HIPAA Security Risk Assessments for Securing Electronic Protected Health Information (ePHI)
Since its enactment into U.S. federal law in 1996, with oversight provided by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), the Health Insurance Portability and Accountability Act (HIPAA) Security Rule has required covered entities and their business associates to conduct annual Security Risk Assessments (SRAs) that assess the potential risks and vulnerabilities to the electronic protected health information (ePHI) of patients.
According to HHS, patients are also protected under the HIPAA Privacy Rule (enacted in April 2003), which gives patients rights over their health information and sets rules and limits on who can look at and receive patient information, whether electronic or oral. The Privacy Rule, like all of the Administrative Simplification rules, applies to health plans, health care clearinghouses, and any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA (the "covered entities"). The HIPAA Security Rule is a federal law requiring security for health information in electronic form. In addition, the Patient Safety Act and Rule establishes a voluntary reporting system to enhance the data available for assessing and resolving patient safety and health care quality issues, and provides confidentiality protections for patient safety concerns.
According to HHS, as of April 30, 2020 and since the compliance date of the Privacy Rule in April 2003, OCR has received over 233,581 HIPAA complaints and has initiated over 1,002 compliance reviews, of which 99% have been resolved. OCR has investigated and resolved over 27,987 cases by requiring changes in privacy practices and corrective actions by, or providing technical assistance to, HIPAA covered entities and their business associates. Corrective actions obtained by OCR from these entities have resulted in systemic change that affects all the individuals they serve. OCR has enforced the HIPAA Rules by applying corrective measures in every case where an investigation indicated noncompliance by the covered entity or its business associate. To date, OCR has settled or imposed a civil money penalty in 75 cases, for a total of $116,303,582.00. OCR has investigated complaints against many different types of entities, including national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices.
HIPAA Risk Assessments as a Service
We conduct a risk assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI that your company collects, stores, processes, or transmits, measured against HIPAA standards, so that you can identify missing or deficient internal controls and avoid penalties and security breaches.
We also provide periodic follow-up remediation reviews to help evaluate whether your company is complying with HIPAA standards after a HIPAA risk assessment. Our risk assessment includes:
(1) Review of the PHI inventory to determine where electronic and other data is located;
(2) Examination of the safeguards required by HIPAA (administrative, physical, and technical), as well as the latest Omnibus rules;
(3) Assessment of current HIPAA and IT security compliance operations, including safeguards in place, vulnerabilities, and specific threats to those safeguards;
(4) Evaluation of existing security policies and procedures;
(5) A risk remediation plan identifying the high, medium, and low risks, with recommendations appropriate to the size of your organization.