HIPAA Risk Assessment Explained

January 12, 2016

It would seem that the definition of a HIPAA risk assessment would be straightforward, since it is a requirement for HIPAA compliance. But, as with many other requirements written by Health and Human Services (HHS), it requires some interpretation. HHS says there are many forms of risk assessment and leaves it up to each organization to choose the one that is appropriate for it. The only form HHS specifically mentions is a risk assessment done using the NIST methodology (HHS's guidance on the risk analysis requirement points to NIST Special Publication 800-30). To most small companies this is not illuminating, but let's accept it as the gold standard.

Where can you get a risk assessment that follows the NIST methodology? You could call one of the large accounting or consulting firms and ask for a quote on a NIST risk assessment, but the price tag is going to be in six figures. Or you could look for a smaller consulting firm that might do it for five figures.

The next level down is a consultant using their own protocol. This would be based on their experience rather than a published standard, and so it would not be as credible to an outside party such as a client or business partner.

Remember that a HIPAA risk assessment serves two purposes. It helps manage the internal process of compliance by identifying risks, and it provides proof to external entities such as regulators, clients, and business partners that you are actively protecting PHI.

What if you want the gold standard but don't have enough gold? Automation is the answer. Instead of sending high-priced consultants to your site, the HIPAA risk assessment can be done remotely using tools built around the NIST methodology.

Here is how this works: A certified HIPAA consultant walks you through an online questionnaire organized around the NIST safeguards. If appropriate, a network vulnerability scanner developed by the federal government is attached to your network to identify technical weaknesses. Note that the scan covers only the technical side; the administrative and physical safeguards required by the Security Rule are assessed through the questionnaire, and the two together make up the assessment. At the conclusion of this process you receive a risk assessment report and a gap analysis, and you assign personnel to mitigate the identified risks. Quarterly, you use the same tool to reassess and document your progress.

If you would like more information, or would like to be notified when the next HIPAA Risk Assessment 101 webinar is scheduled, send me an email at Jack@compliancehelper.com or go to our website at www.compliancehelper.com and try the Free HIPAA Risk Assessment.