Believe it or not, there are even risks inherent in conducting a HIPAA security risk assessment. The first risk is in defaulting to a “do-it-yourself” process. Clearly many organizations are capable of doing this work themselves. But many others are not. So before making the decision to stay in-house or to find a competent outside vendor, ask yourself these questions:
- Do we have sufficient expertise, particularly in IT security, to identify threats, external and internal vulnerabilities, and other risks to protected health information?
- Can we accurately assess the consequences, impact, and harm to the organization that may occur given the potential for PHI data breach or other IT system compromise?
- Do we have sufficient internal resources available for the project? What is the impact on those people's normal functional roles, or on the other projects they are working on, of pulling them onto a HIPAA risk analysis?
- Can the internal team you assign work cooperatively and cross-functionally? A HIPAA risk analysis must be holistic – it covers not only IT but also HR, HIM (health information management), physical security, and other departments.
- Can your internal team be objective, unbiased, and not influenced by the normal organizational hierarchy?
So let’s say you decide that it is better to contract with an outside vendor. There are risks there as well. The biggest one is that the vendor may not actually be an IT security expert. Many compliance-oriented consultants hang a shingle offering a “HIPAA Security Risk Analysis” that should really be called a HIPAA compliance checklist. No wonder that during HHS OCR’s initial audit program in 2012, 58 of 59 providers had findings or observations in the area of security. OCR also found that many of them weren’t aware of their requirements, yet had done a HIPAA risk analysis!
The next round of HIPAA audits begins this Fall and is expected to include nearly 400 organizations. While these have been designated as “desk audits” by OCR, don’t let that fool you into thinking you will get off easier. In fact, there will be much less interaction and fewer opportunities to clarify, explain, or otherwise plead your case.
Here at Redspin, we always say your biggest risk is not failing a HIPAA audit. The biggest risk is that you don’t have sufficient security controls in place to prevent a large scale breach of protected health information (PHI). The consequences of such a data breach can run into the millions of dollars in notification costs, fines, remediation, reparations, and legal fees. Not to mention the harm to your organization’s reputation.
In conclusion, the risk of a HIPAA risk analysis is in not selecting the right team for the job.