By Adam Turteltaub

At this point anyone in healthcare who doesn’t have a plan for managing HIPAA compliance risks is behind the eight ball and times. But, for those who do have a program in place, the question is: does it currently reflect your risk profile?

Nancy Roht (LinkedIn), Managing Principal at Compliance Pro Consulting points out in this podcast that just because the HIPAA regulations don’t specify how often a HIPAA risk assessment should be done it’s best to do so annually, and perhaps even more frequently if something significant happens. Changes in leadership, organizational structure, goals, quality and major vendors can all call for a fundamental reexamination of your strategy.

When conducting the assessment, don’t mistake it for a gap analysis. Make it a true assessment of risk and put together a work plan to address any deficiencies.

When conducting the assessment, she recommends interviewing both leadership and staff to get a comprehensive picture. Take an inventory of the PHI you have, potential threats, vulnerabilities and security measures. Then, assign risk levels, prioritize and document your thinking. Years from now no one will remember what decisions were made and why, without the documentation.

Be sure to look externally at your business associates, particularly those with evergreen agreements. They may have run out of date.

Listen in to learn more about how to make your HIPAA risk assessment stronger.