What's Required For An Annual HIPAA Assessment?


A stolen record sells on the dark web for an average of $148, according to Ponemon’s 2018 Cost Of A Data Breach Study.

Compare that to records snatched from the healthcare industry, which fetch more than those of any other sector at $408 per record.

However, penalties for violating HIPAA reach into the hundreds of thousands and even the millions, dwarfing these numbers.

Ensure your organization is compliant by completing your annual HIPAA assessment.


Complete A Risk Assessment

HIPAA requires covered entities—healthcare providers and insurers, as well as business associates—to conduct a risk assessment.

“A risk assessment helps your organization ensure it is compliant with HIPAA’s administrative, physical, and technical safeguards,” says HealthIT.gov. “A risk assessment also helps reveal areas where your organization’s protected health information (PHI) could be at risk.”

Many covered entities initiate an annual assessment but rarely finish because of its intensive nature.

These entities may consider working with a healthcare IT support partner in order to complete the assessment.

Alternatively, the HHS has provided a wealth of security rule guidance material to assist in HIPAA compliance.


Generate A Risk Management Plan

After completing the risk assessment, covered entities can begin to plan for risk management.

The risk management plan should include “the implementation of security measures to:

  1. Reduce risk to reasonable and appropriate levels to, among other things, ensure the confidentiality, availability, and integrity of electronic protected health information (EPHI).
  2. Protect against any reasonably anticipated threats or hazards to the security or integrity of EPHI.
  3. Protect against any reasonably anticipated uses or disclosures of EPHI that are not permitted or required under the HIPAA Privacy Rule.”


In other words, the plan should include a list of known vulnerabilities, which can be updated as those vulnerabilities are mitigated.


Verify BAAs Are In Place

A BAA is a business associate agreement.

The HHS describes a business associate as any person or entity outside the workforce of a covered entity, including subcontractors, who can access protected health information.

The agreement helps the business associate understand how to safeguard, use, and disclose PHI.


Draft Robust IT Policies

The final requirement for an annual HIPAA assessment is drafting and updating policies for cybersecurity.

These policies are grouped by the HHS into four domains:

  1. Administrative safeguards - Standard examples include workforce security, security awareness and training, and data backup and disaster recovery plans.
  2. Physical safeguards - Standards in this area focus on who has access to facilities, workstations, and devices.
  3. Technical safeguards - Examples include unique user identification, automatic logoff, and encryption.
  4. Procedures and documentation - HIPAA requires covered entities to maintain these plans for six years.


Of course, these policies are only as good as the people who enforce them.

A 2018 MediaPro report found that 78 percent of healthcare workers lacked the skills to handle common privacy and security threats.

HIPAA assessments require considerable effort.

If you follow these four steps, though, you’ll be well on your way to compliance.
