By Jack Anderson
July 30, 2015
A HIPAA risk assessment would tell you which rules didn’t apply to you, but if you are a small organization there may be a shortcut. In the course of doing hundreds of risk assessments for all sizes and types of organizations, ACR2 Solutions has been able to identify over 40 security rules that frequently are not reasonable and appropriate for a small organization. By reviewing and accepting these before starting the risk assessment, you will save a tremendous amount of time and reduce frustration.
For example, in the NIST protocol for a HIPAA risk assessment, Security Control PS-5 relates to Personnel Transfer. If the organization only has one location, then there is no need for a transfer policy or procedure. So in the Worksheet you would indicate that it was Not Applicable due to Size. Other reasons for things being Not Applicable could be Cost, Complexity, Alternate Solution, or Not NA for this site.
By working through this worksheet the organization has not only saved time but has also accelerated its progress toward achieving initial HIPAA compliance. After reviewing these 41 items, doing a risk assessment, and scheduling training and awareness, the organization can claim HIPAA compliance. By continuing to review and update policies and procedures, training staff, doing periodic risk assessments, and documenting these activities, the organization can enter a safe harbor that assures that it will pass any audits. The Cycle of Compliance assures that you are HIPAA compliant.
As proof, Compliance Helper, its sister organization Accreditation Helper, and ACR2 Solutions have all had a 100% success rate with audits of their clients.
Assure HIPAA compliance with HIPAAssure.