HIPAA Risk Assessment – The Required Steps

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) was signed into law by President Bill Clinton in 1996. The legislation protects individually identifiable health information about patients: it created a set of national standards for how that information must be secured and, with the breach notification requirements added by the HITECH Act in 2009, mandated how patients must be notified when a security breach could compromise the confidentiality of their information. There are also circumstances in which a patient's information may be disclosed without the patient's authorization, such as:
•    To comply with a court order
•    To locate a fugitive or other legally wanted person, such as a witness
•    To report a crime
•    To report abuse or neglect

What’s in a HIPAA Risk Assessment?

HIPAA compliance is enforced by the Department of Health and Human Services (HHS) through its Office for Civil Rights. The Security Rule requires every covered entity and business associate to conduct and document a risk analysis, commonly called a HIPAA risk assessment, showing that it is taking the necessary steps to protect all of the protected health information (PHI) it creates, receives, maintains or transmits. HHS guidance breaks that analysis into nine elements, each of which must be covered and documented:
•    Scope of analysis – Every system and medium that stores, processes or transmits PHI must be in scope, including laptops, servers and portable hard drives, network infrastructure and paper records.
•    Data collection – Document where patient information flows after it is collected, how and where it is stored, and who has access to it.
•    Identifying potential threats or vulnerabilities – Possible weaknesses in networks, data transmission and storage must be considered from every angle, whether the threat is human, natural or environmental.
•    Assessment of current security measures – Existing controls such as encryption, user authentication and access controls must be evaluated for how effectively they actually protect PHI.
•    Predicting the likelihood of a threat occurring – For each threat and vulnerability pair, in both paper-based and electronic storage, transmission and dissemination, estimate how likely it is that the weakness will be exploited.
•    Projected impact of a threat – Model the worst-case scenario, taking into account the maximum number of people affected, the data that could be breached, and the consequences for insurance and billing.
•    Level of overall risk for security breach – Combine the likelihood of each threat occurring with the projected severity of its impact to assign each risk a level, rank the risks, and document a mitigation plan for each.
•    Finalized report – The analysis and its results must be written up in an organized document, retained (HIPAA requires documentation to be kept for six years) and produced to HHS on request, for example during an audit or a breach investigation; no standard format is mandated.
•    Periodic reviews and updates – HHS does not dictate a specific interval for review, but the analysis should be revisited regularly and refreshed whenever new technology, systems or business practices are introduced, or after a security incident.