While an annual security risk analysis is considered foundational for HIPAA compliance, a majority of respondents to a casual survey admit failing to prioritize this critical task.
A recent poll of webinar attendees found that barely one-third may be fully HIPAA compliant, based on responses to a single question: “Have you completed your HIPAA Risk Analysis for this year?”
Conducting an annual security risk analysis is one of the foundational requirements of HIPAA compliance. Still, only about 34 percent of participants in the poll conducted by Compliancy Group said they’d completed their HIPAA risk assessment for this year — nearly halfway through 2022.
Liam Degnan, director of strategic initiatives for Compliancy Group, said he does not find the numbers surprising.
“Look at the statistics of HIPAA violations and fines. You can trace an overwhelming majority of them directly to the failure to conduct or complete a security risk analysis,” Degnan said. “When properly done, this analysis provides a snapshot of an organization’s current state of compliance so that gaps can be identified and remediated. The government demands that it be done every year because it serves as a measuring stick of what is being done. It is an essential part of building the case that an organization is making a good faith effort to comply with the HIPAA laws.”
The results from this survey are echoed by Ryan Smith, director of sales and customer success for Rigid Bits, a managed security service provider and cybersecurity firm.
“I talk to so many people who swear they’re HIPAA compliant, but 99 percent of them are not,” Smith said.
Considering ongoing threats from organized cybercriminals in Russia, China and North Korea, achieving HIPAA compliance is considered a minimum step for healthcare providers or vendors to secure a patient’s protected health information.
According to the Department of Health and Human Services (HHS), breach reporting portal (a.k.a. The Wall of Shame) breaches have exposed at least 10.6 million patient records through the first five months of 2022. This total includes incidents involving breaches affecting 500 or more records per incident.
The regulations and expectations are the same for every healthcare provider, insurance company or vendor serving them who creates or possesses protected health information. The one-doctor practice in rural America and a regional medical system serving a metropolitan area must meet the same standard. The way each achieves that standard can and does vary wildly.
“There are two key points that you must understand if you have to be HIPAA compliant. First, it’s a journey, not a destination. You must continue to conduct risk assessments, train employees and update policies and procedures to reflect what you are doing to meet the seven fundamental compliance elements,” said Marc Haskelson, chief executive officer of Compliancy Group.
“Second, one size fits all doesn’t truly fit anyone. The law requires you to tailor your compliance strategy to your organization’s operation. Two practices with the same number of patients, in the same city, offering the same services may not run their practices in the same manner,” Haskelson said.
A total of 146 respondents participated anonymously in the survey, which was conducted on May 20 during Compliancy Group’s “6 Secret Ingredients to HIPAA Compliance” webinar.
This non-sponsored article was prepared with material provided by Compliancy Group.
Since 2005, Compliancy Group has been committed to simplifying and verifying the HIPAA Compliance process for small and mid-sized Covered Entities and Business Associates. The company’s web-based software solution “The Guard” coupled with live guided coaching allows clients to automate 86% of the administrative tasks associated with HIPAA compliance.