Nine (9) essential elements of an acceptable Risk Analysis are cited in the final “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”.  The first one addresses the scope of the analysis; that is, which information assets should be included in the review.  Then the question arises: how should I inventory and document these assets?  Here’s today’s big tip: take advantage of the time investment and document thoroughly.  Learn the guidance; here’s how…

Excerpts from Guidance on Risk Analysis Requirements under the HIPAA Security Rule

Scope of the Analysis

The scope of risk analysis that the Security Rule encompasses includes the potential risks and vulnerabilities to the confidentiality, availability and integrity of all e-PHI that an organization creates, receives, maintains, or transmits. (45 C.F.R. § 164.306(a).) This includes e-PHI in all forms of electronic media, such as hard drives, floppy disks, CDs, DVDs, smart cards or other storage devices, personal digital assistants, transmission media, or portable electronic media. Electronic media includes a single workstation as well as complex networks connected between multiple locations. Thus, an organization’s risk analysis should take into account all of its e-PHI, regardless of the particular electronic medium in which it is created, received, maintained or transmitted or the source or location of its e-PHI.

Data Collection

An organization must identify where the e-PHI is stored, received, maintained or transmitted. An organization could gather relevant data by: reviewing past and/or existing projects; performing interviews; reviewing documentation; or using other data gathering techniques. The data on e-PHI gathered using these methods must be documented. (See 45 C.F.R. §§ 164.308(a)(1)(ii)(A) and 164.316(b)(1).)

Information Asset Inventory

First, think of an “information asset” as any software, hardware, network or computing component that creates, receives, maintains, or transmits ePHI.  For example, the asset may be an electronic medical record system, an email system, a laptop computer, a PDA, etc.

The Asset Inventory step, and the completed inventory it produces, form the basis for completing your Risk Analysis of each individual asset identified in this step.  Information assets identified here are then subjected to a detailed risk analysis either one-by-one or by class of asset (e.g., all the laptops that store ePHI).  Additionally, complete documentation created here can come in handy in the event of a security incident that may be determined to be a breach.

Recommended Information Asset Inventory Documentation

For each information asset (database, major hardware, network equipment, operating system, and application software) we suggest gathering and documenting the following information in a spreadsheet, database or asset inventory system.

  • Information Asset / Application / Database Name Containing ePHI – provide a name for the information asset, application or database containing ePHI. This may be an acronym or a few words that describe a computer system through which data is created, received, maintained or transmitted to support a business function.
  • Information Asset Owner – indicate the name and/or title of the individual who is ultimately responsible for the confidentiality, integrity and availability of this information asset or ePHI.
  • Description of Information Asset / Application / Database Name Containing ePHI – describe the type of ePHI, including how it is collected or received, who has appropriate access to it, to whom it may be transmitted, and the types of data elements beyond ePHI that may be located here.
  • Location of ePHI – indicate in the columns shown, by making an “X”, on what types of devices or media the ePHI is created, received, maintained or transmitted.  For example, network server, desktop, laptop, backup media, etc.
  • ePHI Data Source – describe the source of the data as specifically as possible (e.g., created internally, received from another department, from an external business associate, vendor, etc.).
  • ePHI Data Sharing – describe any other entities with whom the data is shared (e.g., another department, an external business associate, another covered entity, subcontractor, vendor, etc.).
  • Business Processes Supported – describe the key business process supported or enabled by this information asset (e.g., patient treatment, patient billing, healthcare operations, communications, etc.).
  • Asset Importance to Business – using a simple High (H), Medium (M), Low (L) scale, characterize the asset’s or ePHI’s criticality to the business, thinking in terms of how its loss or unavailability would affect the business.
  • Estimated Number of Records – estimate the volume of data based on the subject of the data (e.g., number of patients, claims records, plan members, employees, research subjects, etc.).
  • Planned Risk Analysis Completion Date – for each inventory item, a risk analysis will be completed.  Indicate the month and year when that analysis will be completed.
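The data elements above amount to a record layout. The following is an added example, not Clearwater's or OCR's tooling, of how that layout can be held in code so that the inventory can be validated and rolled up before the per-asset risk analysis begins: each record carries the fields listed above, a check flags records that are incomplete (no owner, no location marked, no planned completion date), assets are grouped by the medium that holds ePHI so a whole class (e.g., all laptops) can be analysed together, and the result is rendered in the one-“X”-column-per-location spreadsheet form described under Location of ePHI. The location categories, the three sample assets and the `YYYY-MM` date convention are constructed for illustration.

```python
"""Minimal ePHI information-asset inventory with validation and roll-ups.

Added example (hypothetical tooling, not Clearwater's or OCR's). Field names
follow the inventory data elements recommended above; the location columns,
the YYYY-MM date convention and the sample assets are constructed.
"""
import csv
import io
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed set of "Location of ePHI" columns (the "X" columns in the sheet).
LOCATIONS = ("network server", "desktop", "laptop",
             "backup media", "mobile device", "cloud service")
IMPORTANCE = ("H", "M", "L")          # Asset Importance to Business scale


@dataclass(frozen=True)
class InformationAsset:
    name: str                         # asset / application / database name
    owner: str                        # person ultimately responsible for CIA
    description: str                  # type of ePHI, access, other data elements
    locations: frozenset              # subset of LOCATIONS holding the ePHI
    data_source: str                  # where the ePHI comes from
    data_sharing: tuple               # entities the ePHI is shared with
    business_processes: tuple         # processes supported by the asset
    importance: str                   # "H", "M" or "L"
    estimated_records: int            # estimated number of records
    planned_completion: str           # "YYYY-MM", or "" if not yet scheduled


def validate(asset):
    """Return findings that make this inventory record incomplete or malformed."""
    findings = []
    if not asset.owner.strip():
        findings.append(f"{asset.name}: no asset owner assigned")
    if not asset.locations:
        findings.append(f"{asset.name}: no ePHI location marked")
    unknown = sorted(asset.locations - set(LOCATIONS))
    if unknown:
        findings.append(f"{asset.name}: unknown location(s) {unknown}")
    if asset.importance not in IMPORTANCE:
        findings.append(f"{asset.name}: importance must be one of {IMPORTANCE}")
    if asset.estimated_records < 0:
        findings.append(f"{asset.name}: estimated record count cannot be negative")
    if not re.fullmatch(r"\d{4}-(0[1-9]|1[0-2])", asset.planned_completion):
        findings.append(f"{asset.name}: planned risk analysis completion "
                        "date missing or not YYYY-MM")
    return findings


def inventory_findings(inventory):
    """Flatten validate() over the whole inventory."""
    return [f for asset in inventory for f in validate(asset)]


def assets_by_location(inventory):
    """Group asset names by medium, so a class (e.g. all laptops) is analysed together."""
    groups = defaultdict(list)
    for asset in inventory:
        for loc in sorted(asset.locations):
            groups[loc].append(asset.name)
    return dict(groups)


def records_by_importance(inventory):
    """Total estimated records per H/M/L rating; unknown ratings are ignored."""
    totals = dict.fromkeys(IMPORTANCE, 0)
    for asset in inventory:
        if asset.importance in totals:
            totals[asset.importance] += asset.estimated_records
    return totals


def to_csv(inventory):
    """Render the spreadsheet layout: one column per location, marked with an X."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["Asset", "Owner", "Importance", "Records",
                     "Planned completion", *LOCATIONS])
    for a in inventory:
        writer.writerow([a.name, a.owner, a.importance, a.estimated_records,
                         a.planned_completion,
                         *("X" if loc in a.locations else "" for loc in LOCATIONS)])
    return buf.getvalue()


# Constructed sample inventory: one complete record and two incomplete ones.
SAMPLE_INVENTORY = [
    InformationAsset("Electronic medical record system", "CIO",
                     "Clinical records; clinicians and coders have access",
                     frozenset({"network server", "backup media"}),
                     "created internally", ("billing clearinghouse (business associate)",),
                     ("patient treatment", "patient billing"), "H", 250000, "2011-03"),
    InformationAsset("Email system", "IT Director",
                     "Referral correspondence that may contain ePHI",
                     frozenset({"network server", "laptop", "mobile device"}),
                     "received from other department", (),
                     ("communications",), "M", 40000, ""),
    InformationAsset("Clinician laptops", "",
                     "Cached EMR extracts", frozenset({"laptop"}),
                     "created internally", (), ("patient treatment",), "M", 5000, "2011-05"),
]

if __name__ == "__main__":
    print(to_csv(SAMPLE_INVENTORY))
    for finding in inventory_findings(SAMPLE_INVENTORY):
        print("FINDING:", finding)
    print(assets_by_location(SAMPLE_INVENTORY))
    print(records_by_importance(SAMPLE_INVENTORY))
```

Run stand-alone, the script prints the spreadsheet-style CSV, two findings (the email system has no planned completion date, the laptop class has no owner), the per-location groupings, and the record totals per importance rating. Keeping the location columns as a fixed tuple is deliberate: the "X" columns must be the same for every row, or the class-based risk analysis and the breach-time lookup the text mentions stop being comparable across assets.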

The information gathered in these inventory data elements will help inform and guide the risk analysis steps that follow.  Such an inventory should encompass all information assets, wherever they are located.

As required by the HITECH Act, the Office for Civil Rights issued the final “Guidance on Risk Analysis Requirements under the HIPAA Security Rule” in July 2010.  We advise all Covered Entities and Business Associates to review the Final Guidance and become familiar with the applicable standards and implementation specifications.

Contact us for more information or to learn about a tailored Clearwater HIPAA Audit Prep WorkShop™ or the Clearwater HIPAA Audit Prep BootCamp™ series.



Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.