A lot of confusion continues to swirl across the difference in between a HIPAA Security Assessment versus HIPAA Security Risk Analysis. No wonder, the phrases are very frequently used as alternatives.
Let’s end the confusion…
Technically, one may argue with regards to regulatory compliance of any kind, three types of
assessments can be completed:
First one is Compliance Assessments (Evaluation, in HIPAA Security Last Rule parlance) solution concerns like:
“Where do we stand with respect towards the laws?” and “How nicely are we attaining ongoing
Second one is Threat Assessments (Analysis, in HIPAA Safety Last Rule parlance) answer concerns like:
“What is our threat publicity to info property (e.g., PHI)?” and “What do we need to complete to mitigate risks?”
Third one is Readiness Assessments answer concerns like:
“Have we applied adequate privacy safeguards?”,
“Have we applied adequate safety safeguards?” and are we prepared for audit.
A thorough hipaa compliance or HIPAA Safety Compliance Evaluation broadly covers all elements from the law including all 18 Standards and 42 Implementation specifications that comprise the Administrative, Bodily and Technical Safeguards (CFR 164.308, 310, 312) within the HIPAA Safety Final Rule. Additionally, this evaluation must cover CFR 164.314 and 316 associated to Organizational requirements, Policies, Procedures and Documentation.
As indicated above, completing this Hipaa compliance or HIPAA Security Compliance Evaluation is needed by each Coated Entity and Business Affiliate.
The language from the law is in 45 C.F.R. § 164.308(a)(eight):
Standard: Analysis. Perform a periodic technical and non-technical evaluation, primarily based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the safety of electronic protected health info, which
establishes the extent to which an entity’s safety policies and procedures meet the requirements of
this subpart.
This type of evaluation is a vital step and should be completed regardless of whether one is just beginning a Hipaa compliance or HIPAA Security Compliance plan, rejuvenating a current plan and maintaining a current program. The output of the evaluation establishes a baseline against which overall progress could be measured by the executive team, hipaa compliance or threat officer, audit committee or board. Believe Risk watch. At the finish of such an analysis, one would possess a Summary Compliance Indicator such as the one proven within the subsequent Security Analysis Compliance
Hipaa risk assessment Dashboard
A HIPAA Security Threat Analysis (§164.308(a)(1)(ii)(A)) is also needed by law to become carried out by every Covered Entity and Business Associate. Additionally, completion from the Threat Evaluation is really a core requirement to fulfill Meaningful Use goals. Section 164.308(a)(one)(ii)(A) from the
HIPAA Security Final Rule states:
Risk Assessment (Required).
Conduct a correct and thorough assessment from the potential risks and vulnerabilities towards the
confidentiality, integrity, and availability of digital protected health information held by the
As needed by The HITECH Act, the Office of Civil Rights, inside the Department of health and Human Services (HHS), has issued last “Guidance on Hipaa Risk Assessment Requirements under the HIPAA Security Rule”. This guidance was published on July eighth, 2010. No specific methodology was indicated. Nevertheless, the guidance describes 9 (9) essential components a Risk Analysis should incorporate, regardless of the risk evaluation methodology employed. We have created a Risk Analysis methodology and ToolKit about these components while utilizing business greatest practices.
As an example, upon evaluation of every information asset that produces, receives, maintains or transmits electronic Protected Health Information (ePHI), one would have an asset-by-asset evaluation of threat, along with mitigation actions involving new safeguards or controls:
HIPAA Security Threat Evaluation Summary Risk Level
Upon completion from the Threat Evaluation for all info assets, an general Threat Analysis Project Monitoring device could be utilized to make certain ongoing project management of the implementation of safeguards:
So, when it comes to HIPAA Security Compliance Evaluation, think:
· Forest-level watch
· Overall compliance using the HIPAA Security Last Rule
· Establishing baseline analysis score for measuring progress
· Asking: Have we documented suitable policies and procedures, etc?
· Asking: Are we performing against our policies and procedures?
When it comes to Hipaa risk assessment or HIPAA Security Threat Analysis, believe:
· Trees/Weeds-level view of each info asset with PHI
· Assembly a particular step in the overall compliance procedure
· Understanding current safeguards and controls in place
· Asking: What are our particular risks and exposures to information property?
· Asking: What do we need to do to mitigate these risks?
The Hipaa compliance Evaluation and the Hipaa risk assessment are, needed by law which are important and necessary steps in your safe HIPAA compliance journey.