HIPAA Security Risk Assessment

The Office of Civil Rights (OCR) has issued guidance on the HIPAA Security Rule (45 CFR 164.302 – 318) which defines appropriate administrative, physical, and technical safeguards that organizations under the purview of HIPAA must take to secure Protected Health Information (PHI).

Within the Security Rule, specifically 164.308(a)(1)(ii)(A), these organizations must conduct a risk assessment: “RISK ANALYSIS (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].”

While that’s all well and good, there is no prescribed method for conducting a risk assessment. Comments from the OCR, coupled with their renewed vigor to audit and impose penalties on organizations failing to demonstrate due diligence and compliance under HIPAA/HITECH, suggest that one does not need to read tea leaves to identify what needs to be done.

To that end, D5 maintains the experience and knowledge necessary to complete a bona fide risk assessment. While we are not lawyers and cannot attest to any organization being “HIPAA compliant”, we can provide your organization with HIPAA Risk Assessment services that can not only withstand the scrutiny of an OCR audit but also help technical staff and business leadership alike understand how the prudent adaptation of security controls can protect PHI in a cost-effective way. Similarly, throughout the analysis, we provide your organization with a framework to address these controls in a manner that facilitates a demonstrable and continuous risk analysis and management process.

Whether your organization is a direct healthcare provider, a Covered Entity (CE), or one that is subject to a Business Associate Agreement (BAA), thereby requiring it to attest and demonstrate how it protects PHI, D5 provides your organization with the guidance and experience necessary to continue to thrive while upholding its requirements to safeguard protected and confidential information.

If you don’t test your system’s security like there’s something to gain, someone else will…

Ready to take your security to the next level?

Contact Your Representative to Get Started:
