The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, was enacted on August 21, 1996.  However compliance due dates varied based on the particular topic.  For example, compliance date for the Privacy Standard was April 14, 2003 while the compliance date for the Security Standards was April 21, 2005. This difference in dates alone represent a potential for misunderstanding as HIPAA Privacy required a gap analysis from all applicable parties while HIPAA Security required a Risk Assessment.  Furthermore, HIPAA Privacy requirements were a little “looser” in terms of the details while HIPA Security was quite more specific.  For example, the HIPAA Security Risk Assessment was identified under § 164.308(a)(1)(ii)(A) as a required action. As the time passed the requirement of a Security Risk Assessment continued to be enforced and is not uncommon to hear about it when discussing the HITECH Act, Meaningful Use, Omnibus Rule and even the dreaded HIPAA audits.  As a matter of fact, auditors used to show some leniency when looking at Security Risk Analysis but it is our experience that every year they become a little more demanding in terms of what constitutes a valid Security Risk Assessment.  Also, while the law is somewhat vague regarding the frequency of the Security Risk Analysis it is evident that auditors want to see that at least an annual assessment has been completed. Therefore, our basic recommendations are as follows:

1. Conduct a Risk Assessment on a yearly basis.
2. If you don’t know how to do it hire an expert.
3. If hiring someone to conduct a risk assessment for you ask: have any of your risk assessments been presented during an audit? If so, what was the outcome?
4. Make sure your risk assessment has the date and year it was completed.
5. Complete a Security Management Plan after the audit.
6. Implement actions of your Security Management Plan.

As always, in case of questions, simply contact us.