THINK YOU ARE COMPLIANT? THINK AGAIN! A key first step in being compliant with most security regulations, including HIPAA, is the completion of an organizational Risk Assessment. And the internet is full of companies offering to do this for you online, or selling you an online tool. So what’s wrong with that? Not a thing. At least as long as you realize there’s no such thing as a comprehensive online risk assessment that follows and meets all of the privacy and security regulations and guidance. The erroneous interchangeable use of the terms Risk Management, Risk Assessment, Risk Analysis and Control Audit doesn’t help.
Even our regulatory agencies contribute to the confusion. For example, consider the Security Risk Assessment Tool available at healthit.gov created by the ONC, OCR and OGC. Read the fine print in the disclaimers, such as, “the Security Risk Assessment Tool is not intended to be an exhaustive or definitive source on safeguarding health information from privacy and security risks” and “the information presented may not be applicable or appropriate for all health care providers and organizations.” This tool does not even meet the agencies own definition of what a Risk Analysis must contain. In other words, this isn’t a risk assessment as every situation and organization is different.
A good, high level questionnaire that touches on the administrative, physical and technical safeguards required by regulations such as HIPAA can help you identify gaps and establish a baseline from which to work. Those types of assessments are actually high-level control audits, much like the one we use in MyVCM. They can be a great starting point for the compliance professional who supports you through a true risk assessment and the subsequent risk mitigation activities as you build your compliance program.
I speak to compliance professionals in the healthcare industry every day, who are living your compliance daily challenges right alongside you. While I would be delighted to discover an online risk assessment that assures your compliance with HIPAA, meets ISO standards and follows NIST methodologies, the fact is risk assessments are subjective, situational and specific to the organization’s risk tolerance. That is to say, completing one is definitely not just a click away.