You may have asked yourself – how HIPAA compliant are we really? What constitutes HIPAA compliance? How often do I need to check?
There are numerous requirements for HIPAA compliance – performing an annual risk assessment, up-to-date training, maintaining current policies and procedures, having a contingency plan, having your data encrypted at rest and in motion, continuous monitoring of all networks and networked devices, just to name a few.
Those are a lot of things to contend with but where should you start? As Maria says in “The Sound of Music,” you start at the very beginning. For HIPAA compliance, it is the Risk Assessment. The risk assessment will let you know where you stand on all matters related to HIPAA compliance.
In fact, the U.S. Department of Health and Human Services’ Office of Civil Rights (the entity entrusted with HIPAA compliance) agrees. In its first round of federal HIPAA audits and in all of its investigations of HIPAA compliance, the number one problem the OCR found behind a HIPAA breach or a bad HIPAA compliance audit was the lack of a current HIPAA risk assessment. The OCR has also stated that in its next round of HIPAA audits, which began in 2015, it is concentrating on the covered entities’ risk assessment (or lack thereof).
Performing a HIPAA risk assessment can be a daunting task (generally the reason they are not being done in the first place). If your company has annual revenues of more than $5 million, your “official” risk assessment needs to be done by a third party. If your company’s annual revenues are less than $5 million, you can perform a self-administered risk assessment. In either case, the risk assessment is the place to start.
At Third Rock, we have further simplified this process regarding the risk assessment. We have created the Third Rock HIPAA Quick-Check. This is a mini risk assessment that will quickly tell you your level of HIPAA compliance in the major areas of HIPAA (annual risk assessments, training, current policies and procedures, contingency plans, encryption of data, continuous monitoring of devices, etc.). Remember, this is not a full risk assessment; it is just a Quick-Check™.
If your organization decides to pursue a complete, official risk assessment, Third Rock can perform these services for you – we provide both self-assessments and third-party assessments, depending upon your company’s size. After the risk assessment is performed, you will receive the results of your HIPAA Risk Assessment and a Risk Remediation plan to address any shortcomings. Plus, we’ll help you step by step through the remediation identified in the risk assessment.
And that’s how you get started.
Read the next post in the HIPAA Compliance series.
Additional Resources:
- Third Rock’s HIPAA and Cyber-Security Blog
- Third Rock’s HIPAA and Cyber-Security Newsletter & Subscription page
- Third Rock – Webinar Video