The HIPAA Risk Assessment and PCIHIPAA
By Jeff Broudy CEO
Many practices ask us about the HIPAA Risk Assessment. Is it mandatory? What is it? Are you HIPAA? No, we are not HIPAA. But we do help practices comply with HIPAA. And yes, HIPAA (Health Insurance Portability and Accountability Act) does require every practice that handles protected health information to take a risk assessment. Section 164.308(a)(1)(ii)(A) states:
RISK ANALYSIS (Required).
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].
You can get more details here: Guidance on Risk Analysis
HIPAA doesn't state how the risk assessment must be administered. That's because a hospital is very different from a dental office or a surgeon's practice. But practices do need written proof of compliance. It makes sense, because you should understand your own risks and vulnerabilities.
At PCIHIPAA we decided to help practices with this requirement. We don't work with large hospitals or complex healthcare institutions. We work with dentists, surgeons, pediatricians, general practitioners, chiropractors, osteopathic physicians, and many others that serve our communities across the United States. We find many practices don't have the time and resources to navigate the HIPAA risk assessment requirement, and other HIPAA requirements. However, it's still the law and there are risks for non-compliance and data breaches.
HIPAA requires practices to implement Administrative, Technical, and Physical safeguards to protect patient information. There are very specific actions you need to take. PCIHIPAA's risk assessment includes a yes-or-no questionnaire that addresses many of the safeguards applicable to small to mid-size medical and dental practices. We don't report the results to HIPAA; we only report them to you. You'll receive a 23-page report and a free consultation.
Our objective is to provide you with information about HIPAA requirements and an assessment of your compliance and risk levels. Yes, we do sell a comprehensive compliance program (www.officesafe.com), but only if you need it. Our approach is very similar to yours. I know you assess your patient's health status before you recommend a treatment plan. PCIHIPAA does the same. We provide a complimentary assessment and review. We then discuss a treatment plan to protect your practice quickly, easily, and affordably.
It's what we do every day for thousands of practices nationwide.