by Yenny (SU)

The Department of Health and Human Services (HHS) requires all Covered Entities and Business Associates handling protected health information to conduct a risk analysis as the first step toward implemented safeguards specified in The HIPAA (Health Insurance Portability and Accountability Act) Security Rule, and actively maintaining HIPAA compliance.

At first glance, it may seem like a daunting task. But it’s a necessary one that can help protect your practice from costly violations while – more importantly – protecting your patients’ privacy and personal security.

Nine Key Components

There are numerous methods of performing risk analysis and there is no single method or “best practice” that guarantees compliance with the Security Rule.

However, the HHS Security Standards Guide outlines nine mandatory components of a risk analysis that healthcare organizations and healthcare-related organizations that store or transmit electronic protected health information (ePHI) must include in their document:

Ø  Scope of the Analysis – This addresses any potential risks and vulnerabilities to the privacy, availability, and integrity of ePHI. It includes all electronic media your organization uses to create, receive, maintain or transmit ePHI such as portable media, desktops, and networks. Network security between multiple locations is also important to include, and may include aspects of your HIPAA hosting terms with a third party or business associate.

Ø  Data Collection – This focuses on where the ePHI goes. You need to locate where data is being stored, received, maintained, or transmitted. If you’re hosting at a HIPAA compliant data center, you’ll need to contact your hosting provider to document where and how your data is stored. 

Ø  Potential Threats and Vulnerabilities – Identify and document sensitive data and any vulnerabilities that may lead to the leaking of ePHI. By anticipating any potential HIPAA violations, you can help your organization reach a resolution swiftly and effectively.

Ø  Current Security Measures – Assess the kind of security measures you’re taking to protect your data. This might include any encryption, two-factor authentication, or other security methods out in place by your HIPAA hosting provider.

Ø  Likelihood of Threat Occurrence – Determine the probability of potential risks to ePHI. This assessment allows for estimates on the likelihood of ePHI breaches.

Ø  Potential Impact of Threat Occurrence – Use qualitative or quantitative methods to assess the maximum impact of a data threat to your organization. Question how many people could be affected and to what extent private data – medical records or both health information and billing information --could be exposed.

Ø  Determine the Level of Risk – HHS suggest taking the average of the assigned likelihood and impact levels to determine the level of risk. Documented risk levels should be accompanied by a list of corrective actions that can be performed to mitigate risk.

Ø  Documentation Finalization – Compile everything in an organized document. Any format will suffice as long as the analysis is in writing.

Ø  Periodic Review and Updates to the Risk Assessment – One requirement is that the risk analysis process be conducted on a regular, ongoing basis. The Security Rule doesn’t set a required timeline, but HHS recommends that organizations conduct another risk analysis whenever your company implements or plans to adopt new technology or business operations. This could include switching your data storage methods from managed servers to cloud computing, and updating after any ownership or key staff turnover.

We Can Help

Performing a risk analysis is a complex process. The HIPAA compliance experts at Colington Consulting have conducted numerous compliance assessments.  You can benefit from their expertise in knowing what is reasonable and appropriate for your organization. They understand the field of HIPAA rules and procedures and can help you avoid problems and steep fines by helping your organization maintain complete HIPAA compliance. It is what they do best, allowing you to do what you do best … provide health care to your patients. Contact Colington Consulting today at 800-773-6379.