First HIPAA Risk Assessment? Here’s what you should know.
HIPAA compliance can be a daunting endeavor, especially if your organization has never faced this challenge. A HIPAA risk assessment can help you achieve compliance.
If you are considering your first HIPAA risk assessment, there are a few things you should know. Here are four points to get you on your way:
Understand your security environment
Prepare for the assessor’s visit by gathering information, having the right people available for the engagement, and explaining to your staff what is happening (i.e. why this stranger is on the premises).
Having the “right” people available depends on the company. Your assessor can tell you the types of positions/people who may be appropriate, but your understanding of your environment in designating these people is key.
Realize it’s an assessment, not an audit
Understanding the purpose of an assessment is important in moving forward: It is to help you understand where you truly stand and where your vulnerabilities lie so you can fix them.
This is your chance to discover weaknesses and get clarification from a healthcare compliance expert. Your risk assessment is only as good as the information you provide. The more forthcoming and willing you are to work with your assessor, the more productive, accurate, and ultimately valuable your assessment will be.
A good HIPAA compliance consultant works with you as a partner. Be honest and share. Remember, an assessment is a learning exercise. Take this opportunity to understand what your security posture is and where the vulnerabilities are, and to get a plan in place to remediate those problem areas.
Know where you stand on documentation
HIPAA is legislation based on documentation. Therefore, having a proper process or security control in place is not enough: all processes should be documented in a policy and procedure. In addition, all documentation should be straightforward and easily accessible/centrally located.
Conversely, if it’s documented, it needs to be true. If you document a process you are not actually following, the discrepancy will be discovered.
Organizations must work diligently toward healthcare compliance. We rarely see companies that immediately achieve 100% compliance. While a HIPAA risk assessment can provide you with a baseline, very few organizations achieve an acceptable level of compliance on their first attempt. To this end, you may want to consider a healthcare compliance program to provide a roadmap for achieving and maintaining HIPAA compliance long-term.
Sword & Shield’s HIPAA Compliance Program (HCP) is a partnership between Sword & Shield and your organization to help you achieve and maintain a highly secure and compliant state well beyond the first HIPAA risk assessment. The HCP provides a cost-effective way for organizations to ensure ongoing compliance with the HIPAA Security, Privacy, and Breach Notification rules.
If you are facing your first HIPAA risk assessment and want assistance, contact Sword & Shield. Our free consultation is the first step toward achieving and maintaining HIPAA compliance.
Chris Lyons, CISSP, HCISPP, PCI DSS QSA, Certified HITRUST Practitioner
Senior Security Consultant
Chris Lyons provides expert security consulting services for HIPAA compliance for healthcare companies of all sizes. Chris writes, reviews and edits corporate security and privacy policies and procedures, and provides remote as well as onsite security reviews for hospitals, doctors’ offices, radiology, dental, and other providers who work with Protected Health Information (PHI) to ensure their HIPAA compliance.