When was the last time your entity performed a risk assessment under HIPAA? If it's been over a year, it may be time to do another one. Performing a risk assessment is a vital component of HIPAA compliance for covered entities and business associates, yet many fail to perform one at all, or do them so infrequently as to make them of little value.

Despite the importance and necessity of performing risk assessments, it's not always an easy task and could require significant time, resources and money, depending on the size of the covered entity or business associate and the amount of PHI it maintains.The Office for Civil Rights (OCR) has recognized this, and so for many years, in collaboration with the Office of the National Coordinator for Health Information Technology, it has made available a downloadable Security Risk Assessment Tool to assist small- and medium-size providers in meeting their obligations to conduct a security risk assessment.

OCR released an update to the Security Risk Assessment Tool last month. If you are a small- to medium-size provider and do not have a recent risk assessment, consider taking it for a spin.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.