June 9, 2015

Assessment Series: HIPAA Risk Assessment

Travis Good, MD

Co-founder & Chief Technology Officer

All organizations responsible for PHI, including hosting providers like Datica, are required by the Department of Health and Human Services to conduct a HIPAA risk assessment. It is the first step toward implementing the safeguards stipulated in the HIPAA Security Rule, and ultimately toward attaining true HIPAA compliance.

So what does a HIPAA Risk Assessment require?

The Department of Health and Human Services has defined nine necessary constituents of a HIPAA risk assessment that all healthcare and healthcare-related organizations that store or share ePHI must include in their assessment document:

  1. Assessment Scope - Inclusive of any and all potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Organizations should include all electronic media in use, such as portable devices, networks, and desktops. If there are multiple sites, it is important to include the network security between them in the scope; this includes your hosting terms with third parties or business associates.

  2. Data Reserve - Where is ePHI being stored, collected, maintained, or transmitted?

  3. Identify and Record Potential Threats and Vulnerabilities - Anticipating how HIPAA violations could occur helps your organization find a resolution rapidly and effectively.

  4. Evaluate Existing Security Measures - This will include any encryption, two-factor authentication, and all other security methods that your HIPAA hosting provider has put in effect.

  5. Evaluate the Likelihood of a Risk Occurring - In combination with #3, this estimates the probability of an ePHI breach.

  6. Evaluate the Impact a Risk Occurrence Could Have - Assess how many people could be affected and the level of PHI that could be exposed, inclusive of health information and billing information.

  7. Assess the Level of Risk - The Department of Health and Human Services recommends combining #5 and #6 to establish the level of risk. When documenting these risk levels, accompany them with a list of the actions that would be taken to mitigate each risk.

  8. Prepare Documentation - There is no required format for the documentation, but the assessment must be in writing.

  9. Regular Reviews and Updates to the HIPAA Risk Assessment - It is crucial that the assessment is ongoing. A new assessment is recommended whenever new processes, technologies, or operations are introduced into an organization.

Curious how we at Datica do our HIPAA Risk Assessment?

Check out our Datica HIPAA Docs for further detail on how we ensure HIPAA compliance.
