HIPAA risk analysis: steps to achieve


As you consider your risk analysis and efforts to keep it HIPAA-compliant, it is helpful to understand that the notion of risk is inherently context-based. Whenever you think about risk, initial questions to ask yourself are:

  • What asset am I attempting to protect?
  • What are potential threats?
  • What must be defended?
  • How substantial is the risk?

To illustrate how much context matters to risk, Sarah Morris of KirkpatrickPrice suggested the analogy of a tire with significant wear and tear. On a car, its condition is awful and it represents a great risk. Take the tire off the car and hang it from a tree as a swing, and you remove the friction of the road and, with it, the risk. With that in mind, Morris recommends not jumping to conclusions about your amount of risk until you fully understand the context. Once the analysis is complete, you will be able to gauge your risk using that specific information.

Moving forward with your risk analysis

To understand your context so that you have a sense of your risk, you must conduct a risk analysis. The steps for performing a HIPAA-compliant risk analysis are as follows: 

Step 1.) Know key terms.

Major terms that are important to understanding HIPAA law are:

  • covered entity – Under HIPAA, a covered entity is a health plan, a healthcare clearinghouse, or a healthcare provider that transmits health information electronically in connection with a covered transaction.
  • business associate – When a covered entity uses a third party to create, receive, maintain, or transmit its protected health information (PHI) on its behalf, that person or organization is called a business associate.
  • business associate agreement – This term refers to the contract signed between a covered entity and any business associate handling its PHI, stipulating each party's responsibilities for protecting it.
  • electronic protected health information (ePHI) – PHI that is created, received, maintained, or transmitted in electronic form, for instance within electronic health records (EHR) and the IT environments that hold them (PHI is often used as a catchall for both paper and electronic data).
  • protected health information (PHI) – Typically shortened to its acronym, this term refers to individually identifiable health information that is safeguarded by HIPAA law.
  • Security Rule – A key stipulation of HIPAA's Title II, the Administrative Simplification Provisions, this rule sets the standards for safeguarding the confidentiality, integrity, and availability of ePHI.

Step 2.) Know basic requirements of HIPAA law.

Within the Security Rule is the Security Management Process standard, which requires covered entities and business associates to implement policies and procedures to prevent, detect, contain, and correct security violations.

The part of HIPAA that discusses the need for risk analysis is 45 C.F.R. § 164.308(a)(1)(ii)(A). To summarize that section:

To achieve HIPAA compliance, an organization must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI it holds: anything that might expose the data, corrupt it, or make it unavailable.

NIST Special Publication (SP) 800-66 suggests a set of questions to drive a risk analysis. Here are some of them (they are neither mandatory nor exhaustive, but they suggest directions that may apply to your situation):

  • Do you know where the electronic protected health information is within your system (accounting for all data you generate, store, send, or receive)?
  • How is your ePHI handled externally, as when service providers produce, store, send, or receive healthcare data?
  • What poses a risk to the ePHI within your data environment, including all environmental, natural, and human threats?

While a risk analysis has direct benefits in terms of understanding your risk, it also has indirect benefits, because it guides you toward better compliance with other standards of the law. For instance, some implementation specifications in the Security Rule are labeled "required" while others are labeled "addressable." HHS has clarified that addressable does not mean optional. Instead, the entity must assess whether each addressable specification is reasonable and appropriate in its context; if it is, implement it, and if it is not, document why and implement an equivalent alternative measure where that is reasonable and appropriate. The risk analysis is what supports that assessment.

Step 3.) Assess the scope of your analysis.

Examine all of the equipment and digital environments within your organization that generate, send, store, or receive ePHI, with respect to the administrative, physical, and technical safeguards described in the law. Servers and computers are a clear place to start, but, as the American Medical Association (AMA) notes, think broadly about your technology. For instance, photocopiers typically contain hard drives that store images of everything you scan. All mobile devices that handle ePHI belong within your scope as well. At this point, also create an asset list and draw a diagram or write an outline of the ePHI workflow: where the data is created, where it is stored, and where it moves.

Step 4.) Determine possible weaknesses and threats. 

When you look at the ways in which you might be vulnerable, the scoping work you just completed tells you where to look for weaknesses and threats. Ask the same questions of each segment of your system that handles sensitive health data (each asset, each location, each step of the workflow), so that no part of the environment is considered only in passing.

What you want to achieve at this point is a full picture of everything that might put your firm at risk. It is also when you can create an inventory of all the security methods that are currently implemented. Typically you will need to talk within your organization – with the office manager, for instance – as well as having discussions with knowledgeable outside parties related to the ePHI threat landscape and standard protections. 

Step 5.) Evaluate your risk. 

As stated above, risk is all about context. For each threat you identified, the nature of the systems you are protecting lets you estimate two things: how likely it is that the threat will actually exploit a weakness and lead to a data breach, and how severe the outcome would be for the confidentiality, integrity, or availability of the ePHI involved.

A common HIPAA violation is the loss of an unencrypted laptop, but the risk that laptop loss represents differs between organizations. For instance, a practice that visits patients in their homes could consider loss of laptops a high risk, since loss is quite likely to occur and the devices may hold ePHI from patient visits. Full-disk encryption mitigates that risk: the likelihood of losing a device does not change, but the impact does, because ePHI encrypted in line with HHS guidance is not considered unsecured PHI, so its loss does not expose patient data or trigger breach notification. Note that the encryption only counts if it is actually deployed and the keys are not stored with the device; a planned control mitigates nothing.

Also rank your risks during this process, typically by combining the likelihood and impact estimates into a single score and ordering the list from highest to lowest, crediting only the safeguards that are currently in place. The ranked list gives you your overall level of risk and tells you which items to address first.

Step 6.) Finalize your documentation.

Create a document that outlines the findings of your risk analysis (some of which is already composed). Make sure that this write-up includes the list of all your assets, weaknesses, threats, likelihood of occurrence, impact, controls that are currently implemented, your risk rankings, any residual risk that remains after those controls, and any recommendations for new controls to deploy.
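As an added example (not code from the original article or from Total Server Solutions), the following Python risk register walks the laptop scenario above through Steps 3 to 6: assets from the scope inventory, a threat and vulnerability per asset, likelihood and impact scores, controls that cap one of those factors only when they are actually implemented, a residual score, ranking, and the rows the Step 6 write-up needs. It also shows the context point from the tire analogy: the same laptop scores differently for a home-visit practice than for an office-bound one. Every asset, threat, score, threshold and control name is constructed sample data, and the 1 to 5 scales and level cut-offs are assumptions a practice would set for itself, not values prescribed by the Security Rule.

```python
"""Added example: a small HIPAA risk register (constructed sample data)."""
from dataclasses import dataclass, field

# Assumed semi-quantitative scale for likelihood and impact:
# 1 = rare / negligible ... 5 = almost certain / severe effect on the
# confidentiality, integrity or availability of the ePHI involved.
SCALE = range(1, 6)
# Assumed floors mapping likelihood x impact (1..25) to a level.
LEVELS = ((15, "High"), (8, "Medium"), (1, "Low"))


@dataclass
class Control:
    """A safeguard for one risk; it caps either likelihood or impact."""
    name: str
    reduces: str           # "likelihood" or "impact"
    cap: int               # factor can be no higher than this once in place
    implemented: bool = True


@dataclass
class Risk:
    asset: str             # item from the Step 3 asset list
    location: str          # where in the ePHI workflow the asset sits
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    controls: list = field(default_factory=list)


def _checked(value: int, name: str) -> int:
    if value not in SCALE:
        raise ValueError(f"{name} must be 1..5, got {value}")
    return value


def inherent_score(r: Risk) -> int:
    """Risk before any safeguard is credited."""
    return _checked(r.likelihood, "likelihood") * _checked(r.impact, "impact")


def residual_score(r: Risk) -> int:
    """Risk after crediting only controls that are actually implemented.
    Planned controls are ignored so the register never reports a reduction
    that does not exist yet."""
    lik, imp = _checked(r.likelihood, "likelihood"), _checked(r.impact, "impact")
    for c in r.controls:
        if not c.implemented:
            continue
        if c.reduces == "likelihood":
            lik = min(lik, _checked(c.cap, "cap"))
        elif c.reduces == "impact":
            imp = min(imp, _checked(c.cap, "cap"))
        else:
            raise ValueError(f"control {c.name!r}: reduces must be likelihood or impact")
    return lik * imp


def level(score: int) -> str:
    for floor, name in LEVELS:
        if score >= floor:
            return name
    raise ValueError(f"score out of range: {score}")


def risk_register(risks: list) -> list:
    """Rank by residual score (ties by inherent score) and emit Step 6 rows."""
    rows = []
    for r in risks:
        inh, res = inherent_score(r), residual_score(r)
        rows.append({
            "asset": r.asset, "location": r.location, "threat": r.threat,
            "vulnerability": r.vulnerability, "likelihood": r.likelihood,
            "impact": r.impact, "inherent": inh, "residual": res, "level": level(res),
            "controls_in_place": [c.name for c in r.controls if c.implemented],
            "recommended": [c.name for c in r.controls if not c.implemented],
        })
    rows.sort(key=lambda row: (-row["residual"], -row["inherent"], row["asset"]))
    for rank, row in enumerate(rows, start=1):
        row["rank"] = rank
    return rows


def sample_register(home_visits: bool, laptops_encrypted: bool) -> list:
    """The article's laptop example in two contexts (constructed data)."""
    laptop = Risk(
        "clinician laptop", "mobile (patient homes)" if home_visits else "office only",
        "loss or theft of device", "ePHI cached on local disk",
        likelihood=4 if home_visits else 2, impact=5,
        # Encrypted ePHI on a lost device is not exposed, so impact drops to 1.
        controls=[Control("full-disk encryption", "impact", cap=1,
                          implemented=laptops_encrypted)])
    copier = Risk(
        "multifunction copier", "front office", "disposal of unit with intact drive",
        "scans of patient records retained on internal hard drive",
        likelihood=3, impact=4,
        controls=[Control("drive sanitization before disposal", "likelihood", cap=1)])
    ehr = Risk(
        "EHR database server", "server room", "ransomware",
        "single online copy of records", likelihood=3, impact=5,
        controls=[Control("offline, tested backups", "impact", cap=3)])
    return risk_register([laptop, copier, ehr])


if __name__ == "__main__":
    for row in sample_register(home_visits=True, laptops_encrypted=False):
        print(f'{row["rank"]}. {row["asset"]:<22} residual {row["residual"]:>2} '
              f'({row["level"]})  recommend: {", ".join(row["recommended"]) or "-"}')
```

Run as a script, the home-visit register puts the unencrypted laptop at the top with a residual score of 20 (High) and lists full-disk encryption as the recommended control; flip `laptops_encrypted` to `True` and the same laptop drops to 4 (Low) while its inherent score stays at 20, which is exactly the separation between inherent risk, controls in place and residual risk that the Step 6 document is supposed to record. For the office-only practice the laptop scores 10 (Medium) before any control, the "tire swing" version of the same asset.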

Step 7.) Review and update your risk analysis process moving forward.

Risk analysis should be an ongoing project, of course. It should occur once a year, according to the AMA. Deciding how often to perform these assessments is context-based as well, though. As noted in Healthcare Informatics, “Some covered entities may perform these processes annually or as needed (e.g., bi-annual or every three years) depending on circumstances of their environment.”

HIPAA-compliant hosting for your patient data

HIPAA is flexible and allows you to assess your security stance based on the context. To better understand your context, you perform a risk analysis. The above steps will help you in conducting your risk analysis. Probably you will find ways in which your systems could be improved, as with expertly engineered HIPAA-compliant hosting. At Total Server Solutions, our service is what sets us apart, and it’s our people that make our service great. See our approach.