Healthcare is among the most highly regulated industries in the United States. Hospital systems, medical practices, and related healthcare organizations accumulate huge troves of sensitive information about their patients—medications, procedures, testing results, and more—which all qualify as protected health information (PHI) that must be secured from unauthorized use.
The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, first defined how PHI must be handled. The law was further updated in 2003 with the HIPAA Privacy Rules, followed by the HIPAA Security Rules in 2005.
Those two sets of rules address different aspects of keeping patient information secure. The HIPAA Privacy Rules focus on protecting data and establishing rules for what and how patient information may be shared; the HIPAA Security Rules focus on the technical aspects of how to keep patient data secure and confidential (for example, by imposing stringent cybersecurity requirements and other data protection measures).
Alas, things still go wrong, and HIPAA data breaches still happen. As hackers become more proficient and clever with their attack strategies, the potential harm of a breach keeps increasing.
In this post, we’ll review how to perform a HIPAA risk assessment and provide some guidelines for how to get started.
What are the 4 elements of a risk assessment?
Regardless of your industry, the four basic elements of risk assessment are the same. Let’s break them down in terms of how they relate to HIPAA and the healthcare industry:
- Identify the assets at risk. This would be any type of protected health information, such as patient data, personal information, date of birth, addresses, and insurance information.
- Perform the risk analysis. it’s important to identify the specific types of potential risks you face. Healthcare providers are prime targets because the electronically protected health information they possess is so richly detailed; that makes the information quite useful for people seeking unauthorized access. The goal here is to identify different risk levels. For example, data on protected servers inside your office are probably at lowest risk, while third-party vendors or other business associates with access to your systems are probably the highest.
- Determine the probability of the specific risk and its likely impact. What’s more likely: a cyber attack, or your building will get hit by a tsunami? Actuarial models can help you figure out the probability of specific risks, and a review of your technical safeguards, cybersecurity system, and data handling procedures should give you a good sense of which risks are most likely and most harmful. The impact of a potential risk should be measured not only in the financial damage it could inflict, but also the cost of remediation (see below) and the significant cost to your company’s image if you suffer a major data breach.
- Determine the cost of an appropriate solution. Your risk management plan should help you identify the appropriate level of security you should implement. For example, what is the worst-case scenario, and what is the associated cost of remediation? Clearly the company shouldn’t invest in expensive solutions for risks that pose little harm or are extremely rare; risk assessment should help you determine which solutions are worth the investment, given the probability and potential harm.
How do you develop a HIPAA risk assessment in healthcare and what should its scope be?
It may help to think of a HIPAA risk analysis as a HIPAA compliance audit. In that case, the first step is to take an in-depth look at your current system. Who handles protected health information (PHI)? Which systems does HIPAA data flow through, and are those systems secure enough? If you have added remote workers due to the pandemic, do a separate security risk assessment of the remote access process, VPN connections, and any hardware located off premises.
The scope of your HIPAA risk assessment is determined by the various phases of the “data lifecycle” as HIPAA data travels through your IT systems:
- How does your business receive PHI? It may come in many forms, such as faxes, text messages, emails, phone calls, and physical letters or files arriving via a delivery service or mail; it might also come directly from another provider’s database. (Make sure you have strong business associate agreements in place to govern such relationships.)
- How does PHI travel through your internal system? Once a piece of data is in your possession, determine exactly where it goes. This includes having a strictly monitored mail routine, protected servers and workstations, and clear policies around using electronic calendars or mobile devices. Make sure your information technology software is up to date.
- If you work with other business associates or third party contractors, how do you transfer PHI to them and how they receive it? For instance, do you have sufficient encryption to meet HIPAA standards, and have you appropriately enacted other security measures?
Once you’ve examined these areas and determined the lifecycle of data in your system, you may discover weak areas where a tougher audit—such as a HIPAA security risk analysis—is required, to expose all the potential threats to your data. And you will have a good sense of where and how PHI may leak from your system.
What should a HIPAA risk assessment template include, and what type of questions are required in a HIPAA risk assessment?
Guidance about how to construct a HIPAA risk assessment template is voluminous, and often confusing. One good place to start is with the HIPAA Security Risk Assessment (SRA) tool developed by the Office of the National Coordinator of Health and Information Technology (ONC) and the Office for Civil Rights. That tool is designed to help especially smaller and mid-size healthcare providers develop proper HIPAA compliant standards for securing electronic protected health information (ePHI).
According to the HIPAA SRA, your template should include questions such as, “Have you identified the e-PHI within your organization? What are external sources of e-PHI?” and “What are the human, natural, and environmental threats to the information system that contain the e-PHI?”
It may be helpful to develop or download a specific template, but remember that the final documentation for your compliance with the HIPAA security rule doesn’t have to be submitted in a specific format.
How often is a HIPAA risk assessment required?
To comply with both the HIPAA Privacy Rules and the HIPAA Security Rules, you should conduct a HIPAA risk assessment and review the findings annually. A new risk assessment report may be necessary if the lifecycle of data in your system changes, or if a business associate or third-party vendor changes its own data handling procedures. A HIPAA-compliant business should be able (at any time) to show that a current risk assessment report and to demonstrate that all appropriate safety measures have been taken.
Cybersecurity and compliance management tools
As you steer your business through the pandemic and our highly interdependent world, many tools can help keep your business safe, in compliance and your information secure.
ZenGRC’s compliance management, risk and workflow management software is an intuitive, easy-to-understand platform that not only keeps track of your workflow, but also easily identifies areas of high risk before that risk has manifested as a real threat.
Worry-free compliance management is the Zen way. For more information on how ZenGRC can enable your CMS, contact us for a demo.