If you’re getting new software, put a HIPAA review at the top of your priority list.
Question: We are having a bit of a debate. Some of us think that performing a HIPAA risk assessment once every few years is adequate, but others believe that we should do them more often. How often should our agency perform a risk assessment?
Answer: The answer is not the same for every organization and every situation. You should generally “take a good scan around and make sure you’ve covered all your bases at least once every couple of years,” says Jim Sheldon-Dean, founder and director of compliance services for Lewis Creek Systems based in Charlotte, Vt.
If nothing much in your organization is changing and you’re continuing to do business the way you always have been, performing a comprehensive risk assessment every couple of years is sufficient.
Caveat: But if you know you’re making a change — for example, if you’re installing some new systems or changing how you’re doing business — you need to perform a risk assessment to pinpoint any risks and determine whether the change alters any of your risk profiles, Sheldon-Dean stresses.
Note: For more information on HIPAA compliance, subscribe to Health Information Compliance Alert at www.aapc.com/codes/coding-newsletters/my-health-information-compliance-alert.