Why We Love Risk Assessments (And Why You Should, Too…)

HHS.gov enforcement details for 2017

We talk about Risk Assessments often around here, for example here, and here, plus two additional articles for members here and here. Although the constant reminder to prepare for the worst can be exhausting, we think risk assessments are emphasized for good reason. Of about $19.3 million in fines for HIPAA violations in 2017, $8.3 million was at least partially related to a failure to conduct a risk assessment or to an insufficient risk analysis.

Your risk assessment, while comprehensive and detailed, should also be practical. A preventative measure can be as simple as ensuring that your client is informed of the risk of sending personal information to you in an email that is not encrypted. By making a good faith effort to identify all risks and prioritizing those that are high likelihood or high impact, you are not only saving yourself from a possible costly headache, but also operating your business in your clients' best interest.

If you look at the picture above (or click through to that page) you can see a list of HIPAA 'resolution agreements' for 2017 (i.e., the companies that had major breaches, how each was resolved, and the consequences). As you look over those HIPAA issues, are there any that you recognize as possible issues in your own practice? For example, do you have written business associate agreements with all of your third-party vendors? (If you need more help with BAAs, look here.) Do you have preventative measures in place to minimize the risk of a laptop or any other device being stolen? If you are aiming to get your ducks in a row in 2018, looking over this page may give you a good place to start. It is a good way to refresh your Risk Assessment: seeing what risks created BIG problems for other providers recently. Another great resource for this is the Teach Privacy newsletter. They recently sent a great summary of major HIPAA enforcement in 2017; check it out here if you'd like another source for double-checking your risk assessment.

What procedures have you updated in 2018? How often do you review your risk assessment?