With the HIPAA Omnibus Final Rule deadline around the corner, more people are searching for answers to their HIPAA compliance problems. HITECH Risk Assessments, as required by the new rules for both covered entities and business associates, seem to be on everyone’s mind. But what is a risk assessment tool? Is it a spreadsheet, is it a guide, or is it software? What does a Risk Assessment tool need to do, address or assess?
The HIPAA / HITECH Final Breach Notification Rule requires that covered entities and business associates perform an incident-specific risk assessment whenever they discover an incident involving unauthorized disclosure, use of, or access to protected health information (PHI). This risk assessment, also referred to as the “compromise” standard, must consider the specific factors outlined in the Final Rule to determine whether an incident is a data breach requiring notification to the affected individual(s) and regulatory authorities. A HIPAA / HITECH Risk Assessment tool enables entities to perform an objective and consistent risk assessment, to decide whether the incident is a breach, and to identify all of their notification obligations under HIPAA and the myriad of state rules.