Your organization has completed its annual HIPAA Security Risk Analysis (SRA) for 2023 – mission accomplished! Or is it?
When assessing the SRA, start by reviewing all identified risks and the level of impact each would have on the organization. In other words, would a particular risk have a low, medium, or high impact should it materialize? And what is the probability that the risk will become reality?
Here are some examples:
- The organization has a designated Security Officer; however, their role and responsibilities are not clearly defined and staff are unaware of this person’s position.
- During offboarding of a staff member, no checklist has been created to ensure that the terminated employee's accounts have been disabled in all operating systems and applications containing ePHI; that keys, fobs, and/or badges have been turned in; that the alarm code has been disabled or reset; and that remote access into the organization's network has been removed.
- Servers in the organization are end-of-life and no longer supported by the manufacturer.
Do not complete the annual SRA, put the report on a shelf or in a folder on your network, and do nothing! Put together a to-do list right away, placing high-priority risks at the top of the list, each with a completion date. Use the report to improve the organization's security and compliance.
HIPAA compliance isn’t a one-time checklist. It’s ongoing, programmatic in nature, and requires demonstrated reasonable diligence to stay in good standing with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Anatomy IT can provide you peace of mind with our expert HIPAA compliance services. To learn more, contact us here.