What have you done for me lately? Now that the tune is stuck in your head, specifically, have you recently conducted a thorough and up to date risk assessment in accordance with the requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)? HIPAA requires health care providers of all types and sizes to conduct a security risk assessment analyzing the potential risks and vulnerabilities to the confidentiality, integrity, and availability of their electronic protected health information. The risk assessment is designed to help the provider ensure it has implemented appropriate administrative, physical, and technical safeguards and to help reveal areas where a provider’s PHI could be at risk. The form and format of the risk assessment is not specified by HIPAA. The assessment can be conducted either internally or externally by a contracted third-party. Nonetheless, the assessment must review the potential risks to the PHI, be up to date and cover all of the systems impacting electronic PHI, and be documented.

Originally Published Birmingham Medical News - August 2019.