While it is required within HIPAA rules and regulations to complete a risk assessment regularly, the question may still be in your mind regarding WHY you have to do this.
The legal ramifications are obvious. If audited, you’ll have to show a risk assessment as part of your HIPAA compliance program. And remember, an audit or investigation can be triggered for several reasons, from an employee or patient complaint to a data breach. We could stop there with listing reasons to complete one, but there are other factors that you should understand that will perhaps make you more determined to perform one for your organization outside of HIPAA regulations.
Beyond the Realm of Law
There are other reasons that while not in the legal realm of HIPAA, are as critically important for your business to perform a risk assessment. First and foremost, you need to identify weaknesses before you can address and correct them. And every organization has weak spots that could be strengthened, so ignoring this is simply putting your head in the sand if you think your business is excluded or “above” such instances.
Identifying and acknowledging the risks that could compromise your patient’s protected health information (PHI) is a detailed way to understand how it can happen. From there you can create a remediation plan to prevent those weak spots in your organization from being exploited. This is the follow up to your risk assessment and is often referred to as a risk management plan. Once you have this foundation, you can build upon it and reduce your risk of a breach or employee mistake, but even more importantly, know how to react if one should happen. A remediation plan should be updated as you make improvements, but it is also important to document why you may not have moved forward with addressing a weakness at this time.
HIPAA compliance can seem overwhelming, but this first step is going to give you a map that is as critical to your success as a business plan was to you launching your business in the first place.
Still Not Sure?
Imagine showing up to an IRS audit and telling them that you don’t have any completed tax returns. You’d be fined, you’d be scolded, and you’d be in trouble. And you would still have to do the tax returns. Not having your documented risk assessment is going to put you in the same situation.