Nine (9) essential elements of an acceptable Risk Analysis are cited in the final “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”. The first one addresses the scope of the analysis; that is, what information assets should be included in the review. Then the question arises: how should I inventory and document these assets? Here’s today’s big tip – Take advantage of the time investment and document thoroughly. Learn the guidance; Here’s how…
Scope of the Analysis
The scope of risk analysis that the Security Rule encompasses includes the potential risks and vulnerabilities to the confidentiality, availability and integrity of all e-PHI that an organization creates, receives, maintains, or transmits. (45 C.F.R. § 164.306(a).) This includes e-PHI in all forms of electronic media, such as hard drives, floppy disks, CDs, DVDs, smart cards or other storage devices, personal digital assistants, transmission media, or portable electronic media. Electronic media includes a single workstation as well as complex networks connected between multiple locations. Thus, an organization’s risk analysis should take into account all of its e-PHI, regardless of the particular electronic medium in which it is created, received, maintained or transmitted or the source or location of its e-PHI.
An organization must identify where the e-PHI is stored, received, maintained or transmitted. An organization could gather relevant data by: reviewing past and/or existing projects; performing interviews; reviewing documentation; or using other data gathering techniques. The data on e-PHI gathered using these methods must be documented. (See 45 C.F.R. §§ 164.308(a)(1)(ii)(A) and 164.316(b)(1).)
Information Asset Inventory
First, think of an “information asset” as any software, hardware, network or computing component that creates, receives, maintains, or transmits ePHI. For example, the asset may be an electronic medical record system, an email system, a laptop computer, a PDA, etc.
The Asset Inventory step and the resulting completed inventory form the basis of completing your Risk Analysis for each individual asset identified in this step. Information assets identified here are then subjected to a detailed risk analysis either one-by-one or by class of asset (e.g., all the laptops that store ePHI). Additionally, creating complete documentation here can come in handy in the event of a security incident that may indeed be determined to be a breach.
Recommended Information Asset Inventory Documentation
For each information asset (database, major hardware, network equipment, operating system, and application software) we suggest gathering and documenting the following information in a spreadsheet, database or asset inventory system.
- Information Asset / Application / Database Name Containing ePHI – provide a name for the information asset, application or database containing ePHI. This may be an acronym or a few words that describe a computer system through which data is created, received, maintained or transmitted to support a business function.
- Information Asset Owner – indicate the name and/or title of the individual who is ultimately responsible for the confidentiality, integrity and availability of this information asset or ePHI.
- Description of Information Asset / Application / Database Name Containing ePHI – describe the type of ePHI, including how it is collected or received, who has appropriate access to it, to whom it may be transmitted, the types of date elements beyond ePHI that may be located here.
- Location of ePHI – indicate in the columns shown by making an “X”, on what types of devices or media is the ePHI created, received, maintained or transmitted. For example, network server, desktop, laptop, backup media, etc,
- ePHI Data Source – Describe the source of the data as specifically as possible; e.g., created internally, received from other department, from an external business associate, vendor, etc).
- ePHI Data Sharing – Describe any other entities with whom the data is shared; (e.g., other department, with an external business associate, another covered entity, subcontractor, vendor, etc).
- Business Processes Supported – Describe the key business process supported or enabled by this information asset (e.g., patient treatment, patient billing, healthcare operations, communications, etc.)
- Asset Importance to Business – Using a simple High (H), Medium (M), Low (L), characterize the asset’s or ePHI’s criticality to the business thinking in terms of how its loss or unavailability would affect the business.
- Estimated Number of Records – Estimate the volume of data based on the subject of the data (i.e. number of patients, claims records, plan members, employees, research subjects, etc).
- Planned Risk Analysis Completion Date – For each inventory item, a risk analysis will be completed. Indicate the month and year when that analysis will be completed.
The information gathered in these inventory data elementswill help inform and guide the risk analysis steps that follow. Such an inventory should encompass all information assets, wherever they are located.
As required by The HITECH Act, the Office for Civil Rights has issued final “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”. (July 2010). We advise all Covered Entities and Business Associates to review the Final Guidance and become familiar with the applicable standards and implementation specifications.
Please avail yourself of any of these free resources which you may access now by clicking on the links below:
- Risk Analysis Buyer’s Guide
- Expert 2nd Opinion on Your HIPAA Risk Analysis
- Clearwater Compliance White Paper: Risky Business: How to Conduct a Bona Fide HIPAA Security Risk Analysis
- Clearwater Recorded Webinar event entitled How to Conduct a Bona Fide HIPAA Security Risk Analysis
- IRM|Analysis™- Clearwater’s Risk Analysis and Risk Management software DataSheet
- IRM|Analysis™- Clearwater’s Risk Analysis and Risk Management software Free Trial for qualified organizations
- More Risk Analysis Resources
Latest posts by Bob Chaput (see all)
- HIPAA Risk Analysis Tip – Part 5 – Questions & Answers from May 3rd Conversation with Former OCR Director Leon Rodriguez - June 5, 2017
- HIPAA Risk Analysis Tip – Part 4 – Questions & Answers from May 3rd Conversation with Former OCR Director Leon Rodriguez - May 29, 2017
- HIPAA Risk Analysis Tip – Part 3 – Questions & Answers from May 3rd Conversation with Former OCR Director Leon Rodriguez - May 21, 2017