The Health Insurance Portability and Accountability Act (HIPAA) section that deals with Security, §164.308(a)(1)(ii)(A), requires that Covered Entities and Business Associates conduct a Security Risk Assessment as needed. The problem between the regulation and the implementation is that the interpretation of the same depends on the reader. Also, there are other mandates and official requirements which may divert or define the as needed requirement to indicate that the “as needed” terminology is not as wide as some may wish. Our professional experience is that HITECH auditors are asking for an annual Security Risk Assessment and that the failure to provide such document is interpreted as failure to meet meaningful use. Also, in a couple of cases we have seen that Covered Entities have been fined a significant amount of money for the lack of a Security Risk Assessment. Last but not least, in all cases we have seen that one of the remediation actions have been the annual completion of a Security Risk Assessment. Another trend we have noticed regards Security Risk Assessment that do not meet the requirements of the law. We actually have seen several Risk Assessments conducted by IT companies, lawyers, healthcare consultants and staff members of the organization. Regretfully, these Risk Assessments do not cover all the required topics, use the proper language or actually meet the function they were intended for. Please do not insult or underestimate the auditors. I can attest that their level of expertise is increasing from one year to the next and that they can see thru a template or attempts to cover up non-compliance actions. Also, submitting false information may be interpreted as fraud which may add to the penalties and fines you will have to pay. Therefore we recommend the following:
Consider the HIPAA Security Risk Assessment a cost of business and make sure to follow the latest guidance to avoid problems.