Requirements For HIPAA Privacy Risk Assessment
Due to the requirement to conduct risk assessments being introduced in the HIPAA Security Rule, many Covered Entities and Business Associates overlook the necessity to conduct a HIPAA privacy risk assessment. Due to the HIPAA Journal, HIPAA privacy risk assessment is equally as important as a security risk assessment, but can be a much larger undertaking depending on the size of the organization and the nature of its business.
In order to complete a HIPAA privacy risk assessment, an organization should appoint a Privacy Officer, whose first task it is to identify organizational workflows and get a “big picture” view of how the requirements of HIPAA Privacy Rule impact the organization´s operations. Thereafter the Privacy Officer needs to map the flow of PHI both internally and externally in order to conduct a gap analysis to identify where breaches may occur.
The final stage of a HIPAA privacy risk assessment should be the development and implementation of a HIPAA privacy compliance program. The program should include policies to address the risks to PHI identified in the HIPAA privacy risk assessment and should be reviewed as suggested by the HHS (above) as new work practices are implemented or new technology is introduced.
As required by 45 CFR § 164.530, it is essential employees are trained on any policies and procedures developed as a result of a HIPAA privacy risk assessment and when material changes to policies and procedures impact employees´ functions. Although Covered Entities and Business Associates often comply with this requirement “to tick the box”, better trained staff make fewer HIPAA errors, so training on HIPAA policies and procedures should be embraced as a risk mitigation strategy.
To learn more about HIPAA EDI and become a CEDIAP® (Certified EDI Academy Professional), please visit our course schedule page.