At this point, it’s old news that the HIPAA Security Rule requires you to conduct a risk analysis to thoroughly assess “the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information” under your watch. However, many organizations get off on the wrong foot almost immediately by inadequately executing a critical first step in the process.
Consider for a moment that you’re planning to make a big holiday meal for your extended family. You have numerous dishes to prepare and hours of hard work in the kitchen ahead of you. What is the most important first step you should take to ensure you serve up a feast and not a failure?
For those who are challenged in the kitchen, here’s your answer!
First, you need to conduct an inventory of your pantry and fridge so that you know what you have and what you need to purchase in order to cook.
The Importance of Identifying Your Assets
Taking stock of your information assets is just as important as a chef taking stock of ingredients. To a different end for sure, but the point remains: how can you expect to develop a comprehensive and effective risk management strategy if you don’t have a thorough understanding of all the moving parts, all the individual assets, all the nooks and crannies where information might be hiding?
Having a detailed inventory of all assets is the first step toward a smart risk analysis and risk management program. A great case in point is the Affinity Health Plan settlement with the U.S. Department of Health and Human Services (HHS) that occurred earlier this year. Affinity Health Plan, Inc. was cited with potential violations of the HIPAA Privacy and Security Rules for $1,215,780 after an investigation indicated that Affinity “impermissibly disclosed the protected health information of up to 344,579 individuals when it returned multiple photocopiers to a leasing agent without erasing the data contained on the copier hard drives.”
Were you aware, prior to this breach, that copier machines had hard drives? It’s clear that health data sources can turn up almost anywhere. That’s why it is so necessary to complete an information asset inventory that looks for anything that creates, receives, maintains, or transmits protected health information.
Think about where all of your information exists: paper records, voicemail, electronic records retained on fax machines, and so on. Many times breaches occur from a source or asset that the organization didn’t even realize contained sensitive information.
With all of this in mind, you need an exhaustive listing of possible locations of protected health information. You must stimulate your thinking about where your data could be hiding. It’s a bit of a commitment, but there’s no substitute for getting this step right. Failure to do so will leave you with a half-cooked strategy for information risk management and ultimately, a bad taste in your organization’s mouth.
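The following is an added example, not code from the Clearwater Compliance post. It models the inventory step the post describes: every asset is tagged with which of the Security Rule’s four verbs (creates, receives, maintains, transmits) apply to it, and two checks are run over the list. The first flags PHI-bearing assets with persistent storage that have left custody without a documented sanitization record (the copier-return scenario from the Affinity settlement); the second reports asset categories that have no inventory entry at all, which is more often a blind spot than a true absence. The asset records and field names are constructed for illustration and are not drawn from any standard.

```python
# Added example, not code from the Clearwater Compliance post. The asset
# records below are constructed for illustration and the field names are
# hypothetical; the four verbs come from the Security Rule language quoted
# in the post (creates, receives, maintains, transmits).
from dataclasses import dataclass

PHI_FLOWS = frozenset({"creates", "receives", "maintains", "transmits"})

# Asset categories the post says are easy to overlook; used to prompt the
# "where else could PHI be hiding?" question when a category has no entries.
OVERLOOKED_TYPES = frozenset({"copier", "fax", "voicemail", "paper"})


@dataclass(frozen=True)
class Asset:
    name: str
    asset_type: str                 # "copier", "fax", "voicemail", "server", "paper", ...
    phi_flows: frozenset            # which of PHI_FLOWS apply to this asset
    persistent_storage: bool        # retains data at rest (a copier hard drive does)
    in_custody: bool = True         # still under the organization's control
    sanitization_verified: bool = False  # documented wipe/destruction before release

    def __post_init__(self):
        unknown = self.phi_flows - PHI_FLOWS
        if unknown:
            raise ValueError(f"{self.name}: unknown PHI flow(s) {sorted(unknown)}")


def phi_assets(inventory):
    """Every asset that touches PHI in any way: the scope of the risk analysis."""
    return [a for a in inventory if a.phi_flows]


def disposal_gaps(inventory):
    """PHI-bearing assets with persistent storage that left custody without a
    verified sanitization record: the copier-return scenario in the post."""
    return sorted(
        a.name for a in inventory
        if a.phi_flows and a.persistent_storage
        and not a.in_custody and not a.sanitization_verified
    )


def coverage_gaps(inventory, expected_types=OVERLOOKED_TYPES):
    """Asset categories with no inventory entry at all. An empty category is
    more often a blind spot than a true absence, so it gets reviewed."""
    present = {a.asset_type for a in inventory}
    return sorted(expected_types - present)


# Constructed sample inventory (not real assets).
INVENTORY = [
    Asset("ehr-db-01", "server", frozenset({"maintains", "transmits"}), True),
    Asset("copier-3f", "copier", frozenset({"creates", "maintains"}), True,
          in_custody=False, sanitization_verified=False),
    Asset("copier-1f", "copier", frozenset({"creates", "maintains"}), True,
          in_custody=False, sanitization_verified=True),
    Asset("fax-billing", "fax", frozenset({"receives", "maintains"}), True),
    Asset("lobby-kiosk", "kiosk", frozenset(), False),   # no PHI: out of scope
    Asset("archive-room", "paper", frozenset({"maintains"}), True),
]

if __name__ == "__main__":
    print("in scope:", [a.name for a in phi_assets(INVENTORY)])
    print("disposal gaps:", disposal_gaps(INVENTORY))
    print("uninventoried categories:", coverage_gaps(INVENTORY))
```

Run stand-alone, the sample inventory reports one disposal gap (the copier returned without a verified wipe) and one uninventoried category (voicemail). The point of the coverage check is the one the post makes: an inventory that simply has no row for a category has not proven that the category holds no PHI.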
Want to learn more about information risk analysis and management?
Here are some helpful resources from Clearwater Compliance:
- Jumpstart your efforts by attending a Clearwater Information Risk Management BootCamp™.
- Sign up for one of our complimentary best practices webinars with industry experts.
- Subscribe to our newsletter for a robust summary of the latest information risk management news.
By Bob Chaput