
HIPAA Security Risk Assessments: Are you ready?

HIPAA Security Risk Assessments

Enforcement of HIPAA by the United States Department of Health and Human Services Office of Civil Rights (“HHS/OCR”) has been rampant in recent years and is at an all-time high. There have been many recent high-profile breach cases involving 7-figure settlements with Covered Entities and Business Associates. One of the most important lessons to glean from those settlements is that HHS/OCR noted that the Covered Entities had never performed adequate security risk assessments (“SRAs”) as part of their HIPAA compliance programs.

SRAs are required by law to be performed by every Covered Entity and Business Associate. Additionally, completing an SRA is a core requirement for meeting Meaningful Use objectives for hospitals and physicians looking to take advantage of HITECH provisions and Meaningful Use incentive payments and reimbursements.

Unfortunately, most Covered Entities have not performed an adequate SRA and/or documented one, and many have not performed one at all. Failing to perform and document an SRA places your organization, whether it is a Covered Entity or a Business Associate, at significantly increased risk of a HIPAA violation and potential fines and penalties. It also places your organization at risk of a possible breach or loss of Protected Health Information (“PHI”) and electronic PHI (“ePHI”).

Covered Entities and Business Associates that have not yet performed an SRA should do so immediately and document their performance of it. An effective SRA includes the following elements:

(1) Identifying all ePHI that the organization creates, receives, maintains or transmits, and the manner in which it does so, including how the data is gathered and collected.

(2) Identifying and documenting all potential threats and vulnerabilities to ePHI, including hacking, theft, malicious software and other malicious actions.

(3) Assessing the organization’s current security measures, including password and encryption protection for both stored ePHI and email transmission, physical security measures such as alarms and locks on doors, and administrative safeguards such as well-written HIPAA security policies and procedures.

(4) Determining the likelihood of a threat occurrence, such as theft or hacking of ePHI, and determining the potential impact of any such threat occurrence. Be sure not to overlook potential destruction of ePHI due to natural causes such as a hurricane (after all, this is Florida).

(5) Determining levels of risk and the likelihood that a threat occurrence will materialize, as well as developing an action plan for the event that a threat occurrence actually materializes (for instance, maintaining off-site backups of all ePHI and having a well-written breach notification, internal investigation and corrective action plan in the event of a breach).

(6) Finalizing written documentation of the SRA. Many Covered Entities and Business Associates perform SRAs but do not document them properly or fully. HHS/OCR looks for documentation in every investigation and audit that it conducts. Without appropriate documentation, an organization may not be able to successfully defend a HIPAA complaint, investigation or audit.

(7) Conducting periodic reviews and updates of the SRA. Don’t just implement one and forget about it!

(8) Considering cyber liability and/or HIPAA defense insurance.

There are many tools which Covered Entities and Business Associates can use to perform an SRA. In fact, HHS released a Security Risk Assessment Tool on its website on March 28th of this year. While that Tool is not necessarily intended to be a stand-alone document and assessment, it can be useful in completing an effective SRA. Of note, an organization may discover breaches or other potential HIPAA privacy and security issues or violations while conducting an SRA. Therefore, it is strongly recommended to always retain experienced and competent health care legal counsel to assist in conducting an SRA, not only to address issues which may arise but also to preserve any applicable work product privileges.

Bottom line: if your organization has not performed an SRA or properly documented one, it should do so immediately in order to reduce its risk profile under HIPAA.

Mr. Lowe and our law firm regularly represent physicians and other licensed health care professionals in the defense of medical malpractice cases, review of their medical malpractice professional liability insurance policies and coverages, and personal counsel matters as well as the review of employment contracts. To contact us regarding such matters please visit our website www.lowehealthlaw.com or call our office 407-332-6353. Michael R. Lowe, Esq. is a board-certified health law attorney and shareholder at Michael R. Lowe, P.A., 800-571-5208.
