If you’re in the healthcare industry, you have probably heard of HIPAA, the Health Insurance Portability and Accountability Act. And if your business falls under any of the classifications that are covered by HIPAA, you might have heard of a HIPAA Assessment. But what exactly is a HIPAA Assessment? Do you need one? What does it cost? And is it actually worth doing? You might be surprised at the answers.
What is a HIPAA Assessment?
HIPAA’s goals are to keep the health information of individuals private and secure. It dictates the rules for storing and transferring information, protecting that information, and what to do in the event the data is breached. As with all other laws, ignorance of the law is no excuse for not complying with the law. That is why HIPAA also requires that any business in contact with Personal Health Information (PHI) conduct a HIPAA Assessment so that the company is made aware of the HIPAA-related risks it faces and can work on reducing those risks.
Do you need a HIPAA assessment?
Any company that handles PHI needs to do a HIPAA Assessment. HIPAA divides these companies into two main groups, Covered Entities and Business Associates. Covered Entities include companies such as:
- Health care providers, such as doctors, hospitals, medical groups, clinics, dentists, eye care, nursing homes, pharmacies.
- Health plans, including insurance companies, HMOs, company health plans, and even government entities dealing with the health of individuals.
- Health Clearinghouses, including companies that receive health information from other covered entities.
It’s very easy to know if you are a Covered Entity. It’s less easy to know if you are considered a Business Associate, which is a company that works with a Covered Entity and has access to its PHI. Business Associates could be bookkeepers, IT companies, claims processors, legal services, aggregation services, or other individuals or companies that have access to PHI in order to help a Covered Entity or another Business Associate do its work.
If you are either a Covered Entity or Business Associate, you are required to do a HIPAA Assessment annually.
Why Do A HIPAA Assessment?
In a nutshell, HIPAA’s regulations are strict and its penalties are potentially very harsh. Typically, the penalties rise with the number of breached PHI records and the level of negligence involved. In other words, companies with large numbers of breached records, sometimes in the millions of records, have had to pay fines in the millions of dollars.
But so have companies that suffered a breach of as little as one single record but were severely negligent or malicious in their handling of that data. Memorial Hermann Health System was fined $2.4 million for disclosing just one record of PHI.
And simply not having a HIPAA Assessment if you are covered by HIPAA is reason enough to be fined. Your state’s Office of Civil Rights (OCR) can demand to see the assessment of any Covered Entity or Business Associate. Similarly, if you suffer a breach, the OCR will start its investigation by asking to see your HIPAA Assessment. In either case, if you don’t have one, you’ll be fined anywhere from $140,000 to $240,000.
Similarly, jail time is part of the regulation, and its length and severity are based on the underlying cause or motivation for the breach. For example, if you and your company have taken every reasonable security precaution against every probable breach, no jail time may be mandated. But if the breach was the result of negligence on your part, or if you acquired PHI under false pretenses, or if you acquired PHI for monetary gain, jail time may be mandated for between one and ten years!
The destruction of your business, fines into the millions of dollars, and possible jail time: all excellent motivations for conducting a HIPAA Assessment.
Costs are typically between 4% and 7% of the fine you’ll be forced to pay by not having one.
What is in a HIPAA Assessment?
The HIPAA regulations require that a HIPAA assessment make you aware of your situation as it relates to protecting your PHI. Specifically, it should include:
- The locations (logically and physically) where PHI is stored, received, maintained or transmitted.
- Identification and documentation of potential vulnerabilities and threats.
- An assessment of the security measures currently followed to protect PHI, including a determination of how well those security measures are actually being followed.
- An assessment of the likelihood of each reasonably anticipated threat.
- An assessment of the possible impact of a breach.
- Assignment of risk levels to all of the potential vulnerabilities.
- Documentation of all of the above.
- Action on the overt issues discovered above.
Can You Do Your Own HIPAA Assessment?
Could you do your own HIPAA assessment? Technically yes. But it’s not a good idea. The rules for properly conducting the assessment are strict and the levels of rigor and detail are high.
It’s our experience that when companies attempt to run their own assessment, they often underestimate their vulnerabilities and overestimate their readiness to withstand a breach. They also aren’t able to adequately test their own systems, and often miss gaping security holes.
In short, it’s far better to hire an outside, independent and experienced company to run your HIPAA Assessment. Digital Uppercut has conducted HIPAA assessments for small and medium-sized companies in a variety of industries. We could certainly conduct a thorough assessment for you.
Still Unsure? Call us.
If you’re still not sure whether you need to conduct a HIPAA Assessment, let’s talk. We will have a short chat to help you determine if you are covered by HIPAA and need an assessment. Given the relatively low cost of a HIPAA assessment, if you need one, there is no good reason for not getting one. And there’s no better time than right now. You never know when it will be too late. Call us at 818-913-1335 or contact us online.