While the Office for Civil Rights (OCR) announced that phase two of its HIPAA audit program is underway, covered entities of all sizes and their business associates should already understand the basics of a HIPAA risk assessment.
Being able to properly monitor risk, including conducting a thorough risk analysis, is a critical part of any organization’s approach to data security. Not only is the risk analysis part of the administrative safeguard requirement, it is also how a covered entity identifies its potential risks and pinpoints where PHI could be exposed.
HHS defines a HIPAA risk assessment
Administrative safeguards are policies and procedures designed “to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information,” according to the Department of Health and Human Services (HHS).
These policies and procedures also cover security training requirements and how particular security responsibilities are delegated within a facility, which is why the risk assessment falls under the same category.
Healthcare organizations must not only implement these safeguards but also monitor their “performance of security management process, assignment or delegation of security responsibility, training requirements, and evaluation and documentation of all decisions.”
According to HHS, risk analysis should be an ongoing process at an organization. A covered entity should regularly review its records, track access to ePHI, and detect security incidents.
It is also important that a covered entity periodically evaluates “the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI.”
The risk analysis should also include the following, HHS states on its website:
- Evaluate the likelihood and impact of potential risks to e-PHI
- Implement appropriate security measures to address the risks identified in the risk analysis
- Document the chosen security measures and, where required, the rationale for adopting those measures
- Maintain continuous, reasonable, and appropriate security protections.
In 2014, HHS also released a security risk assessment tool to assist covered entities in maintaining their HIPAA compliance.
“By conducting these risk assessments, health care providers can uncover potential weaknesses in their security policies, processes and systems,” HHS explained in a press release. “Risk assessments also help providers address vulnerabilities, potentially preventing health data breaches or other adverse security events. A vigorous risk assessment process supports improved security of patient health data.”
The tool was a collaboration between OCR and the HHS Office of the National Coordinator for Health Information Technology (ONC). As ONC explains on its website, use of the tool is not required under the HIPAA Security Rule; it is simply meant to assist covered entities as they work through the risk assessment process, not to replace the entity’s own analysis.
The importance of monitoring potential risk
Covered entities must understand that a thorough risk assessment is not something to be taken lightly or done in a haphazard way.
As Davis Wright Tremaine LLP Associate Anna Watterson previously explained, the risk analysis is the foundation of an organization’s security program under the Security Rule.
“It’s looking at your information system, going through the risk and vulnerabilities of your assets, seeing what threats and vulnerabilities are likely to impact you,” Watterson said. “That really becomes the foundation for what implementation specifications are the addressable ones that you need to implement in your organization.”
The risk analysis can also be the basis for determining whether a particular addressable implementation specification is reasonable and appropriate to implement in a particular circumstance, she added.
“Given how quickly threats are evolving – by nation states in particular – covered entities should be proactive,” Spencer said. “The rules require they take ‘reasonable steps’ to safeguard health information, and there is not a requirement that they perform a risk assessment in a particular time period, but some would argue that it is best practice to perform regular assessments.”
Organizations must also know every place where ePHI is used and stored. The main computer network is an obvious place to look for sensitive information, but all endpoint devices - smartphones, tablets, laptops - must be checked as well, along with backups, removable media, and any cloud or business associate systems that handle the data. ePHI may also be sent through work email, so covered entities must be thorough as they enumerate potential access points.
There can be numerous layers to that onion, said Jeff Krull, CPA, CISA, a partner at Baker Tilly Virchow Krause, LLP, in an earlier interview.
“Our experience is rarely does that get you to a level of having that thorough comprehensive risk assessment,” Krull said. “It’s really the conversations in having those facilitated discussions that get you there.”
A risk assessment should find all of the factors in place and help management understand where the threats and vulnerabilities exist, according to Krull. Should any gaps be found, the covered entity then must determine how to handle them.
“That’s why you do it,” Krull maintained. “You do it to uncover the findings and the risks and go deal with them.”