A person calls your office looking for a <<enter your specialty here>>. Based on the symptoms he describes, you, as the subject-matter expert in your specialty and the professional, tell him that he first needs to come to the office so you can make a proper assessment, run some tests and arrive at a diagnosis. The person then asks, "Can't you just tell me over the phone, and how much is it going to cost me?" To this you respond: sorry, but prescription without diagnosis is malpractice. The person, having diagnosed himself, then realizes he doesn't have insurance coverage and tells you, "Sorry, doc, I'm not really dying or that sick... that's too much for what I need."

How does the person really know exactly what he needs if he's not a subject-matter expert in what he needs help with? Isn't that why he's reaching out to a professional in the first place?  Is the decision based on money or healthcare?

I encounter this scenario often when people reach out to me for a HIPAA risk assessment...

A HIPAA risk assessment is not like comparing a generic drug with its more expensive name-brand counterpart. The HIPAA law is the same whether you are a one-person shop or a mega hospital. Since HIPAA does not provide implementation details, what can vary between covered entities or business associates is the implementation chosen to remain compliant, based on their specific practice. For example, a hospital may use a $50,000 piece of hardware or solution to address a specific HIPAA risk on its site, where a one-person private practice may need a less expensive solution to address the same risk. But the same risks still need to be addressed and mitigated regardless of practice size. The cost of a comprehensive HIPAA security risk assessment is based on the number of devices, locations, systems used, staff, reports, and a number of other time-consuming tasks and tools used to perform the assessment. It's not just a spreadsheet template where you fill in the blanks.

With all due respect to all the hard-working providers out there who haven't taken care of this required annual assessment, it only takes ONE breach or HHS audit to severely damage your practice, damage your reputation and likely put you out of business. Not having time for it, not having the money, or thinking you are too small to worry about this is the equivalent of ignoring a serious medical condition that runs in your family. It's like playing Russian roulette. You can go on for years taking your chances of not getting a proper and comprehensive HIPAA risk assessment done, but eventually your luck will run out. Plus, HIPAA is just a baseline for compliance. HIPAA is a federally mandated law, and you should strive to go above and beyond it; state and local laws also apply.

If you are serious about your business (and I'm sure you are), take HIPAA compliance seriously and do not make the same bad 'business' decision, as reported in many HHS HIPAA Violation press releases, of "not having done a proper risk analysis."  

Doing self-assessments is like forgoing an annual mammogram because you think self-examination is sufficient; or not having a colonoscopy done at a certain age because you don't think you need one; or ignoring an unusual pale or yellow patch of skin, or a skin growth, that doesn't go away. Leave the HIPAA risk assessments to the experts.

It's easy to forget with all this HIPAA stuff that ultimately, you are stewards of your patients' information. It's not just about having the patients sign a HIPAA privacy intake form that has been photocopied a million times over and nobody reads.  It is your responsibility to your patients (and customers) to make sure their information is actually kept secure and private.

Here is a basic compliance checklist that has helped other healthcare professionals better understand the responsibilities associated with HIPAA. The checklist is also available for download as a PDF.

