There is an article over at HealthIT Security that discusses the new Department of Health and Human Services (HHS) security risk assessment tool. The article interviews Alisa Chestler, a shareholder in the Washington, D.C. office of Baker Donelson. Alisa shares many of the same thoughts I had when I reviewed the tool for the first time. I urge you to read the whole article, but below are some highlights.
Is it robust enough and does it help providers get to where they want to be?
I’d be concerned about fatigue on the part of smaller providers once they are looking at the tool. There’s the potential that they don’t think it’s meant for them or they want to give up, but they have to reach that stage of acceptance. What struck me about the Security Risk Assessment Videos included within the tool was they can help prepare the provider for that fatigue. You can’t sit down in a few hours and complete it quickly or easily. There’s the expectation that in working through the tool, clinical staff will have to pause or do other things and then come back to it because there’s much more inside the tool than they expected.
Next, the government has provided this tool for smaller providers. But there’s no assurance that it will prevent them from having a breach or fully cover them in the event of a breach. Fundamentally, though, without it they’re at a total loss. So maybe this is a step in the right direction, but it’s a big step.
Where does the tool fit into an organization’s HIPAA compliance plans?
The Security Risk Assessment is Step 1 in HIPAA Security compliance. Years ago, everyone may have had off-the-shelf policies and procedures, but you can’t do that anymore because everyone has such a different way of doing it. In most of the enforcement actions that we’ve seen over the past two years, the first thing that the government points out is a failure of a security risk analysis.
Understand a HIPAA Risk Assessment
Organizations need to perform a Risk Assessment to determine the likelihood of risks and what additional security measures should be put in place to protect patient information.