By Jack Anderson
October 13, 2015
As further affirmation of the critical importance of a documented HIPAA risk assessment, the HIPAA HITECH Final Rule expands the scope ot the risk assessment to include administrative and technical safeguards. This emphasizes the importance of using the NIST protocol for the risk assessment. It is the only standard recognized by HHS and is the standard for the federal government.
This all sounds complex and expensive but there are tools to help, including a Security Risk Assessment Tool developed by ONC and OCR. However I tried to use this tool and gave up at question 34 of over 100 questions and I can’t imagine a small healthcare organization being able to use the tool. The good news is that there are inexpensive, automated solutions that solve the problem.
The problem with a one size fits all approach like the Security Risk Assessment Tool is that many of these safeguards don’t apply to a small practice or business associate. HHS has stated that an organization need be compliant only with those rules that are “reasonable and appropriate” to their organization. In analyzing over 1,000 risk assessments we found that as many as 40 of the 104 security rules don’t apply to organizations with less than 20 employees operating out of a single location with a single computer network. By inactivating these before they start on the risk assessment we can give them a tremendous headstart or as we call it a Jumpstart. Look for our new program offering a free HIPAA risk assessment next week at www.compliancehelper.com