The U.S. Department of Health and Human Services (HHS) requires healthcare entities to follow the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This act requires healthcare entities to implement policies and procedures to safeguard the privacy and security of patients’ protected health information (PHI).
One core requirement is to perform risk assessments. This article explains the HIPAA risk assessment requirements and offers guidance about the steps involved.
What is a HIPAA risk assessment?
HIPAA has two key components:
- HIPAA Security Rule (45 CFR Part 160 and Subparts A and C of Part 164) — Requires covered entities to protect ePHI using the appropriate administrative, physical and technical safeguards.
- Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164) — Regulates who can access PHI, how it can be used, and when it can be disclosed.
A HIPAA security risk assessment is instrumental to complying with both of these rules. It helps you identify potential risks and vulnerabilities to the confidentiality, availability and integrity of all PHI that your organization generates, receives, retains or transmits, and to implement appropriate controls to mitigate those risks.
Is my organization required to conduct a HIPAA risk assessment?
HIPAA risk assessments are required for any covered entity that generates, receives, stores or transmits PHI, such as medical centers and health plans. Business associates, subcontractors and vendors who interact with any ePHI must also conduct HIPAA risk assessments.
You should conduct HIPAA security assessments at least once per year, as well as whenever new work methods, pieces of technology or significant upgrades to existing IT systems are introduced.
Covered organizations must take the HIPAA risk assessment requirement seriously. The Office for Civil Rights (OCR) can apply fines of $100 to $50,000 per violation or per record, up to a maximum of $1.5 million per year, for each violation.
What are the steps in a HIPAA risk assessment?
HIPAA does not prescribe a specific risk analysis methodology. Instead, organizations routinely refer to standards like NIST 800-30 for guidelines in order to achieve and maintain HIPAA compliance. NIST SP 800-30 defines standard risk assessment methodologies for evaluating the efficacy of security controls in information systems.
In general, conducting a HIPAA risk assessment involves the following nine steps:
Step 1: Determine the scope of your risk analysis.
First, you must determine the scope of your risk analysis. A HIPAA risk analysis must include your organization’s ePHI, regardless of its source, its location, or the electronic media used for creating, receiving, maintaining or transmitting it.
Additionally, the analysis must cover all “reasonable” risks and vulnerabilities to the confidentiality, integrity and availability of that ePHI. “Reasonable” means any threats to HIPAA compliance that are foreseeable, including external bad actors, malicious insiders and human error from lack of knowledge or training.
Step 2: Collect data.
Next, gather complete and accurate information about ePHI use and disclosure. You can do this by:
- Analyzing the inventory of past and current projects
- Performing interviews
- Reviewing documentation
- Using other data-gathering techniques as needed
Step 3: Identify potential threats and vulnerabilities.
Then analyze the threats and vulnerabilities for each piece of regulated data. Include all reasonably anticipated threats.
The identified threats should include factors unique to your security environment. For instance, if you use Amazon Web Services (AWS) as your cloud solution, you should identify security risks associated with AWS.
Step 4: Assess your current security measures.
Document the safeguards and measures you have already implemented to mitigate risks to your ePHI. Be sure to include the following measures:
- Technical measures like access control, authentication, encryption, automatic log-off, auditing, and other hardware and software controls.
- Non-technical measures, which are operational and management controls like policies, procedures, and physical or environmental security measures.
Analyze the configuration and use of each security measure to determine its appropriateness and effectiveness. This will help you reduce risks associated with each security measure.
Step 5: Determine the likelihood of threat occurrence.
Rate the likelihood that a threat will trigger or exploit a specific vulnerability, and assess each potential threat and vulnerability combination. Common strategies for expressing the likelihood of occurrence include using categories such as High, Medium and Low, or assigning a specific numeric weight.
Step 6: Determine the potential impact of each threat occurrence.
Detail the possible outcomes of each data threat, such as:
- Unauthorized access or disclosure
- Permanent loss or corruption
- Temporary loss or unavailability
- Loss of financial cash flow
- Loss of physical assets
Estimate and document the impact of each outcome. Measures can be qualitative or quantitative.
Step 7: Identify the risk level.
Analyze the values assigned to the likelihood and impact of each threat. Then, assign a risk level based on the assigned probability and impact level.
Step 8: Determine appropriate security measures and finalize the documentation.
Identify the potential security measures you could use to reduce each risk to a reasonable level. Consider the measure’s effectiveness, the regulatory requirements around implementation, and any organizational policy and procedural requirements. Remember to document all findings.
Step 9: Periodically review and update the risk assessment.
Finally, develop a policy describing how often to conduct risk assessments. You should perform one at least annually. Additionally, you should update the assessment when anything changes, such as your organization’s security systems, authority and risk levels, or policies. Track each change in the revision history at the end of the assessment.
Tips for making your HIPAA risk assessment successful
HIPAA risk assessments can be challenging to perform, especially if you have a small team and limited resources. Keep these tips in mind when implementing HIPAA risk assessments:
- Choose a point person to be in charge of the assessment.
- Understand that you can either do the assessment in house or outsource it to a HIPAA expert. Outsourcing the assessment may get the analysis and planning tasks completed faster.
- Remember the intent of the HIPAA risk assessment. It is not an audit — instead, it aims to help you identify, prioritize and mitigate risks.
- Ensure your documentation meets HIPAA standards. Record all procedures and policies, ensure they are accurate, and make them centrally available.
- Remember that you are required to repeat the assessment process at least annually.
- Keep HIPAA notification requirements in mind, such as the breach notification rule. This rule requires organizations to notify the HHS Secretary if a breach affects 500 or more individuals.
- Provide all staff members with training on HIPAA compliance practices and notification requirements.
How can Netwrix help?
Netwrix’s HIPAA compliance software helps you achieve and prove HIPAA compliance. In particular, it enables you to conduct the risk assessments required by HIPAA to protect against cybersecurity threats. For example, HIPAA requires organizations to assess the risks to their information systems and act on the findings, and the Netwrix solution empowers you to examine the configuration of your information systems and identify risks in account management, data governance and security permissions.
Even better, the HIPAA functionality of the Netwrix solution goes far beyond risk assessments. Critically, it lets you spot active threats in time to prevent security incidents, breaches and business disruptions. Plus, unlike many other audit tools, the Netwrix solution includes pre-built compliance reports matched to the requirements of HIPAA and other common mandates, saving significant time and effort during compliance preparation.
FAQ
What is the difference between a HIPAA security risk analysis and a HIPAA compliance assessment?
Regular risk assessment is one requirement of the HIPAA mandate. A HIPAA compliance assessment evaluates your adherence to all HIPAA requirements.
When is a HIPAA risk assessment necessary?
HIPAA risk assessments are required for any entity that creates, receives, transmits or stores protected health information (PHI), such as health plans and medical centers.
How often should you review HIPAA risk assessments?
Although HIPAA does not state how often you should conduct HIPAA risk assessments, you should perform HIPAA assessments at least once per year, as well as whenever you introduce new work methods, upgrade existing IT systems, or add new pieces of technology.