How to Conduct a HIPAA Risk Assessment
What is a HIPAA Security Risk Assessment?
Data breaches are nothing new. If anything, with the advent of electronic medical records, they have become much more common. With that in mind, a security assessment is a vital way to determine threats and vulnerabilities to Protected Health Information (PHI). Not only is it useful for identifying threats, but a risk analysis is also mandatory: the HIPAA Security Rule requires Covered Entities and their Business Associates to conduct an annual HIPAA risk assessment and implement security measures in order to help safeguard PHI.
Prior to implementing safeguards, organizations need to know what kind of PHI they can access, where they have gaps and security risks, and what can threaten the integrity and security of PHI. HIPAA stipulates that covered entities and their business associates complete a thorough risk assessment to identify and document vulnerabilities within their business.
Performing a security risk analysis is the first step in identifying vulnerabilities that could result in a breach of PHI. HIPAA doesn’t give instructions on how a risk analysis should be conducted, because the rule recognizes that the needs and vulnerabilities of covered entities and business associates are often very different from one another, and that organizations of different sizes have access to different levels of resources. However, you do need proof that your organization has conducted a risk assessment.
Why complete a risk assessment?
If the fact that a Risk Assessment is required by HIPAA is not enough to motivate you to begin the process, one should bear in mind that the penalties for even a small breach of PHI can quickly become staggering. So not only will performing a risk assessment give you an opportunity to address and correct vulnerabilities, but the risk assessment could also protect your organization from more severe fines.
Determine the Scope of Your Risk Analysis
A Risk Assessment is a thorough and accurate audit of your business’s administrative, physical, and technical safeguards to identify vulnerabilities and risks to the integrity and confidentiality of ePHI.
A risk analysis of your Administrative Safeguards takes a long hard look at the process that your business has in place to maintain the integrity of PHI. As part of the process, ask yourself these questions:
- What kind of security procedures does your business have in place?
- Are your employees aware of and trained in HIPAA Security regulations?
The Physical Safeguards portion of the assessment will review the physical property of your organization to determine its vulnerabilities. Ask yourself:
- Are your healthcare records locked up?
- Do you have alarm and access control systems in place?
When reviewing Technical Safeguards, evaluate the technology that your organization is using to keep the electronic access, storage, or transmission of PHI secure. Evaluate:
- What kind of encryption are you using?
- Are systems protected against unauthorized access?
Your risk analysis should not just recognize current risks, but also identify any potential risks that your organization could face that would threaten the integrity and confidentiality of the PHI it has access to. In addition to electronic media stored on your computers and servers, this could also include CDs, jump drives, and your network.
Conducting the HIPAA Risk Assessment
Step 1: Determine what PHI you have access to
Ask yourself these questions: What ePHI does your company have access to? Where is ePHI stored at your organization? What is used to transmit that data? You can learn this information by reviewing your past or current projects, performing interviews of your employees, and reviewing documentation of previous risk assessments.
Once this portion of the assessment is completed, document your data.
Step 2: Assess your current Security Measures
Once you have completed your review of where ePHI is stored at your organization and what is used to access and interact with the data, assess and review your current security efforts. Start by documenting your organization’s current efforts to safeguard PHI.
Once that is complete, assess whether or not the security measures required are already in place and are configured correctly according to the Security Rule. Document your findings.
Step 3: Identify where your organization is vulnerable and the likelihood of a threat
Armed with the information you’ve gathered so far, think about the gaps you may have uncovered in your organization’s safeguards and consider the likelihood of potential threats to ePHI that may impact the security and integrity of ePHI maintained by your organization.
Document - I hope you are detecting a recurring theme.
Step 4: Determine your level of risk
Assign risk levels to all threats and security vulnerabilities that your organization may face and that you have identified during the risk assessment. The level of risk is determined by evaluating the likelihood and impact of each threat identified so far. The assigned level of risk is highest when a threat is likely to occur and will have a significant impact on your organization. If there is a low chance of that threat occurring, and the threat won’t have much of an impact on your organization, it should be assigned a low risk level in your risk assessment.
Once this is complete, document the assigned threat levels and create a list of corrective actions that should be taken to reduce the risk.
Step 5: Finalize your documentation
Have you been documenting everything? Finalize your documentation in a format that clearly outlines what PHI you work with, your vulnerabilities, and how you will seek to mitigate threats to the integrity of PHI.
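As an added illustration of Steps 1 through 5 (not part of the original article and not Accountable’s own tooling), the following Python builds a small risk register: each finding records the ePHI asset (Step 1), the safeguard reviewed (Step 2), the threat or gap (Step 3), and likelihood and impact ratings combined under the Step 4 rule, and the register is emitted as JSON for the Step 5 documentation. The three-level scale and the sample findings are constructed assumptions.

```python
import json
from dataclasses import dataclass, asdict

# Assumed ordinal scale for the qualitative ratings used in Step 4.
SCALE = {"low": 1, "medium": 2, "high": 3}

@dataclass
class Finding:
    asset: str              # where ePHI is stored or transmitted (Step 1)
    safeguard: str          # current control reviewed in Step 2
    threat: str             # gap or threat identified in Step 3
    likelihood: str         # "low" | "medium" | "high"
    impact: str             # "low" | "medium" | "high"
    corrective_action: str  # action that reduces the risk

def risk_level(likelihood: str, impact: str) -> str:
    """Step 4: likely AND significant -> high; unlikely AND minor -> low."""
    score = SCALE[likelihood] * SCALE[impact]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"

def build_register(findings: list) -> list:
    """Rate every finding and order the register so the highest risks,
    and therefore the first corrective actions, come first."""
    rows = []
    for f in findings:
        row = asdict(f)
        row["risk"] = risk_level(f.likelihood, f.impact)
        rows.append(row)
    rows.sort(key=lambda r: SCALE[r["risk"]], reverse=True)
    return rows

def document(findings: list) -> str:
    """Step 5: finalize the register as a JSON document."""
    return json.dumps(build_register(findings), indent=2)

# Constructed sample findings for a small practice (hypothetical, not real data).
SAMPLE_FINDINGS = [
    Finding("Laptops used for home charting", "Full-disk encryption on some laptops",
            "Lost laptop holding unencrypted ePHI", "medium", "high", "Encrypt every laptop"),
    Finding("Cloud EHR (vendor-hosted)", "Vendor BAA signed; MFA enabled",
            "Vendor outage delays access", "low", "medium", "Document downtime procedure"),
    Finding("Paper records in front office", "Cabinets unlocked during business hours",
            "Walk-in visitor views records", "high", "medium", "Lock cabinets; limit access"),
]
```

Calling `document(SAMPLE_FINDINGS)` prints the register with the two high-risk findings listed before the low-risk one.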
Prepare to do it again
The Security Rule does not state how often a risk analysis should be completed, only that it is done periodically. At Accountable, we recommend that you conduct an assessment annually, and following any major changes within your organization. Changes could include a new office location, employee turnover, or new hardware. All three of these can affect how you process and interact with PHI, as well as your level of risk. A lot can change over a year, let alone two or three years.
With that in mind, you should conduct fairly frequent risk assessments in order to identify when updates to your safeguards are needed. If you faced an audit of your compliance: do you think that the fact your last assessment was from over two years ago would help you? The HHS doesn’t think so. Why should you?
While a risk assessment may sound daunting, Accountable can help. By breaking the process down into the steps above, we not only greatly simplify the process, allowing you to clearly see threats and vulnerabilities and then take appropriate action, but also help you protect your organization from liability in the case of a breach.