How To Do A HIPAA Risk Assessment – Part 3

The Office of Civil Rights (OCR) is performing more and more HIPAA audits. How can you avoid getting hit with severe penalties from the government? The best way is to perform a complete HIPAA Risk Assessment, and to follow through with training and implementation.

Find out how to get compliant, and stay compliant in this multi-part series.  (To get this multi-part series delivered to your inbox CLICK HERE)

Once you have a complete inventory of all hardware used to access, store or transmit protected health information (PHI), you can create the necessary policies and procedures for your practice.

The HIPAA Security Rule requires practices to adopt and implement reasonable and appropriate policies and procedures.

The OCR will inspect your practice’s policies and procedures during an audit. This means that your policies and procedures had better be complete and up to date to avoid severe penalties.

Policies and procedures are also important because they help to avoid breaches, by ensuring that proper security methods are in place. They also are essential in the face of a breach, because they instruct your staff on how to respond.

What types of policies and procedures are required by HIPAA?

Your practice must develop a full set of policies and procedures. Some necessary policies include:

  1. Policies on training,
  2. Policies on sanctions for violations,
  3. Policies on access of ePHI and PHI,
  4. Policies regarding breaches and disaster management,
  5. Policies on backups and encryption, and
  6. Policies on social media.

Your policies and procedures should also include required forms and agreements, such as your staff Confidentiality Agreement, and your Business Associate Agreement.

HIPAA requires these policies and procedures be reviewed periodically and updated in response to any changes that may affect the security of electronic protected health information (ePHI).

Practices must keep their written policies and procedures for six years after the date of their creation, or their last effective date. Whichever date is later governs.

In our next blog post, we will continue this series on HIPAA Risk Assessments.  To get this important series delivered directly to your mail box, 

Do you need help with your HIPAA Risk Assessment?  We can help. To contact us about your risk assessment or your other legal needs:  CLICK HERE.

Related Posts


Recent Posts

Legal Documents for Your Graduating Senior
January 26, 2023
Can I Terminate My Physician Employment Agreement?
January 24, 2023
Do You Worry About Your Parents’ Health?
January 19, 2023
How Do I Escape My Non-Compete Clause?
January 17, 2023
Reasons Not to Have an Estate Plan
January 12, 2023


Enter your email to subscribe now and receive your FREE HIPAA Risk Assessment book!

An essential tool for all healthcare providers, Easy Guide to HIPAA Risk Assessments breaks down the requirements of HIPAA so you can successfully complete your required risk assessment.


Get it now for FREE (an $8.99 value!)

One more step! Please check your email to confirm your subscription and receive your FREE book!