Conducting a HIPAA Risk Assessment

Conducting a HIPAA Risk Assessment

A HIPAA risk assessment or risk analysis is one of the primary requirements for HIPAA compliance. Risk assessments activities should be defined in organization’s HIPAA administrative policies and must be conducted at least once a year. However, many entities are unable to conduct such assessments, placing them at risk of disastrous data breaches or hefty fines imposed due to non-compliance.

The HIPAA Security Rule requires that covered entities (CE) conduct a thorough and accurate assessments of potential vulnerabilities or risks that can compromise confidentiality, integrity and availability (CIA) of protected health information (PHI). Failing to carry out or partially conducting HIPAA risk assessments means that an entity may not address existing risks in its risk management practices, so it is important that organizations properly conduct a risk assessment.


Types of Risk Assessments

To comply with HIPAA requirements, organizations may conduct an internal HIPAA risk assessment or turn to a reputable third party for conducting the assessment. Although, organizations may be tempted to conduct an internal assessment to cut costs, it is important to note that internal assessments may not be the most effective assessment of security risks and may be clouded by bias. Companies selling to hospitals and enterprise healthcare should also consider turning to 3rd party assessments, since these healthcare organizations are typically looking for outside validation for vendors.


Steps for Conducting a HIPAA Risk Assessment

Although HIPAA risk assessment guidelines can differ, NIST recommends eight steps organizations should follow when conducting a HIPAA risk assessment.

1. Define the scope of the assessment

The scope of the assessment should cover all potential risks to integrity, availability, and confidentiality of protected health information (PHI) created, received, maintained, or transmitted within an organization. It should include all forms of electronic data despite the media it is stored in.

2. Document collected data

Organizations normally collect e-PHI data from different sources, including through paperwork and logs containing PHI. Security teams must identify and document all data storage locations, how they acquire the data, and strategies for transmitting and maintaining the data. Documentation assists in implementing security measures and in assessing risks to the data.

3. Identify potential risks and document them

HIPAA covered entities should identify potential risks and threats and document them. The identified threats should be unique to the organizations’ security environment. For example, organizations may identify security risks coming from their application architecture or cloud solutions. Dash can help identify and monitor HIPAA security issues in the cloud. More importantly, covered entities should be sure to document vulnerabilities which can result in unauthorized disclosure or access of e-PHI when exploited.

4. Assess the implemented security measures

Assessing risks to security measures and overall PHI data security is a crucial element of HIPAA risk assessments. The assessments should include whether an entity has implemented the security requirements recommended in HIPAA security rule and whether the measures currently put in place are appropriately used and configured correctly. Assessing risks in security measures is important since organizations use them to reduce risks.

5. Assess the likelihood of threats occurring

In a HIPAA risk assessment, determining the probability of risks to PHI data breaches occurring influences the ability of an organization to protect against them. Each assessment should include a list of documented threats and vulnerabilities, and a relative probability for how these risks they may impact the integrity, confidentiality, and availability of an organization’s PHI.

6. Identify potential impacts of documented threats and vulnerabilities

A HIPAA risk assessment must identify the possible effects and impact to data integrity, availability, and confidentiality of PHI data should a breach occur. To determine the impact, an organization can use either quantitative or qualitative techniques. This process should document the potential impacts of particular security vulnerabilities and threats.

7. Determine risk levels

Risk levels for PHI data are usually determined by analyzing the probability values of vulnerabilities being exploited, and potential impacts should the threats occur. Assessing the risk levels provides an organization with a clear picture of the severity of various risks, enabling it to accept those that pose minimal danger and mitigate risks that can negatively impact the security of PHI data.

8. Documentation

The results of the HIPAA risk assessment should be documented to guide the risk management process. Security teams should use this information to improve the organization’s overall security practices.


Connecting a Risk Assessment into Your Security Program

A HIPAA risk assessment is a necessary evaluation for organizations managing PHI, but only provides insight on single point in time. It is important that organizations use risk assessments as part of their overall security program. In order to comply with HIPAA requirements, organizations must define administrative policies. Policies should set standard operating procedures, define security and privacy officer roles, and outline overall security operations. Security teams must also implement all necessary HIPAA technical safeguards including backup and disaster recovery (DR), audit logging, and vulnerability scanning.

Many entities are unable to conduct HIPAA risk assessments due to the complexity of the procedure. In order to comply with HIPAA, organizations should consider turning to a 3rd party for HIPAA risk assessments and other compliance services. Dash provides such a platform for addressing risk assessments, automating HIPAA administrative policies and implementing necessary technical safeguards and compliance monitoring.