Organizations that are subject to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule must adopt administrative, physical, and technical safeguards to protect electronic protected health information (ePHI). Compliance is not a one-time event: the Security Rule requires covered entities and business associates to conduct an accurate and thorough risk analysis and to periodically evaluate whether their existing safeguards and controls remain effective.
While the Security Rule does not require that an external, third-party organization conduct your HIPAA security assessments, there are several reasons your organization may want to consider outsourcing this task.
Achieving and Maintaining Compliance
Compliance with HIPAA is mandatory for all covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates. An external assessment can help confirm that your organization is meeting the applicable requirements and can reduce the risk of penalties or legal consequences for non-compliance.
A HIPAA assessment can identify vulnerabilities and gaps in the organization's security program. Independent information security experts provide an objective perspective because they are not involved in the organization's internal practices and protocols. They also have the benefit of having assessed dozens of similar organizations, so they know the common (and not so common) mistakes and gaps to look for, and they stay current on the evolving threat landscape and on regulatory updates specific to HIPAA. Once risks are identified, the organization can use the assessment report and its recommendations to prioritize and remediate findings more effectively.
Regular assessments help the organization continuously identify areas for improvement and strengthen its security measures. Because risks keep evolving, a recurring assessment also confirms that you are addressing new and emerging threats and that your controls still protect ePHI from unauthorized access.
A compliance assessment conducted by an external party provides an unbiased evaluation of the organization's security program and adds credibility to the organization's claim of compliance. The confidentiality and privacy of patient information are crucial in healthcare, and an external assessment demonstrates a commitment to proactively safeguarding that information.
If you are a business associate, the covered entities and partners you work with may require, as part of the business associate agreement (BAA), that your organization undergo an external HIPAA assessment to demonstrate compliance with the necessary security standards.
Organizations may also face official audits or investigations from the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), and an assessment can help address compliance gaps before the auditors arrive. Having a third party conduct the assessment also frees internal resources to focus on other initiatives within the organization.
While there are obvious expenses associated with hiring an external auditor or assessor, these costs are small compared to the potential fines and reputational damage that follow a data breach or HIPAA violation. A third-party security assessment can help prevent costly security incidents and provides a strong, ongoing foundation for your organization's HIPAA compliance program.
Additional feedback provided by one of our Security Advisors:
Burt: When dealing with meeting HIPAA security requirements, it can sometimes be unclear whether current practices are in line with the stated intent of the rules listed within the administrative, physical, and technical safeguards. Working with an outside third-party consultant that has experience reviewing these safeguards for other similar entities (e.g. Higher Education) can be invaluable and save significant time when scoping an environment. In addition, although internal staff are more than likely capable of assessing environments, we find that limited resources play a role in having the ability to perform an internal review of HIPAA environments. Lastly, for whatever reason, it does seem that having an external third party perform an assessment does provide a greater level of comfort when audit situations arise (e.g. Internal Audits).