The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities and their business associates conduct a security risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI). A security risk analysis, however, is not the same as a security risk assessment.
A risk assessment is an assessment of all the potential risks to an organization’s ability to do business. These include project risks, function risks, enterprise risks, inherent risks, and control risks.
In the risk analysis phase, a company examines each identified risk and assigns it a score using one of two scoring approaches: quantitative or qualitative. These scores let the company prioritize its risks and single out its high risks, so that the organization can determine which risks it should avoid or mitigate and which it can accept.
Quantitative scoring assigns specific dollar amounts to the risk factors under consideration. Qualitative scoring is less specific and more subjective and uses a risk assessment matrix.
Covered entities that must conduct a risk analysis are health plans, health care clearinghouses, and health care providers that submit HIPAA transactions, such as claims, electronically. In addition, every provider that wants to receive electronic health records (EHR) incentive payments must conduct a risk analysis.
The risk analysis should examine the risks specific to the covered entity’s business. For example, how does the covered entity store patient electronic protected health information? Does the covered entity store the ePHI on an EHR system in its office or on an Internet-based system? This matters because the potential risks are different for each scenario.
A covered entity’s risk analysis may also determine that it needs to update its system software, review and modify security policies, change the workflow processes or storage methods, schedule additional training for employees, or take other necessary corrective action to remove any potential threats.
A risk analysis helps covered entities ensure that they comply with HIPAA’s administrative, physical, and technical security measures. A risk analysis also helps a covered entity identify areas where its electronic protected health information may be at risk.
Once a covered entity has completed the risk analysis, it must take any additional “reasonable and appropriate” steps to reduce the risks it has identified to reasonable and appropriate levels.
Conducting a security risk analysis to meet the standards of the HIPAA Security Rule is included in the meaningful use requirements of the Medicare and Medicaid EHR Incentive Programs. Under the programs, a covered entity must conduct or review a security risk analysis for each EHR reporting period to ensure the privacy and security of its patients’ ePHI.
A covered entity should:
- Perform the full security risk analysis as it adopts an EHR.
- Perform the full security risk analysis every year or when there are changes to the covered entity’s practice or electronic systems.
- Review and update the previous security risk analysis for changes in risks.
Although there is no best practice that guarantees compliance, most risk analysis and risk management processes have similar steps. The following are steps a covered entity should consider as it conducts its risk analysis:
- Define the scope of the risk analysis and collect data regarding the ePHI that pertains to the defined scope of the risk analysis.
- Identify potential security threats and vulnerabilities to patient privacy and to the security of the covered entity’s ePHI.
- Assess how effective the implemented security measures are when it comes to protecting against the potential threats and vulnerabilities that the risk analysis has identified.
- Determine the likelihood that a particular threat will occur and its impact on the confidentiality, integrity, and availability of the electronic protected health information.
- Identify and assign risk levels based on the likelihood that a potential threat will occur and the impact of that potential threat if it happens.
- Prioritize the remediation or mitigation of identified risks based on how much they will affect the covered entity’s patients and practice.
- Document the risk analysis. Include information from the above steps as well as the results of the risk analysis.
- Review and update the risk analysis periodically.
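The qualitative path through steps 3 to 7 above (credit existing controls, rate likelihood and per-objective impact, place each risk on a matrix, rank it, and record the result) can be worked through on a small constructed ePHI risk register. This is an added example, not part of the original text; the three-point scales, the control credit, the matrix thresholds, and the register entries are all assumptions chosen for illustration, since the Security Rule prescribes none of them.

```python
from dataclasses import dataclass

# Three-point qualitative scales (assumed for this example; the Security Rule
# requires that likelihood and impact be assessed but prescribes no scale).
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}
CONTROL_CREDIT = {"none": 0, "partial": 0, "effective": 1}  # likelihood notches removed (assumed)

@dataclass
class Risk:
    threat: str              # threat/vulnerability pair (step 2)
    asset: str               # in-scope ePHI location (step 1)
    likelihood: str          # inherent likelihood, before crediting controls
    impact: dict[str, str]   # per objective: confidentiality / integrity / availability
    controls: str = "none"   # effectiveness of measures already in place (step 3)

def score(risk: Risk) -> int:
    """Residual likelihood x worst-case impact across C, I and A (1..9)."""
    residual = max(1, LIKELIHOOD[risk.likelihood] - CONTROL_CREDIT[risk.controls])
    worst = max(IMPACT[v] for v in risk.impact.values())
    return residual * worst

def level(s: int) -> str:
    """Cell of the 3x3 risk matrix the score falls in (thresholds assumed)."""
    return "high" if s >= 6 else "medium" if s >= 3 else "low"

def prioritize(register: list[Risk], accept_level: str = "low") -> list[dict]:
    """Rank risks for remediation; only the lowest matrix cell is accepted."""
    rows = []
    for r in register:
        s = score(r)
        rows.append({"threat": r.threat, "asset": r.asset, "score": s, "level": level(s),
                     "decision": "accept" if level(s) == accept_level else "mitigate"})
    return sorted(rows, key=lambda row: row["score"], reverse=True)

# Constructed register for a small practice (sample data, not real findings).
REGISTER = [
    Risk("lost unencrypted laptop", "clinician laptops", "high",
         {"confidentiality": "high", "integrity": "low", "availability": "medium"}),
    Risk("ransomware on on-premises EHR server", "office EHR", "medium",
         {"confidentiality": "medium", "integrity": "high", "availability": "high"}, "partial"),
    Risk("hosted EHR vendor outage", "cloud EHR", "medium",
         {"confidentiality": "low", "integrity": "low", "availability": "medium"}, "effective"),
    Risk("record emailed to the wrong patient", "practice email", "low",
         {"confidentiality": "medium", "integrity": "low", "availability": "low"}),
]
if __name__ == "__main__":  # documented output for the risk analysis record (step 7)
    for row in prioritize(REGISTER):
        print(f"{row['level']:6} {row['score']:2}  {row['decision']:8} {row['threat']} [{row['asset']}]")
```

Because impact is taken as the worst case across the three security objectives, an availability-only threat such as the vendor outage still ranks, but an effective control (here, a tested contingency plan) lowers it into the accepted cell.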
Once the covered entity has completed these steps, it should create an action plan to implement the appropriate security measures to protect the confidentiality, integrity, and availability of its electronic protected health information.
The action plan will involve a review of the risks to the covered entity’s electronic protected health information that were identified in its risk analysis, so that the entity can correct any processes that put its patients’ ePHI at risk.