The Health Insurance Portability and Accountability Act (HIPAA) mandates industry-wide standards for the protection and confidential handling of protected health information (PHI). This legislation outlines how companies store, manage, retain, and/or transmit this data.
One important exercise organizations subject to HIPAA are expected to complete is a risk analysis. It can be a challenging effort to maneuver through all the HIPAA regulations, particularly if your organization has never faced this challenge.
This article provides an introduction to HIPAA risk analysis and four things to remember when preparing for your first HIPAA risk assessment.
What is a HIPAA Risk Assessment?
According to the US Department of Health and Human Services (HHS), “conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule.”
Therefore, the law requires an annual risk assessment be completed by all organizations covered by HIPAA to reveal areas where PHI could be at risk and to identify steps to address any problems that may cause sensitive data to be exposed.
Why Do I Need a HIPAA Risk Assessment?
Risk assessments are a critical part of keeping HIPAA Privacy and Security laws in place. HIPAA provides a set of minimum protection and privacy criteria for PHI. The Office for Civil Rights (OCR), which regulates compliance with HIPAA, has started imposing fines for alleged PHI infringements where an OCR audit detects security vulnerabilities that could result in a violation but have not yet been found or exploited by an intruder.
Such fines were imposed if an organization failed to carry out a risk assessment or certain vulnerabilities identified in the risk assessment were ignored.
This is why it’s important to conduct a thorough risk assessment performed by an informed and reputable professional.
Even if an organization is not a Covered Entity, as defined by HIPAA, it may be subject to HIPAA regulations. Any organization that stores, processes, or transmits PHI is subject to HIPAA regulations, including business associates, consultants, and vendors.
If you are unsure if the data processed by your organization qualifies as PHI and is therefore protected by HIPAA, reach out for a consultation.
How do I do a HIPAA Risk Assessment?
When conducting a HIPAA Risk Assessment, you must consider the requirements within the Privacy, Security, and Breach Notification Rules. Here is an explanation for each with advice on how to conduct a HIPAA risk assessment pursuant to each:
Privacy Rule Intent and Considerations
The HIPAA Privacy Rule identifies the ways that PHI moves through and is stored within an organization and identifies potential ways by which this information could be revealed to unauthorized parties.
HIPAA specifies seven criteria for a risk assessment that complies with the requirements of the Privacy Rule1. In order to comply with the Privacy Rule a risk assessment should investigate how the following are managed within an organization:
- Notice of privacy practice for PHI
- Rights to request privacy protection for PHI
- Access of individuals to PHI
- Administrative requirements
- Uses and disclosures of PHI
- Amendment of PHI
- Accounting of disclosures
When carrying out a risk assessment under HIPAA, it is critical for the Privacy Officer to understand all PHI uses within the company and how both deliberate and accidental data flows may impact the privacy of patient information.
Security Rule Intent and Considerations
The HIPAA Security Rule establishes a national set of security standards for protecting health information that is possessed or transmitted in electronic form (referred to as ePHI). The Security Rule does not dictate how organizations implement their security controls, but requires them to consider the following as it pertains to their business:
- Size, complexity, and capabilities
- Technical, hardware, and software infrastructure
- Costs of security measures
- Likelihood and potential impact of risks to ePHI
Since the organizations impacted vary from the smallest company to the largest multi-state health program, the Security Policy provides for the most fair and effective implementation of security measures, based on the size and resources of the entity. This being said, doing nothing is not a choice, no matter how small the organization.
Breach Notification Rule Intent and Considerations
The HIPAA Breach Notification Rule requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. The HHS defines a breach as the impermissible use or disclosure under the Privacy Rule that compromises the security and privacy of said PHI.
Following a breach, covered entities must provide notification to affected individuals, the Secretary, and, in certain cases, the media. In addition, business associates must notify covered entities if a breach occurs at or by the business associate.
Notification requirements are governed by the number of records – breaches of 500 or more individuals require immediate notification to the Secretary and a media outlet. Any breach requires notification of the affected individuals. To see a list of breaches since the inception of the Rule, check out the HHS Wall of Shame.
Performing a HIPAA Risk Assessment
To encourage organizations to comply with HIPAA, HHS is offering tools to assess if the company complies with HIPAA regulations. The Security Risk Assessment tool includes questions intended to help an organization find gaps in its security policy. HHS also publishes an audit protocol that describes the requirements that must be met to comply with the Privacy and Security Rule.
Point 1: Understand your HIPAA Security and Privacy Program.
Prepare for the assessor’s visit by gathering information, have the right people at your disposal for the event, and explain what is happening to your staff (i.e. why this stranger is on site).
Having the “right” people available depends on the company. Your assessor can tell you the types of positions/people who may be appropriate, but your understanding of your environment in designating appropriate subject matter experts is key.
Point 2: Realize it’s an assessment, not an audit.
Knowing the intent of an assessment is crucial when going forward: it is to help you understand where you actually stand and where your vulnerabilities lie, so you can address them.
This is your chance to discover weaknesses and get an expert to explain. Your HIPAA mandatory risk assessment is only as good as the information you provide. Your evaluation will be more effective, reliable and ultimately beneficial the more honest and willing you are to work with your assessor.
As a partner, a good consultant works with you. Be frank, and share with others. Know an assessment is an exercise in learning. Take this opportunity to consider the security posture, where the weaknesses are, and to have a strategy in place to address those areas of concern.
Point 3: Know where you stand when it comes to documentation.
HIPAA is document-based legislation. Therefore, it is not enough to have a clear process or security mechanism in place: All procedures should be recorded in a policy and procedure. Furthermore, all documents should be simple and conveniently available / centrally placed.
Conversely, if it’s documented, it needs to be true. Documenting HIPAA policies and procedures that you are not actually following will be discovered.
Point 4: Be patient.
Organizations must be vigilant in their enforcement efforts. We seldom see businesses reach 100% enforcement immediately. Although you can get a benchmark from a HIPAA security risk assessment, very few organizations reach an appropriate standard of compliance on their first attempt. You may want to find a compliance plan for healthcare to include a long-term roadmap to achieve and sustain compliance with HIPAA.
The key challenge in carrying out an in-house HIPAA risk assessment is the number and scope of the criteria that must be met for compliance with HIPAA. Although these methods can help recognize vulnerabilities, they don’t help with implementing and tailoring a remediation approach to meet the unique needs of an organization.
Avertium has a team of HIPAA compliance experts specialized in carrying out HIPAA risk assessments, then designing and implementing mitigation strategies to address found vulnerabilities. We offer a HIPAA Certification Program (HCP) that creates a partnership between Avertium and your organization to help you achieve and maintain a highly secure and HIPAA compliant state well beyond the initial HIPAA security risk assessment.
With Avertium, you get more rigor, more relevance, and more responsiveness. Don’t just comply, download our guide to HIPAA compliance today and show no weakness.