One of our favorite phrases at HIPAA One is “free like a puppy.” Our President, Steven Marco uses it regularly on webinars to convey the sentiment that nothing is ever truly free and there is always some kind of hidden string attached. This sentiment absolutely applies to some of the “free” HIPAA risk analysis solutions in the marketplace today. Regardless of whether you are seeking a spreadsheet/checklist or paid software tool to complete your risk analysis, this post will review what you need to look for and how to spot a risk analysis phony.
Selecting a vendor or tool to complete your risk analysis is an important task and doing your due diligence is KEY. With a few questions and a bit of research, you can help protect your workplace from massive consequences should a patient complain or security issue arise down the line. Just because a vendor makes the claim that they will help you complete a bona fide HIPAA security risk analysis, does not mean that risk analysis would stand up (or pass) in an industry audit.
Before committing to a vendor, consulting firm or paper shredding company (hey, we’ve heard of it before!), it’s important to ask what’s included, what the vendor’s audit wins and losses have been, and what assurances they offer. Below is a list of what you need to be looking for in a risk analysis solution or service:
- Industry-Certified Auditors on Staff – Verify the vendor has:
  - Auditors who are certified professionals, such as CHPS, CISSP, HCISPP, CISA, etc., and
  - Previous experience responding to AND PASSING government and private-sector audits.
- Compliance Gap-Assessment – This assessment determines whether your workplace meets each of the HIPAA requirements as selected by the Office for Civil Rights’ (OCR) HIPAA Audit Protocol.
- Mock-Audit – Put your money where your mouth is. If your workplace maintains HIPAA compliance, prove it with proper supporting documents and examples per the OCR’s HIPAA Audit Protocol.
- Risk Analysis – A bona fide security risk analysis that digs into any non-compliant areas, along with a calculation tool that rates each gap as low, medium or high risk to the organization using NIST-based methodologies (i.e. at minimum NIST SP 800-30 rev 1 and NIST SP 800-53 rev 4).
- Remediation Plan – This documented plan answers the question “Who will do what by when?” in regard to remediating gaps in compliance.
- Final Report – Key deliverable proving compliance with the HIPAA security risk analysis requirement.
- Ongoing Tracking – Track the resolution of those compliance gaps so that due diligence can be proven in the event of an audit.
- Periodic Re-evaluation – Each year, take a new “snapshot” by performing steps 2-6 on any changes that occurred since the previous year.
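To make the gap-assessment, risk-rating, remediation-plan and annual-snapshot steps above concrete, here is an added example of how a minimal tool could model that workflow. It is not HIPAA One’s software or any vendor’s code; the three-level likelihood and impact scales, the risk thresholds, the remediation due dates, the sample questions and the owner names are all assumptions constructed for illustration (NIST SP 800-30 rev 1 itself defines five qualitative levels). The Security Rule citations attached to the sample questions are the standard HIPAA paragraph numbers, used only as labels.

```python
# Added example (not HIPAA One's or any vendor's code): a minimal model of the
# gap-assessment -> risk rating -> remediation plan -> annual snapshot workflow,
# using a NIST SP 800-30-style qualitative likelihood x impact rating.
# Scales, thresholds, due-date SLAs, owners and sample findings are constructed.
from dataclasses import dataclass
from datetime import date, timedelta

LEVELS = {"low": 1, "medium": 2, "high": 3}   # assumed three-level scales


@dataclass(frozen=True)
class Finding:
    control: str      # HIPAA Security Rule citation the question maps to
    question: str     # audit-protocol style yes/no question (constructed)
    likelihood: str   # chance the gap leads to a breach of ePHI
    impact: str       # consequence to ePHI confidentiality/integrity/availability


def rate_risk(likelihood, impact):
    """Qualitative risk = likelihood x impact, bucketed low/medium/high (assumed thresholds)."""
    score = LEVELS[likelihood] * LEVELS[impact]
    return "high" if score >= 6 else "medium" if score >= 3 else "low"


def gap_assessment(answers, catalog):
    """Step 2: keep every catalog item the organization answered 'no' (non-compliant) to."""
    return [catalog[q] for q, compliant in answers.items() if not compliant]


def remediation_plan(findings, owner_by_control, today):
    """Step 5: 'who will do what by when'; the deadline shrinks as the risk rating rises."""
    due_days = {"high": 30, "medium": 90, "low": 180}   # assumed SLAs
    ordered = sorted(findings, key=lambda f: -LEVELS[rate_risk(f.likelihood, f.impact)])
    plan = []
    for f in ordered:
        risk = rate_risk(f.likelihood, f.impact)
        plan.append({
            "control": f.control,
            "risk": risk,
            "who": owner_by_control.get(f.control, "Security Officer"),
            "what": f.question,
            "by_when": (today + timedelta(days=due_days[risk])).isoformat(),
        })
    return plan


def snapshot_diff(previous_open, current_open):
    """Steps 7-8: compare this year's open gaps with last year's to prove ongoing tracking."""
    return {
        "resolved": previous_open - current_open,
        "still_open": previous_open & current_open,
        "new": current_open - previous_open,
    }


# Constructed sample catalog and answers for one small practice.
CATALOG = {
    "encrypt_laptops": Finding("164.312(a)(2)(iv)", "Are laptops holding ePHI encrypted?", "high", "high"),
    "audit_logs": Finding("164.312(b)", "Are EHR access logs recorded and reviewed?", "medium", "medium"),
    "password_policy": Finding("164.308(a)(5)(ii)(D)", "Is password management documented?", "medium", "low"),
}
ANSWERS_2017 = {"encrypt_laptops": False, "audit_logs": False, "password_policy": True}
OWNERS = {"164.312(a)(2)(iv)": "IT Manager"}   # everything else defaults to the Security Officer


if __name__ == "__main__":
    findings = gap_assessment(ANSWERS_2017, CATALOG)
    for row in remediation_plan(findings, OWNERS, date(2017, 10, 1)):
        print(row)
    last_year = {"164.312(a)(2)(iv)", "164.312(b)"}
    this_year = {f.control for f in findings}
    print(snapshot_diff(last_year, this_year))
```

The point of the structure is that each list item above becomes a separate artifact an auditor can ask for: the answers are the gap assessment, the rating is the NIST-style risk calculation, the plan rows are the “who, what, by when” remediation record, and the snapshot diff is the evidence of ongoing tracking from one year to the next.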
Beware! Free Services – ONC SRA Tool
Through the years we have heard many times that small to medium-sized practices have two main struggles as it pertains to HIPAA compliance: lack of knowledge and/or training, and lack of financial resources allocated to HIPAA compliance objectives. We understand there may be years where you or another member of your workplace will need to look up some free tools online to complete your HIPAA risk analysis manually. As you can imagine, this solution is not ideal, because many free services or tools do not include the documentation listed above, regulatory updates or audit-protection assurances; however, something is better than nothing.
Unfortunately, we are unable to provide feedback on each free risk analysis checklist or spreadsheet available today; however, we would like to spotlight one of them, the Office of the National Coordinator for Health Information Technology (ONC) Security Risk Assessment Tool (SRA Tool). Back at its inception in 2014, the SRA Tool was recognized in the marketplace as a rather thorough, good solution for healthcare providers seeking a free tool that covered most of the bases. Now, this three-year-old solution is outdated and, quite frankly, a liability to anyone who uses it. For this reason, we cannot endorse the SRA Tool in good faith, as it is truly not a production-ready solution and has not been updated to meet the updated HIPAA Audit Protocol.
Below is an excerpt from the “SRA Tool User Guide” clearly outlining that the tool does not guarantee compliance with the HIPAA Security Rule or issue any guarantees to an organization in the event of an audit:
While we do not recommend using this tool to complete your organization’s yearly HIPAA risk analysis, the tool can be used for training purposes. Healthcare IT professionals wanting to learn more about risk analysis may find the questions beneficial in advancing their knowledge of HIPAA compliance.
If your organization has not completed its 2017 risk analysis, there is still time! To learn more about the simplest, most automated and most trusted software solution in the industry, used by over 5,000 sites to protect their ePHI, CLICK HERE.