After the Risk Assessment, Then What? How Often Do I Need to Check?

by | Feb 16, 2016 | Compliance & Security, Compliance Technology, Disaster Recovery (BCDR)

As we noted previously, there are numerous requirements for HIPAA compliance.  A follow-up question often heard is “How often do I have to do these things?”

Risk assessments officially need to be performed on an annual basis but regularly reviewing your risk remediation plan throughout the year is a business “best practice” for any organization.

Policies and Procedures need to be reviewed and changed depending upon federal law changes and changes in your organization.  New processes, new technologies, new locations may require revisions to your Policies and Procedures.

Monitoring of your networks and equipment needs to be done at least weekly for most organizations.  Any aberrations or irregularities in system configurations or file integrity identified in your networks or equipment should be addressed immediately.  Additionally, an inventory of your networks and equipment should be done at least annually with quarterly updates or after major IT procurements.

Privacy and security training should be done at least annually for all staff and with all new hires.  Any changes to the organization should be accompanied by refresher classes.  New employees need to be HIPAA trained within 30 Days.

Contingency plans should be reviewed annually, making sure plans and options for data back-up, disaster recovery, and emergency mode operation are all still viable strategies for the organization in the event of an interruption to the normal course of operations.

If you are interested in knowing where to start, try Third Rock’s HIPAA Quick-Check, This is a mini-risk assessment that will let you know very quickly your level of HIPAA compliance regarding the major areas of HIPAA(annual risk assessments, training, current policies and procedures, contingency plans, encryption of data, continuous monitoring of devices, etc.).  Remember, this is not a full risk assessment; it is just a Quick-Check.

Articles in the series:

  1. How to get Started: Risk Assessment
  2. Breach Detection
  3. Education
  4. Data Protections
  5. Planning for Emergency Events
  6. How Often Do I Need to Check? (This Article)

Sign up for our newsletter on the right side of this page to learn more and stay informed about HIPAA and cyber security.