Guide to Conduct a Successful HIPAA Risk Assessment
- June 19, 2023
- Posted by: Chaitali Avadhani
- Category: Healthcare Compliance
Key Takeaways
- The objective of the HIPAA security risk analysis is to protect the confidentiality, integrity, and availability of all ePHI that a Covered Entity (CE) or Business Associate (BA) creates, receives, maintains, or transmits.
- The Privacy Rule requires a Covered Entity to designate a privacy official (45 CFR 164.530(a)); this person typically leads the privacy risk assessment by mapping the organization's workflows and determining how the Privacy Rule affects its operations.
- Under the Breach Notification Rule, an impermissible use or disclosure of PHI is presumed to be a breach unless the CE or BA demonstrates, through a documented four-factor risk assessment, that there is a low probability the PHI has been compromised. The assessment is "optional" only in the sense that an entity may skip it and treat the incident as a notifiable breach.
A HIPAA risk assessment is essential to preventing data breaches of patient information. According to the HIPAA Journal, the healthcare industry has experienced more breaches than any other industry. Stolen health records are used by criminals for financial fraud, medical identity theft, and extortion, and they cannot be "reset" the way a password can. The Privacy Rule and the Security Rule, two of the predominant rules under the Health Insurance Portability and Accountability Act, exist to protect this data.
The Security Rule requires Covered Entities (CE) and Business Associates (BA) to conduct a risk analysis, and the HHS Office for Civil Rights (OCR) treats it as the foundational step of Security Rule compliance: every safeguard decision that follows (which controls to implement, which addressable specifications to adopt, what to prioritize) is supposed to be justified by the findings of the risk analysis.
HIPAA Privacy Risk Assessment
Before jumping into the HIPAA privacy risk assessment, let's understand the Privacy Rule. The HIPAA Privacy Rule is a set of standards that governs the use and disclosure of Protected Health Information (PHI) by Covered Entities. Unlike the Security Rule, which applies only to electronic PHI (ePHI), the Privacy Rule covers PHI in every form: electronic, paper, and oral. It also establishes individual privacy rights: the right to access and obtain a copy of one's medical records (45 CFR 164.524), to direct a CE to transmit an electronic copy to a designated third party, to request an amendment of inaccurate records (45 CFR 164.526), and to receive an accounting of certain disclosures.
The HIPAA risk analysis itself is a Security Rule requirement, but it is necessary to assess privacy risk as well. The Privacy Rule requires a Covered Entity to designate a privacy official (45 CFR 164.530(a)), and Business Associates commonly appoint one too. The privacy official's first task is to identify the organization's workflows and understand how the Privacy Rule affects each of them.
The privacy official maps the flow of PHI, both internally and to external parties, to detect gaps and note which areas are vulnerable to impermissible uses or disclosures. Once this is done, a HIPAA privacy compliance program is implemented. This includes policies for identifying risks to PHI, and the mapping is revisited whenever new work practices or technologies are introduced into the organization.
Under 45 CFR 164.530(b), workforce members must be trained on the policies and procedures developed as a result of the privacy risk assessment. A well-trained staff makes fewer HIPAA errors and is better able to support risk mitigation.
HIPAA Security Risk Assessment
The HIPAA Security Rule is a set of standards established to protect ePHI that is created, received, maintained, or transmitted by Covered Entities and Business Associates. The Security Rule mandates that CE and BA implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic health data.
- Administrative Safeguards (45 CFR 164.308): Administrative actions, policies, and procedures that manage the selection, development, implementation, and maintenance of security measures. They include the risk analysis and risk management process itself, a sanction policy, workforce training, and contingency planning.
- Technical Safeguards (45 CFR 164.312): The technology and the policies for its use that protect ePHI and control access to it. The standards are access control, audit controls, integrity, person or entity authentication, and transmission security. Encryption of ePHI at rest and in transit is an addressable implementation specification under these standards.
- Physical Safeguards (45 CFR 164.310): Physical measures that protect electronic information systems and the facilities that house them. The standards are facility access controls, workstation use, workstation security, and device and media controls (including secure disposal and re-use of media that held ePHI).
The general requirements of the Security Rule (45 CFR 164.306(a)), which the security risk analysis is meant to serve, are:
- To ensure the confidentiality, integrity, and availability of all ePHI that the CE or BA creates, receives, maintains, or transmits.
- To protect against any reasonably anticipated threats or hazards to the security or integrity of that ePHI.
- To protect against any reasonably anticipated uses or disclosures of ePHI that are not permitted by the Privacy Rule.
- To ensure compliance by the workforce.
Each standard's implementation specifications are marked either "required" or "addressable." Required specifications must be implemented as stated. An addressable specification is not optional: the entity must assess whether it is reasonable and appropriate in its environment and then either implement it, implement an equivalent alternative measure, or document why neither is reasonable and appropriate. That decision should be driven by the findings of the risk analysis.
HIPAA Breach Risk Assessment
The HIPAA Breach Notification Rule (45 CFR 164.400-414) requires Covered Entities to notify affected individuals of a breach of unsecured protected health information without unreasonable delay and no later than 60 calendar days after discovery, and to notify the HHS Office for Civil Rights (OCR): at the same time for breaches affecting 500 or more individuals, and via an annual log (submitted within 60 days after the end of the calendar year) for smaller breaches. Breaches affecting more than 500 residents of a state or jurisdiction must also be reported to prominent media outlets. A Business Associate that discovers a breach must notify the Covered Entity. A separate Health Breach Notification Rule, enforced by the FTC (Federal Trade Commission), applies to vendors of personal health records and their third-party service providers that are not covered by HIPAA.
The rule states that an impermissible use or disclosure of PHI is presumed to be a breach unless the CE or BA demonstrates a low probability that the PHI has been compromised. That demonstration is made through a risk assessment of at least the following four factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
- The unauthorized person who used the PHI or to whom the disclosure was made.
- Whether the PHI was actually acquired or viewed (the HHS guidance on ransomware discusses how these terms apply when data is encrypted by an attacker).
- The extent to which the risk to the PHI has been mitigated.
The breach risk assessment is called optional because Covered Entities and Business Associates may skip it and treat the incident as a breach, notifying affected individuals and OCR directly. If the assessment is performed, it must be documented, because the burden of proof is on the entity to show that notification was not required. OCR investigates reported breaches affecting 500 or more individuals and may open a compliance review, which can disrupt operations. Even where notification is ultimately made, conducting and documenting the assessment is good practice and supports patient trust in the organization.
Security Risk Assessment (SRA) Tool
The healthcare industry faces innumerable threats in the form of data breaches, so a HIPAA risk assessment is a necessity. However, healthcare organizations sometimes fail to complete the risk analysis because of its complexity and a lack of time. To overcome these obstacles, the ONC (Office of the National Coordinator for Health Information Technology), in collaboration with HHS OCR, created a free, downloadable Security Risk Assessment (SRA) Tool to guide organizations through the process.
The tool walks Covered Entities and Business Associates through the assessment. It comprises multiple-choice questions mapped to the Security Rule, threat and vulnerability ratings, and an asset inventory. At the end, the SRA Tool produces a detailed report, references, and guidance on identified vulnerabilities and assets.
The target audience for the SRA Tool is small and medium-sized providers, so it may not be sufficient for large organizations with complex environments. The desktop application runs on Windows only; version 3.3 of the tool also ships an Excel workbook with built-in formulas and conditional formatting. The workbook was developed to replace the earlier "paper version" and is a practical option for those without access to MS Windows.
HIPAA Risk Assessment Requirements
Before conducting the HIPAA risk assessment, certain requirements must be understood:
- Data: To complete the HIPAA risk analysis, collect information about where ePHI is stored, how it is transmitted, and how it is maintained, including systems operated by vendors and cloud providers. Once this inventory exists, identifying threats during the risk assessment becomes far easier.
- SRA Tool: As explained above, the tool simplifies the risk assessment process. Its use is not mandated, however; any method that yields an accurate and thorough analysis is acceptable to OCR.
- Security Risk Analysis Requirement: 45 CFR 164.308(a)(1)(ii)(A) requires CE and BA to "conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information" held by the entity. The companion risk management specification, 164.308(a)(1)(ii)(B), requires security measures sufficient to reduce the identified risks to a reasonable and appropriate level.
- Breach Notification Rule Requirements: 45 CFR 164.402 defines a breach and presumes that any impermissible use or disclosure of PHI is one. Notification of a breach of unsecured PHI is required, not optional. What is optional is the four-factor breach risk assessment, which an entity may use to demonstrate a low probability of compromise; if it succeeds, no notification is required, and the assessment must be documented and retained.
HIPAA Risk Assessment Template
A HIPAA risk assessment template provides an overview of the steps needed to conduct a successful HIPAA risk assessment.
- Define the scope of the assessment by considering all ePHI, in every medium and location: servers, workstations, mobile devices, removable media, cloud services, and vendor systems. Inventory all of the ePHI that needs to be assessed before beginning the risk analysis.
- For data collection, perform interviews, review past assessments, policies, and IT processes, and visit sites.
- Once relevant data is gathered, determine every plausible threat and vulnerability to that data. Threats include ransomware and phishing, insider misuse, lost or stolen devices, misconfigured cloud storage, and natural disasters; vulnerabilities include unpatched systems, unencrypted devices, shared credentials, and missing audit logging.
- Next, review current security measures, both technical and non-technical. These can encompass encryption, audit controls, access restrictions, policies, and physical security staff.
- Assess the impact of each threat and vulnerability if realized: loss of confidentiality, integrity, or availability of ePHI, and the resulting harm to patients (identity theft, disrupted care) and to the organization (financial loss, reputational damage, penalties). Will the impact be long-term or short-term? How can the BA or CE handle it? These questions need to be answered during the risk assessment.
- Assign a risk level to every threat identified, based on its likelihood and its impact. This determines which risks receive top priority for remediation.
- Prepare the HIPAA risk assessment document and conduct periodic reviews. Update the document after every assessment and whenever the environment changes materially.
Steps to Conduct HIPAA Risk Assessment
The following steps are necessary to conduct a successful HIPAA risk assessment.
- Determine the Scope of the Risk Analysis: This includes all ePHI that an organization creates, receives, maintains, or transmits, including data in on-premises systems, in cloud storage, and at Business Associates. An organization must account for all ePHI regardless of its medium or location.
- Data Collection: Identify where ePHI is received, stored, transmitted, and maintained. Methods include reviewing past and current projects, examining documentation, conducting interviews, and using technical discovery tools such as network scans and data-flow mapping.
- Identify Potential Threats and Vulnerabilities: Look for threats and vulnerabilities that could lead to a breach or an unauthorized use or disclosure of medical data. Plausible threats include ransomware, phishing, insider misuse, lost or stolen devices, and environmental hazards; financial loss and identity theft are the consequences those threats produce, not threats themselves.
- Determine the Impact of These Threats and Vulnerabilities: Assess the effect on the confidentiality, integrity, and availability of ePHI. Personal health information in the hands of criminals can be used to harm individuals, and unavailable or corrupted records can disrupt patient care. Take into account every impact associated with a potential breach.
- Analyze Current Security Measures: Before implementing new controls, document the existing ones to identify the strengths and shortcomings of the present system. Existing measures reduce the likelihood or impact of a threat and should be credited in the risk calculation.
- Determine the Risk Level: Assign a value to each threat and vulnerability pair based on the likelihood that the threat will exploit the vulnerability and the impact if it does. Risk levels are typically expressed as low, medium, or high.
- Documentation: Record all findings: threats, vulnerabilities, existing security measures, impact on the organization, and the resulting risk levels. Risk analysis is an ongoing process, so review this document periodically and update it as the environment, the threat landscape, or the regulations change.
HIPAA Compliance Checklist
A HIPAA compliance checklist can be referred to while developing healthcare software or applications, and by healthcare facilities to maintain compliance. The checklist includes:
- Have a thorough understanding of the three core HIPAA rules: the Security Rule, the Privacy Rule, and the Breach Notification Rule (explained in the first half of this article).
- Engage security vendors that specialize in healthcare compliance, as they have the knowledge and resources to implement HIPAA safeguards.
- Conduct a HIPAA risk assessment, as explained in depth in this article.
- Avoid violating any compliance regulation. Violations result in civil monetary penalties and, for knowing violations, criminal charges, and they harm the reputation of healthcare organizations and their vendors.
- Have a robust data backup and recovery process in place so that ePHI remains available through natural disasters, technical failures, ransomware, or accidents. Contingency planning is a required administrative safeguard.
- Report data breaches promptly. Breach notifications to OCR are submitted through the HHS breach reporting portal, and the organization's designated Security Officer leads the internal investigation.
- Maintain documentation of HIPAA compliance, including the risk analysis, password and access policies, Business Associate Agreements, privacy policies, and training records. The Security Rule requires this documentation to be retained for six years.
- Monitor and update compliance policies regularly, as HHS revises the rules and its guidance in response to technological change in healthcare.
- Provide HIPAA compliance training to staff members and make them aware of the consequences of non-compliance. Both Business Associates and Covered Entities are obliged to train their workforce.
Get fully HIPAA-compliant healthcare software for your organization from one of the top medical software development companies, with over 12 years of experience: Arkenea. Our team of expert developers delivers state-of-the-art healthcare software that meets your industry standards. Connect with Arkenea to learn more.