HIPAA Security Risk Assessments and HIPAA Business Associates – What You Need to Know
Conducting annual HIPAA Security Risk Assessments (SRA) and drafting binding usage agreements with your HIPAA Business Associates are more critical than ever.
Unfortunately, HIPAA compliance remains a challenge for operators in the healthcare industry to this day. Between a growing list of demands from patients and infrastructure changes that move more information than ever into the digital realm, sustaining compliance is proving more challenging than ever before.
Understanding HIPAA Security Risk Assessments (SRA)
Security Risk Assessments (SRAs) are mandated by HIPAA’s Security Rule. They require providers to have adequate safeguards in place for Protected Health Information (more on this later).
Healthcare providers must assess all precautions annually to ensure they adequately meet the stringent standards outlined in the Security Rule.
Protected Health Information (PHI) is considered “individually identifiable information relating to the past, present, or future health status of an individual. Created information regarding the patient collected, transmitted, or maintained by a HIPAA-covered entity concerning healthcare provision, payment for healthcare services, or use in healthcare operations.”
A lot to unpack, right?
Think of it as any information produced or transmitted in a medical setting that relates to an individual’s general health. PHI is information that generally remains confidential unless those associated with the specific PHI explicitly request otherwise.
A HIPAA Business Associate is any business or organization that plays a role in a HIPAA covered entity’s general performance but is not explicitly covered under HIPAA.
Here are some examples of what these could be:
- A third-party claims processor
- An accounting firm that must access patient data to provide services to a healthcare provider
- The attorney for a healthcare provider
- Healthcare clearinghouses that translate claims from non-standard formats to standard formats
- Freelance medical transcriptionists
These associates perform certain functions involving the use or disclosure of protected health information either through services provided to or action taken on behalf of a covered entity.
Under the Omnibus Rule, HIPAA Business Associates must follow HIPAA Security and Privacy mandates.
To ensure compliance, the HIPAA Security Rule mandates that healthcare providers have adequate safeguards in place to protect PHI.
Part of this process is conducting a HIPAA Security Risk Assessment by December 31st of each year.
Covered Entities must conduct a broad overview of their vulnerabilities. They must also adequately assess the risk levels as part of the process. Once this information is understood, they must evaluate the level of protection they have in place and determine if there’s adequate protection against their risk level.
To assist with this process, the Office of the National Coordinator for Health Information Technology has created a security risk assessment tool. You can access it here.
The assessment tool can be helpful, and plenty of sources suggest ways to conduct an assessment. But the Department of Health and Human Services (HHS) doesn’t explicitly describe what a Covered Entity must do to meet the requirement successfully.
As you can imagine, this often leads to confusion, not to mention Covered Entities being subject to fines or other penalties associated with improper protection of PHI.
Failure to complete your annual HIPAA Security Risk Assessment
Speaking of fines, the average penalty for failure to complete your annual SRA is 1.5 million dollars.
It’s worth noting these penalties aren’t necessarily issued when a breach has occurred; the Office for Civil Rights realizes breaches are inevitable. Instead, penalties are issued for missing safeguards, a gap that may itself lead to a breach.
Such a situation occurred in 2019 when the University of Rochester Medical Center was fined $3,000,000 for failure to encrypt mobile devices. This case highlights the importance of completing your annual SRA. It’s especially important when you consider HIPAA enforcement, which is up 400 percent in recent years.
There are many moving pieces when it comes to HIPAA compliance. These pieces can lead to confusion among even the most sophisticated and well-organized healthcare providers.
But at the same time, the information protected under HIPAA is some of the most confidential information patients within the healthcare system have! This explains the consequences of failing to complete your annual HIPAA Security Risk Assessment.
The protection of their information plays a vital role in propping up the trust and professionalism necessary for a functional healthcare system. Compliance should be one of the top priorities of all Covered Entities and their Business Associates. They should also regularly continue to assess and address all vulnerabilities.