HIPAA Assessment

HIPAA compliance is a fundamental aspect of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), a federal law mainly focused on protecting sensitive patient health information from being disclosed without the patient's consent or knowledge. The law provides baseline privacy and security standards for the medical information of US citizens.

The standard is applicable to covered entities and their business associates like health care clearinghouses, employer sponsored health plans, health insurers, and medical service providers that engage in certain transactions that involve digital transmission of patient health information (PHI)

HIPAA Regulation divided into Security Rule, Privacy Rule, Transactions and Code Sets (TCS) Rule, Unique Identifiers Rule, Breach Notification Rule, Omnibus Final Rule. HIPAA Security Rule requires implementation of 1) Administrative, 2) Physical, and 3) Technical safeguards.In Addition, it imposes other organizational requirements and a need to document processes analogous to the HIPAA Privacy Rule.

Office of Civil Rights (OCR), explains the failure to provide a “specific risk analysis methodology” is due to Covered Entities and Business Associates being of different sizes, capabilities and complexity. As per OCR, the key objectives of a HIPAA risk assessment are :

• Identify the PHI that your organization creates, receives, stores and transmits including PHI shared with consultants, vendors and Business Associates.

• Identify the human, natural and environmental threats to the integrity of PHI human threats including those which are both intentional and unintentional.

• Assess what measures are in place to protect against threats to the integrity of PHI, and the likelihood of a “reasonably anticipated” breach occurring.

• Determine the potential impact of a PHI breach and assign each potential occurrence a risk level based on the average of the assigned likelihood and impact levels.

• Document the findings and implement measures, procedures and policies where necessary to tick the boxes on the HIPAA compliance checklist and ensure HIPAA compliance.

• HIPAA risk assessment, the rationale for the measures, procedures and policies subsequently implemented, and all policy documents must be kept for a minimum of six years.