Security Risk Assessment

Let’s discuss the Security Risk Assessment. There are 5 steps within the Security Risk Assessment that our practices must review on an annual basis.


Gap identification and remediation: by completing self-audits, we allow our organizations to determine any gaps in protecting our patients’ PHI. A remediation plan addresses those gaps by laying out how each issue will be fixed. Remediation plans must be documented, including the dates by which the remediation efforts will be implemented.


Policies, procedures, and training: policies and procedures must be created for an organization’s specific needs. An effective compliance program includes policies and procedures written for your specific practice, and this information should be stored in your HIPAA privacy manual.


Employee attestation and tracking: an organization is not HIPAA compliant if it doesn’t document its efforts. You must have a way to prove that your employees have completed HIPAA training. Employee attestation is when an employee reads through an organization’s policies, procedures, and training material and legally confirms that they have read and understood all of the materials.


Business Associate management: organizations working within healthcare must secure Business Associate Agreements, or BAAs, with any vendors or business associates who may have access to PHI. A BAA must be executed before PHI can be shared between the two parties. A BAA also ensures that each party is HIPAA compliant. It limits the liability for both parties involved, as it states that each party is accountable for itself, meaning that in the event of a breach, only the responsible party will be held accountable. However, organizations that don’t properly obtain a BAA with their vendors will also be held accountable if a breach occurs. BAAs must be reviewed annually to incorporate any changes in the nature of an organization’s relationship with the vendor.


Incident management: in the event of a data breach, healthcare organizations and the vendors that service them are required to report the incident. The HIPAA Breach Notification Rule requires organizations to report breaches to the Department of Health and Human Services as well as to the affected individuals. In the case of a meaningful breach, affecting more than 500 individuals, organizations must also report the incident to the media. Organizations are required to report the incident within 60 days of discovering it. We must always document this information. When organizations experience a minor breach, affecting fewer than 500 individuals, they have until the end of the calendar year to report the incident, and they don’t need to report the incident to the media. Having these policies and procedures in place within the HIPAA manual will help provide us guidance throughout the years.