HIPAA risk assessment for counties and behavioral health

HIPAA in counties and behavioral health organizations

Here's the problem. Counties and behavioral health CBOs often think they are compliant with HIPAA regulations for privacy and security, but that belief is rarely based on any sort of objective reality such as a formal risk assessment. There are 40 different policies required by the HIPAA Security Rule, so an appropriate comprehensive policy document might be 30 - 40 pages long with a corresponding set of procedures. If properly done, these procedure documents require IT staff, corporate compliance, medical records, department management, and many others to perform and document specific activities on a periodic, recurring basis. Moreover, as part of a solid information governance program, your governance/compliance team should include legal, IT, HR, and records management, as well as team members from executive management and your governing board.

There are some dead giveaways that reveal a lack of HIPAA compliance. For instance, if you don't have a current risk assessment and risk management plan, you are not compliant. If you've priced out audited risk assessments, you may have discovered they are expensive! I have seen risk assessments for even relatively small counties run between $15,000 and $150,000 on RFP. Do you want to pay that kind of money just to find out you are not compliant?

A solution for your organization

We have been working with HIPAA compliance since 2002 and have developed an unaudited, self-reporting risk assessment workshop you can use to assess your policies, procedures, and risk. This is a two-hour workshop in which we walk you through a set of questions that address every policy component in the HIPAA Security Rule and include several other best practices from ISO/IEC 27001 and the NIST Cybersecurity Framework. Each question is linked to the corresponding policy component required by HIPAA. At the end of the workshop, we'll send you the deliverable -- a color-coded risk assessment report clearly identifying every area in which your policies require additional work so you can begin remediation immediately.

How it works

We do this as a webinar, so no one has to leave their office. For county governments, we recommend you gather a multidisciplinary team including members from at least three of the following areas.

  • Legal department
  • Information Technology
  • Departments managing PHI and PII (Mental Health, Public Health, Probation, Social Services, Correctional, County Recorder, etc.)
  • Executive - County Legislator, Commissioner, County Executive, COO, CFO, etc.

For standalone Community Based Organizations, we recommend a mix of staff members responsible for compliance. We are happy to provide a quote for on-site audited risk assessments if you so desire, and we are available to help you develop policies and procedures and review your infrastructure so you can get compliant.

Cost - $500

How to prepare

Gather your security policies and procedures to use as a reference as we work through the assessment tool.

Final Report Example: