
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities and their business associates conduct a risk assessment of their healthcare organization. A risk assessment helps your organization ensure it is compliant with HIPAA’s administrative, physical, and technical safeguards. A risk assessment also helps reveal areas where your organization’s protected health information (PHI) could be at risk.


On January 25, 2013, the HIPAA Omnibus Rule was published in the Federal Register to modify the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, Breach Notification and Enforcement Rules. The Omnibus Rule also made changes related to the Genetic Information Nondiscrimination Act (GINA). It must be said that there was not much new in the Omnibus Rule: in general, the document combines, specifies and describes in detail texts that were previously available. The document runs to over 500 pages, but we’ll provide you with a brief overview. HHS summarizes the document as follows:

'This omnibus final rule is comprised of the following four final rules:

  1. Final modifications to the HIPAA Privacy, Security, and Enforcement Rules mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act, and certain other modifications to improve the Rules, which were issued as a proposed rule on July 14, 2010. These modifications:
    1. Make Business Associates of Covered Entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules' requirements.
    2. Strengthen the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibit the sale of protected health information without individual authorization.
    3. Expand individuals' rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full.
    4. Require modifications to, and redistribution of, a Covered Entity's notice of privacy practices.
    5. Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others.
    6. Adopt the additional HITECH Act enhancements to the Enforcement Rule not previously adopted in the October 30, 2009, interim final rule, such as the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect.
  2. Final rule adopting changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act, originally published as an interim final rule on October 30, 2009.
  3. Final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act, which replaces the breach notification rule's 'harm' threshold with a more objective standard and supplants an interim final rule published on August 24, 2009.
  4. Final rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting purposes, which was published as a proposed rule on October 7, 2009.' 


Of course, after conducting the assessment, providers must implement appropriate procedures and develop policies. Understanding the rules and finding the right solution can be a tough task, so ONC, HHS and other organizations have developed tools and guides to simplify this. One of these assistants is the SRA Tool.

Security Risk Assessment Tool (SRA Tool) 

The SRA Tool is a standalone application that runs on Windows desktops and laptops and, on Apple devices, on iOS for iPad only. This tool is not required by the HIPAA Security Rule, but is meant to assist providers and professionals as they perform a risk assessment. The tool takes you through a series of questions, each of which you answer “yes” or “no”. There are 156 questions in total. The tool also shows you explanations and recommendations for each question.

The tool serves as your local repository for the information and does not send your data anywhere else.


There are other guides and useful templates that can help you comply with HIPAA requirements and better understand the rules.

Examples of administrative, physical and technical safeguard questions from the Risk Assessment:

Administrative Safeguards: 

  • Do you keep an updated inventory of hardware and software owned by the practice?
  • Do you or your workforce take home portable computers or other devices containing ePHI?
  • Have you established procedures for creating, changing, and safeguarding passwords? 

Physical Safeguards: 

  • Do you know who needs access to the facility in the event of a disaster?
  • Do you validate a person’s authority to access software programs for testing and revision?
  • Have you documented how workstations are to be used in the physician practice? 

Technical Safeguards: 

  • Do your computers automatically log off after a specific period of inactivity?
  • Is the e-mail sent over an open network such as AOL, Yahoo!, EarthLink, or Comcast?
  • Does your system require users to identify themselves using a password and user name?

You may well have questions about the HIPAA rules to which you have never received a direct answer. For example:

Question: May physician's offices use patient sign-in sheets or call out the names of their patients in their waiting rooms?

Answer: Yes. Covered entities, such as physician’s offices, may use patient sign-in sheets or call out patient names in waiting rooms, so long as the information disclosed is appropriately limited. The HIPAA Privacy Rule explicitly permits the incidental disclosures that may result from this practice, for example, when other patients in a waiting room hear the identity of the person whose name is called, or see other patient names on a sign-in sheet. However, these incidental disclosures are permitted only when the covered entity has implemented reasonable safeguards and the minimum necessary standard, where appropriate. For example, the sign-in sheet may not display medical information that is not necessary for the purpose of signing in (e.g., the medical problem for which the patient is seeing the physician). See 45 CFR 164.502(a)(1)(iii).

There is a large FAQ on the web; check it, since your question may already have been asked and answered.

August 2018