If you’re weighing whether to use an outside consultant for your HIPAA risk analysis, consider this advice from an expert. For starters: it is not legally necessary to engage an outside HIPAA expert to perform your annual risk analysis. The size, scope, and specialty of your organization usually determine whether an outside resource is needed.
However, if the same person who performs the assessment also manages the resulting implementations month to month and year to year, a change of perspective may be in order. “I think it is good to engage an outside consultant, to ensure that those issues that staff may be blind to can be revealed,” advises Jim Sheldon-Dean with Lewis Creek Systems in Charlotte, Vt. Sheldon-Dean adds, “But reviews can also be internally directed, and it can be useful to have a mix, alternating reviews by internal or external parties, or alternating between two external parties.” An outsider can look at your agency’s challenges objectively and is more likely to call out issues that staff may purposely ignore, particularly since a large share of breaches are caused by insiders. “I doubt that insider issues would affect the risk analysis, since the risk analysis will dictate what needs to be done for security, but leave the investigation of what’s gone wrong to the processes instituted according to the risk analysis,” Sheldon-Dean cautions. “Doing the risk analysis, whether by internal or external parties, will result in exposing the need to look for improper insider activity, which is a required but often ignored process.”