A Foolproof Guide
Understanding HIPAA Risk Analysis
Any individual, organization, or agency that “creates, stores, transmits or maintains PHI” (protected health information) must comply with the necessary requirements to protect the security and privacy of patient health information. They must also guarantee certain rights regarding patients’ personal records.
In other words, if your business comes into contact with any patient health information, you are required to adhere to HIPAA guidelines and regulations. According to the rules, this also means that you must conduct a risk analysis or assessment.
What is a Risk Analysis?
The Administrative Safeguards provision in the HIPAA Security Rule requires any organization that is considered a “covered entity” to perform a risk analysis, which helps organizations identify weaknesses, recognize the need for stronger security measures, and implement better protocols.
While all risk analyses are different, the HHS requires certain steps to be completed when one is conducted. Several frameworks have been developed, including the relatively new NIST Cybersecurity Framework (CSF), to guide a risk analysis, but all have the same premise, which is to identify the critical business drivers and evaluate and address the risk to those assets.
Key Steps in a Risk Analysis
In order to point you in the right direction and enhance your chances of conducting a thorough and effective risk analysis, let’s review some important steps your organization needs to take.
Get Everyone On Board
The first step is to get everyone on board with the risk assessment. If you want it to be comprehensive and thorough, you can’t afford to leave anyone out. Everyone from doctors and nurses to IT professionals and administrators needs to understand what’s happening.
“A Risk Analysis is not an IT ‘project.’ If it is relegated to a single individual or department to complete, the results and impacts will not be understood by those that are most affected,” says Rich Curtiss, an expert in the field and one of Clearwater's principal consultants. “It is an organizational responsibility and requires multiple stakeholder involvement to be successful. Critical to the success is the participation by key operational personnel within the organization. The IT infrastructure lies unseen and nebulous to most operational professionals, but when they start seeing the impact of potential, inappropriate use of IT assets and procedures, it makes an impact. Stakeholders should include the Board of Directors, C-Suite, Medical Staff Services, Compliance, Audit, Physical Security, Cybersecurity, IT and Supply Chain.”
Once you’ve identified the correct stakeholders you can move forward with the assessment and begin focusing on how you can run the most effective and complete analysis possible.
Identify the Scope
The second step is to identify the scope of the assessment with those involved. Take into account all electronic patient health information your organization develops, sends, receives, or otherwise maintains. Any aspect of your organization that touches health information needs to be included in the scope of the assessment.
Gather All Data
The third step requires you to gather all relevant data, records, files, and information. If you’ve adequately identified the scope and noted all areas of your organization that are involved with electronic patient health information, this step is much easier.
Gathering information will look different in every situation but typically involves manually downloading files, conducting interviews, and consolidating information from various sources. You’ll also find it helpful to go ahead and classify this data as you’re gathering it. When conducting steps four and five, it’s helpful to know whether or not any information is public, confidential, or highly confidential.
Assess Current Security Measures
Now it’s time to assess the current security and privacy measures you have in place. These will be different in every organization, but they include both technical and nontechnical measures. Technical security measures are such things as login requirements, data encryption methods, and audit controls. Nontechnical security measures include company policies and procedures, physical security measures, and patient interaction guidelines.
Identify Risks and Determine Impact
The next step requires you to identify potential pitfalls and risks and then determine the impact these threats could have on your organization. In other words, you need to understand which threats your organization is exposed to and how significant an impact they could have if brought to fruition. During this step, you should also determine the likelihood of a threat occurring.
Document Absolutely Everything
Simply conducting a risk analysis isn’t enough. If you want to protect your organization, adhere to HIPAA guidelines, and safeguard private information, you need to continually reevaluate your organization and the potential risks it faces. Circumstances change over time and it’s up to you to stay on top of what’s happening in and around your organization.
Be Confident That Your Risk Analysis Is “By-The-Book.”
How would you fare in an OCR audit or investigation? Are you struggling to find guidance, tools and methodology to conduct your HIPAA risk analysis?
Clearwater's IRM|Analysis™ is an easy-to-use, comprehensive HIPAA risk analysis software platform that provides a complete approach and methodology to help your organization meet HIPAA and Meaningful Use requirements. It strictly follows the HHS/OCR guidance given for Security Risk Analysis and harnesses the power of the NIST risk assessment processes.