Why Annual HIPAA Risk Assessments Aren’t Frequent Enough

January 29, 2014

Data security risk assessments are required in order to meet HIPAA compliance standards for covered entities and, since the final Omnibus Rule, for their business associates as well. The HIPAA Security Rule requires a "periodic" risk analysis, which most organizations interpret as an annual one, but most experts agree that once a year is not nearly often enough given how quickly the threat environment changes. Many would say these assessments should be carried out at least quarterly, if not monthly, in order to catch vulnerabilities before they are exploited.

Many covered entities have difficulty meeting even the yearly requirement, let alone anything more frequent, as budgets remain tight. In order to maintain the work flow the organization requires, corners are often cut and standards relaxed in order to meet deadlines. This is a concern, because small issues that remain uncorrected often grow into big ones before the next scheduled assessment. Most covered entities report that the main reasons for not assessing more frequently are the hectic pace of deadlines and the lack of funds to pay for the assessments.

Businesses with an overly aggressive schedule must adopt a different mentality: these assessments need to become part of the natural life cycle of the organization so that they can be conducted throughout the year on a regular basis. Each HIPAA assessment should include data collection on new vulnerabilities, verification that previously identified vulnerabilities have been corrected, and a list of vulnerabilities that were found but could not be corrected. A record should be kept of the decisions made regarding risk mitigation, including the rationale for accepting any residual risk, and of how the remediation process reduced risk to an acceptable level.

When time constraints limit the number of factors that a business or organization can track, one way to decide where to focus attention is to narrow the assessment priorities. Areas of primary concern should be based on what the organization considers most important for risk management, typically the systems that store or transmit the most protected health information. Less crucial areas can be added during subsequent assessments as time and resources allow.

Design the risk assessment process around systems that make auditing of patient records and other data effective and low in overhead. The key to identifying core vulnerabilities comprehensively is to assess early and often. Working from a schedule of set priorities lets covered entities establish a regular and frequent evaluation cycle, decreasing the likelihood of missing the variety of vulnerabilities that can emerge over the course of a year.

The most crucial element in preventing unknown risk factors from surfacing only during a HIPAA audit is to ensure that risk mitigation is carried out throughout the company's life cycle, including when decisions are made about scheduling and the allocation of resources. There must be accountability for remediation once vulnerabilities have been identified. Otherwise, the probability increases that already identified critical risks are simply left in place. Should it be discovered that compliance with remediation recommendations is low, an analysis should be carried out to determine why identified risks are not being addressed within the organization.

While many organizations may be clear on their HIPAA/HITECH regulatory obligations, few fully understand the process for effectively and comprehensively remediating identified vulnerabilities to reduce overall risk. This lengthens each assessment, making anything more frequent than yearly assessments unmanageable. It is critical to make certain that all key personnel involved in HIPAA assessments are fully trained in risk mitigation and that regular training reviews and updates are conducted.

Ensuring that comprehensive and effective risk assessments can be conducted regularly within the organization will help covered entities maintain HIPAA compliance. It will also show personnel what is lacking in the company's data security plan.