Let’s be honest, if you are reading this, you probably still have “complete your HIPAA Security Risk Assessment (SRA)” on your to-do list and you are wondering what you can do to get it done before the end of the year (December 31st is right around the corner). We understand procrastination, but we also understand the importance of HIPAA compliance and the key reasons behind completing an SRA.
Organizations that participate in CMS Promoting Interoperability (MACRA/MIPS) know a risk assessment is required to be completed on an annual basis, and failure to do so will affect your payment adjustment for that year. That being said, completing a risk assessment doesn’t just apply to MIPS organizations. ANY organization that handles ePHI is required to complete a risk assessment. Doing so will help you identify whether your existing security measures are sufficient or vulnerable to evolving threats, particularly when new applications are introduced. Hundreds of organizations experience a breach each year; completing an SRA will help you fix those vulnerabilities before they become a large problem, i.e., a breach, a ransomware attack, etc.
Is it too late to complete your HIPAA risk assessment? No, there is still time. Reading further, you will find the critical steps you need to take to complete a risk assessment before the December 31st deadline.
Information Gathering
The first step is to gather the necessary information within the scope of the assessment. This involves communicating with the individuals responsible for specific systems and processes to confirm that security and HIPAA controls are in place at the organization. The list of relevant individuals includes HIPAA Compliance Officers, IT, HR, and more. But tracking down these individuals and collecting the requisite policy and procedure information can be tough to do on your own.
Analysis
This is where automation really comes in handy. After gathering the necessary information, it’s time to cross-reference your results with HIPAA citations and security controls to determine whether there are gaps in your compliance. This is the bona fide “assessment” part of the process. Ideally, a final report prioritizing compliance gaps and security concerns will be generated (not an easy thing to produce on your own). Once the analysis is complete and you have identified your compliance gaps, you need to start planning for remediation.
Planning and Remediation
HIPAA compliance is a bit of a moving target, and no organization is perfectly HIPAA compliant at any given moment. When compliance and security gaps are discovered, they should be broken down into remediation items, or tasks that must be accomplished to address said gaps. Don’t worry: when you have completed a security risk assessment and a remediation plan is in place, you are considered “HIPAA compliant”, so long as you follow through on your remediation and action plan throughout the next calendar year. HIPAA compliance is all about showing that you are putting your best effort into making your organization, and specifically its health information, more secure. A proper remediation plan should include specific tasks, completion deadlines, and assignees for each remediation item. Organization and accountability are key. Friendly, automated reminders are helpful too.
This seems like a lot, right? Correct, it is actually TOO much to do on your own in a single month. But lucky for you, Intraprise Health’s HIPAA One® software is an automated solution designed to help you do just that! Let’s touch back on each of the above critical SRA steps and explain how the HIPAA One® software can help you accomplish each with minimal effort from you and your team.
- Information Gathering – The HIPAA One® software gathers the necessary assessment information through a series of interview questions, each prompting you to answer a “yes or no” question. Each of these questions ties back to one or more HIPAA citations. We have taken the time to whittle down each and every dull and confusing HIPAA citation required by the OCR (we even left them in, in case you like reading those things) into a simple question. You can assign delegates (specific people) to sign into the software and answer groups of questions relevant to their role, such as IT-specific questions for IT individuals.
  Example Question: “Does the organization have a policy and procedure with a formal process where HR notifies IT of staff termination or other reasons to revoke server/network access?”
  When responding to survey questions, you have three options. If you answer “yes”, you must provide proof by uploading a policy and procedure (these will be reviewed later to determine whether they are adequate). If you answer “no”, no big deal; we will provide you with a policy and procedure template which you can edit to suit your preferences and specific circumstances. If you answer “not reasonable or appropriate for our circumstances”, you will need to provide a brief explanation. The HIPAA One® dashboard allows you to check the progress of interviews and the delegates assigned to each.
- Analysis – After we have gathered the necessary information, the software does its magic and you can sit back and enjoy the show (well actually there is nothing to watch because the analysis happens in just a few seconds, but go ahead and take a well-deserved break anyway). The analysis will bring back a report identifying compliance and security gaps with a risk score associated with each, helping you understand where your risks are and how to prioritize and then address them.
- Planning and Remediation – As part of the final report generated by the software, you can visualize each of your gaps and create remediation tasks to address them. The software allows you to assign tasks to individuals and set deadlines and automated task reminders. Instructions and updates can be typed next to each task to help you better coordinate and communicate across the organization.
  Example Remediation Plan: risk level (e.g., High Risk), compensating controls, action plan, target date, and assignee.
Despite what you may be thinking, it is NOT too late to complete your HIPAA Security Risk Assessment. With a little help, you can be done before the holidays. HIPAA compliance can be boring and time-consuming, but it doesn’t have to be. Don’t wait any longer; contact us now to get started.