Security Risk Audits And Risk Mitigation Plans To Protect PHI

Posted by Ken Reiher

For Compliance Today: “Copyright 2019 Compliance Today, a publication of the Health Care Compliance Association (HCCA).”

In today’s fast-paced world, there is no limit to the number of risk areas that can be identified during a security risk audit. And, performing the audit is not enough. Healthcare organizations must establish rigorous controls and governance to mitigate identified risks.

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires covered entities and business associates to conduct periodic risk assessments and to implement risk mitigation plans. A risk assessment helps an organization verify compliance with HIPAA’s administrative, physical, and technical safeguards, and exposes the areas where its protected health information (PHI) could be at risk.

Although healthcare organizations are required to perform periodic risk assessments, they are not required to proactively prove that they have done so. Typically, an organization’s assessment process comes under scrutiny in one of two situations:

  1. The organization has had a significant reportable breach. When this happens, there will likely be an investigation by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). The OCR will request key documentation, such as when the last risk assessment was performed, which identified risks were mitigated and in what priority order, what HIPAA policies and procedures are in place, what evidence of key activities is documented (e.g., workforce training), and what protocols and controls were in place at the time of the breach.
  2. The OCR decides to perform a random audit based on current audit

This article makes the case for conducting periodic security risk audits that go far beyond the required assessment. An organization’s primary motivation should be protecting its patients and itself. Passing an assessment is only one step in the process. Every organization must be keenly aware of its high-risk areas and implement a proactive plan to address those risks.

To continue reading this article, please download the Compliance Today version.