HHS announces new risk assessment tool for HIPAA security compliance

more+
less-

Recently, the Department of Health and Human Services released an interactive security risk assessment tool intended to assist employers who sponsor self-insured group health plans in complying with their HIPAA security rule obligations. As background, HIPAA requires self-insured group health plans and their business associates to protect the confidentiality, integrity and availability of their electronic protected health information (ePHI). Most importantly in this regard, the law requires that these plans conduct a thorough and accurate assessment of the potential risks and vulnerabilities of their electronic ePHI. The requirement for a group health plan to conduct a security risk assessment has been in place since the HIPAA Security Rule was promulgated in 2003; however, very few group health plans have conducted security risk assessments for a number of reasons. In a recent HHS audit of covered entities, 20 of 35 health plans and 47 of 59 health care providers had not conducted a complete or accurate security risk assessment.

HIPAA security assessment toolWith HHS audit activity increasing and the potential for significant enforcement penalties, it is more important than ever for employers to make sure they have HIPAA privacy and security compliance covered. For example, last year the HHS announced a $1.2 million settlement with the Affinity Health Plan in connection with a HIPAA breach resulting from returning a leased copy machine without “wiping” the hard drive containing ePHI of over 340,000 health plan members.

The new HHS risk assessment software and toolkit can be accessed at http://www.healthit.gov/security-risk-assessment, and includes a user guide and tutorial video.

Security risk assessments are a key component of a covered entity’s or business associate’s HIPAA compliance program, which should include the following elements required by the regulations: HIPAA privacy and security policies, breach investigation procedures and notification policies, initial and refresher training for workforce members, and updated business associate and subcontractor business associate agreements with third parties and vendors.

HIPAA privacy and security rules also apply to health care providers and their business associates.

Topics:  Compliance, Data Protection, HHS, HIPAA, Risk Assessment

Published In: Health Updates, Labor & Employment Updates, Privacy Updates, Science, Computers & Technology Updates

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© McAfee & Taft | Attorney Advertising

Don't miss a thing! Build a custom news brief:

Read fresh new writing on compliance, cybersecurity, Dodd-Frank, whistleblowers, social media, hiring & firing, patent reform, the NLRB, Obamacare, the SEC…

…or whatever matters the most to you. Follow authors, firms, and topics on JD Supra.

Create your news brief now - it's free and easy »