What is a HIPAA Risk Assessment?

The HIPAA Risk Assessment is a standard found in the Health Insurance Portability and Accountability Act (HIPAA) which was introduced in the original HIPAA Privacy Rule.

HIPAA sets the standard for protecting sensitive patient data. Any company that deals with protected health information (PHI) in this manner must ensure that all required physical, network and process security measures are kept in place and followed by the organization.

The Updates On The HIPAA Risk Assessment Rule

Before 2013, it was a requirement that all covered entities (including doctors, hospitals, etc.) conduct a Risk Assessment.

In 2013, the Final Omnibus Rule updated the HIPAA Security Rule, extended portions of the HIPAA Privacy Rule and the Security Rulemaking the requirement of conducting HIPAA risk assessments directly applicable to Business Associates. At the same time, this increased the amount a Business Associate could be fined for non-compliance with HIPAA regulations.

How Does the HIPAA Risk Assessment Relate to Telephone Answering Service?

The United States Department Of Health and Human Services (known as the HHS) stipulates that the main goal of a HIPAA risk assessment is for a Business Associate (in this case, a Telephone Answering Service) to conduct an internal review of their company. In this review, the telephone answering service should identify vulnerabilities, threats and risks to PHI that a Telephone Answering Service receives, transmits or maintains.

The HIPAA Risk Assessment (also known as Security Risk Assessment or SRA) is a process that is best conducted in a step-by-step process of each of the areas that have contact with Protected Health Information (PHI).

Typically, a Security Risk Assessment (SRA) is best accomplished using a checklist-based tool or methodology that serves as a guide through assessing the company procedures and policies. This is designed to ensure that health information is protected and there is no risk of it being stolen or shared with the public, whether inadvertently or by malicious intent.


Why is the HIPAA Security Risk Assessment (SRA) Important?

The short answer is:  unlike popular belief, a HIPAA Security Risk Analysis Assessment is not optional.

There are several reasons why the HIPAA SRA rule is important for both businesses in the teleservices industry as well as their clients.

Telephone Answering Services are considered to be a Business Associate to a medical or doctor's office. As such, they are required (as per the HIPAA Security Rule of 2013) to conduct a risk assessment of their own organization.

In June 2016, HHS (US Department of Health and Human Services) issued its first fine solely against a Business Associate – the Catholic Health Care Services of the Archdiocese of Philadelphia agreeing to pay $650,000 following a relatively small possible breach of 450 patient records. The magnitude of the fine was directly related to the non-profit organization having failed to conduct a HIPAA risk assessment. Since June 2016, other Business Associates have been fined by HHS. Many of those fines were the result of failing to conduct a HIPAA risk assessment.

The HIPAA Security Risk Assessment is of the major tool for answering services and call centers — ensuring that they are compliant with HIPAA’s administrative, physical and technical safeguards.

A risk assessment can also help to identify areas where protected health information (PHI) that the TAS processes and stores could be at risk — allowing it to take corrective action.

The bottom line is that a HIPAA SRA is important so that every TAS business can ensure that the company procedures and policies incorporate methodology to mitigate the risk of a breach and/or substantial fines.


                          Resources

HIPAA Risk Assessment Tool 

CLICK HERE
for a Free Risk Review for your Answering Service


HHS. Gov Health Information Policy