5 Common Risk Analysis Pitfalls to Avoid

You already know the importance of Risk Analysis for your organization: It’s a HIPAA and Meaningful Use necessity, and a smart way to protect valuable PHI from getting into the wrong hands. You already know that hackers are a daily threat, and the ramifications of not preparing for their evil genius can span from harsh fines to a permanently damaged reputation.

You get it, you’re smart, you’re on it. Now, it’s just a matter of avoiding common pitfalls.

Avoid These Common Risk Analysis Mistakes

When conducting your risk analysis, or hiring a third party to do it for your organization, these are the common pitfalls your organization needs to avoid.

  1. Checklists: A person or a covered entity using nothing but a checklist to run a risk analysis may run into some trouble. Many risk analysis experts use checklists in their practices, but on their own, checklists cannot sufficiently identify risks to the degree that regulations require. Most checklists are regulation- and policy-focused. Asking you to confirm the presence of a policy required by a regulation is useful for determining compliance risk. However, a checklist will not tell you whether an exploitable vulnerability exists on a particular machine that could jeopardize the security of ePHI.
  2. Overly Narrow View: Effective Risk Analysis should have a broad view. An overly narrow focus on EHR systems can cause you to overlook the many other places where ePHI resides. Other electronic devices should not be overlooked.
  3. Inventory: Any risk analysis method that does not include an IT asset inventory is likely flawed and insufficient. Covered entities need to identify the assets they use to store and transmit ePHI and know the risks to each of them.
  4. Policy: A security risk analysis obligates organizations to know the risks and threats to ePHI, not just to check off regulatory requirements and policies. A covered entity must have risk analysis policies and procedures in place that will properly identify risks and threats to ePHI.
  5. Overlooking Simple Fixes: The goal of conducting a risk analysis is to identify areas that can be improved, so that problem areas are fixed before they become serious or beyond repair. When problem areas are identified, it’s common to tackle the large issues first and put smaller issues on the back burner. However, it can be equally important to fix the smaller problems quickly. For example, HIPAA awareness training is often overlooked.

Remember, Risk Analysis is just a part of your total HIPAA compliance. CMS will begin conducting random HIPAA audits in 2016. The audits will be directed at organizations of all sizes (along with their business associates).

If your organization receives an audit notification, you will be given ten days to upload supporting documents to demonstrate that your compliance program is consistent with the new HIPAA protocol.

We want to help organizations like yours to be prepared to face these incoming audits with confidence, so we've created a free, online tool you can use to validate whether your organization is compliant.

To validate whether your organization is compliant, take our free HIPAA Audit Readiness Assessment today.
