What is a HIPAA Risk Assessment?

Prior to 2013 it was a requirement that Covered Entities (i.e. doctors, hospitals, etc.) conduct a Risk Assessment.

Then in 2013, the Final Omnibus Rule updated the HIPAA Security Rule and extended portions of the HIPAA Privacy Rule and the Security Rule, making the requirement to conduct HIPAA risk assessments directly applicable to Business Associates. At the same time it increased the amount a Business Associate could be fined for non-compliance with HIPAA regulations.

So what is a HIPAA Risk Assessment as it relates to a Telephone Answering Service?

Succinctly, HHS (US Dept of Health and Human Services) stipulates that the goal of a HIPAA risk assessment is for a Business Associate (in this case a Telephone Answering Service) to proactively conduct an internal review of its company and to identify potential vulnerabilities, threats and risks to the PHI that the Telephone Answering Service receives, transmits or maintains.

Broadly, the HIPAA Risk Assessment (aka a Security Risk Assessment, or SRA) is a process, best done as a step-by-step review of each area of your company that touches the PHI you handle on behalf of your clients. Typically a Security Risk Assessment is best accomplished using a checklist-based tool or methodology to guide you through assessing your company's procedures and policies, to ensure health information is protected and not at risk of being stolen or shared with the public, whether inadvertently or by malicious intent.

By the way, contrary to popular belief, a HIPAA Security Risk Analysis Assessment is not optional.

Why is a HIPAA Security Risk Assessment (SRA) important?

The short answer is: contrary to popular belief, a HIPAA Security Risk Analysis Assessment is not optional.

Telephone Answering Services are considered to be a Business Associate to a medical or doctor's office. Business Associates are required by the HIPAA Security Rule of 2013 to conduct a risk assessment of their own organization.

In June 2016, HHS (US Dept of Health and Human Services) issued its first fine solely against a Business Associate: the Catholic Health Care Services of the Archdiocese of Philadelphia agreed to pay $650,000 following a relatively small possible breach of 450 patient records. The magnitude of the fine was directly related to the non-profit organization having failed to conduct a HIPAA risk assessment since 2013. Since June 2016 other Business Associates have been fined by HHS; many of those fines were the result of failing to conduct a HIPAA risk assessment.

A risk assessment helps your company ensure it is compliant with HIPAA's administrative, physical, and technical safeguards. A risk assessment also helps reveal areas where the protected health information (PHI) your Telephone Answering Service (TAS) processes and stores could be at risk, allowing you to take corrective action.

The bottom line is that an SRA is important so that you can ensure your company's procedures and policies incorporate a methodology to mitigate the risk of a breach and/or substantial fines.
