HIPAA Risk Assessment

May 4, 2020


Under the HIPAA Security Rule, covered entities and business associates must perform a HIPAA Risk Assessment. This risk assessment is referred to by several names, including “Security Rule Risk Assessment,” “Security Rule Risk Analysis,” “Security Risk Assessment,” or “Security Risk Analysis.” 

What is the Purpose of a HIPAA Risk Assessment?

A HIPAA risk assessment is required by the HIPAA Security Rule. The HIPAA Security Rule requires that covered entities (health plans, health care clearinghouses, and health care providers who electronically transmit any health information in connection with a HIPAA-covered transaction), and business associates, implement security safeguards. These security safeguards must protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). ePHI is any protected health information that is created, stored, transmitted, or received in any electronic format. Performing the security risk analysis is the first step in identifying and implementing these safeguards. 

What are the Elements of a HIPAA Security Rule Risk Assessment?

A security risk analysis consists of conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. 

There are six steps to the security risk analysis:

  • Collecting Data
  • Identifying and Documenting Potential Threats and Vulnerabilities
  • Assessing Current Security Measures
  • Determining the Likelihood of Threat Occurrence
  • Determining the Potential Impact of Threat Occurrence
  • Determining the Level of Risk to ePHI

What Must be Done Before Conducting the HIPAA Security Risk Analysis?

Before undertaking these steps, the covered entity or business associate should determine the scope of the risk analysis to be performed. The scope of the analysis must cover the potential risks and vulnerabilities to the confidentiality, availability, or integrity of all ePHI that a covered entity creates, receives, maintains, or transmits. This includes ePHI in all forms of electronic media. Electronic media is defined as: 

(1) Electronic storage media including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or 

(2) Transmission media used to exchange information already in electronic storage media. Transmission media include, for example:

    • The Internet;
    • The Extranet (using internet technology to link a business with information accessible only to collaborating parties);
    • Leased lines;
    • Dial-up lines;
    • Private networks; and 
    • The physical movement of removable/transportable electronic storage media. 

Element 1: Collecting Data

To begin the security risk analysis, an organization must identify where its ePHI is stored, received, maintained, or transmitted.  A covered entity or business associate may do this in several ways, which include:

  • Reviewing past or existing projects
  • Performing interviews
  • Reviewing documentation. 

The data gathered during this identification process must be documented.

Element 2: Identifying and Documenting Potential Threats and Vulnerabilities

Next, the covered entity or business associate must identify and document the threats to ePHI that are reasonably anticipated. It must also identify and document vulnerabilities which, if triggered or exploited by a threat, would create a risk of improper access to, or disclosure of, ePHI.

Element 3: Assessing Current Security Measures

This step of the HIPAA risk assessment requires covered entities and business associates to address their “state of security.” This consists of:

  • Documenting the security measures they currently use to safeguard ePHI.
  • Assessing and documenting whether the security measures required by the Security Rule are already in place.
  • Assessing and documenting whether their current security measures are properly configured and used. 

Element 4: Determining the Likelihood of Threat Occurrence

Covered entities and business associates must next assess the likelihood of potential risks to electronic protected health information. The results of this assessment, combined with the list of threats identified in element 2, above, will reveal which threats the covered entity or business associate should regard as “reasonably anticipated.”

Element 5: Determining the Potential Impact of Threat Occurrence

After the covered entity or business associate determines the likelihood of threat occurrence, it must then, as part of the HIPAA risk assessment, assess the impact of potential threats to confidentiality, integrity, and availability of ePHI. 

This assessment is performed by evaluating the severity of the impact resulting from a threat that triggers or exploits a vulnerability. The evaluation should be documented.

A useful way to document impact severity is to describe it numerically (i.e., assigning a number to how severe an impact is, on a scale of 1 to 10, with 10 being “most severe”).

Security Risk Analysis Element 6: Determining the Level of Risk

The final risk analysis step of the HIPAA risk assessment consists of determining the level of risk. The level of risk is determined by evaluating ALL threat likelihood and threat impact combinations identified in the risk analysis to this point. 

The level of risk is highest when a threat:

1) is likely to occur; AND 

2) will have a significant or severe impact on an organization.  

For example, if an organization’s network is completely unsecured, and that network stores all of the organization’s ePHI, there is a high level of risk both that:

  • A threat will occur; and
  • The occurrence of the threat may have a severe impact on the organization.

When threat likelihood and severity are both high, the level of risk should be classified as “high.” Conversely, if there is a low risk of a threat occurring, AND the threat’s occurrence will have little to no impact on the organization, the level of risk is relatively low.    

Once the organization has assigned risk levels, it should document those levels, and document what corrective actions are needed for each level.

Finally, once all six elements have been addressed, all documentation should be finalized. In addition, the security risk analysis should be periodically reviewed, and updated, as needed.
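The six elements above can be carried in a single risk register. The following Python is an added worked example, not from the original article: each row records the output of elements 1 through 5, and risk_level() performs element 6 by combining likelihood and impact. The 1 to 10 impact scale is the article's; the 1 to 10 likelihood scale, the score thresholds, and the corrective-action policy are assumptions made for illustration, and all rows in SAMPLE_REGISTER are constructed sample data.

```python
"""Worked HIPAA security risk analysis register (added example, not from the page).

Each Risk row carries the output of elements 1-5; risk_level() performs
element 6. The 1-10 impact scale is the article's; the 1-10 likelihood scale,
the score thresholds and the corrective-action policy are assumptions made
for illustration. All rows in SAMPLE_REGISTER are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass, asdict

# Assumed thresholds on likelihood * impact (range 1..100).
HIGH_THRESHOLD = 50
MEDIUM_THRESHOLD = 20

# Assumed corrective-action policy keyed by risk level (illustrative only).
CORRECTIVE_ACTION = {
    "high": "remediate before next review; record interim compensating control",
    "medium": "add to risk management plan with owner and target date",
    "low": "accept and monitor; re-evaluate at next periodic review",
}


@dataclass(frozen=True)
class Risk:
    asset: str               # Element 1: where ePHI is created/received/maintained/transmitted
    threat: str              # Element 2: reasonably anticipated threat
    vulnerability: str       # Element 2: weakness the threat could trigger or exploit
    control: str             # Element 3: safeguard currently in use
    control_effective: bool  # Element 3: in place AND properly configured and used
    likelihood: int          # Element 4: 1 (rare) .. 10 (near certain)
    impact: int              # Element 5: 1 (negligible) .. 10 (most severe)


def validate(risk: Risk) -> None:
    """Reject ratings outside the 1..10 scales before they reach the register."""
    for name, value in (("likelihood", risk.likelihood), ("impact", risk.impact)):
        if not 1 <= value <= 10:
            raise ValueError(f"{name} for {risk.asset!r} must be 1..10, got {value}")


def risk_score(risk: Risk) -> int:
    """Element 6 input: one likelihood/impact combination as a single number."""
    validate(risk)
    return risk.likelihood * risk.impact


def risk_level(risk: Risk) -> str:
    """Element 6: classify the likelihood/impact combination as high, medium or low."""
    score = risk_score(risk)
    if score >= HIGH_THRESHOLD:
        return "high"
    if score >= MEDIUM_THRESHOLD:
        return "medium"
    return "low"


def build_register(risks: list[Risk]) -> list[dict]:
    """Produce the documented register, highest risk first, with the
    corrective action for each level attached to every row."""
    rows = []
    for risk in risks:
        row = asdict(risk)
        row["score"] = risk_score(risk)
        row["level"] = risk_level(risk)
        row["corrective_action"] = CORRECTIVE_ACTION[row["level"]]
        rows.append(row)
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def summarize(register: list[dict]) -> dict[str, int]:
    """Count rows per level, always reporting all three levels."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for row in register:
        counts[row["level"]] += 1
    return counts


def control_gaps(register: list[dict]) -> list[str]:
    """Element 3 follow-up: assets whose current safeguard is missing or misused."""
    return [row["asset"] for row in register if not row["control_effective"]]


# Constructed sample data for a small clinic (not from the article).
SAMPLE_REGISTER = [
    Risk("EHR database server", "ransomware delivered by phishing",
         "OS patches 6 months behind; no offline backups",
         "endpoint antivirus", False, 8, 10),
    Risk("Clinician laptops", "loss or theft of device",
         "full-disk encryption not enforced by policy",
         "written device-handling policy", False, 6, 9),
    Risk("Offsite backup tapes", "loss of tapes in transit",
         "tape contents not encrypted",
         "courier chain-of-custody log", True, 3, 9),
    Risk("Billing file transfers to clearinghouse", "interception in transit",
         "none identified", "SFTP with key-based authentication", True, 2, 8),
]


if __name__ == "__main__":
    register = build_register(SAMPLE_REGISTER)
    for row in register:
        print(f"{row['level']:6} {row['score']:3}  {row['asset']}: {row['corrective_action']}")
    print("summary:", summarize(register))
    print("control gaps:", control_gaps(register))
```

The register is the document that gets finalized and periodically reviewed: re-running it after a control changes (for example, once disk encryption is enforced on the laptops and the likelihood rating is lowered) shows whether the corrective action moved the row out of the “high” band.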

What Are the Potential Consequences of Not Conducting the Security Rule Risk Assessment?

A covered entity or business associate that fails to conduct the security risk assessment is in violation of the HIPAA Security Rule. In addition, by failing to conduct the assessment, the entity is allowing risks to persist. These risks can be exploited by hackers or other cyberattackers, with the result being an impermissible disclosure of ePHI. 

Security Rule Risk Assessments are on the radar of the Department of Health and Human Services’ (DHHS) Office for Civil Rights (OCR), which enforces the HIPAA rules through audits, investigations, fines, and ordering of corrective actions.


During investigations of data breaches, OCR examines which HIPAA compliance failures played a part in causing the breach. One common compliance failure that contributes to data breaches is the failure to conduct a thorough risk analysis. OCR has frequently entered into settlements (also known as “resolution agreements”) in which a monetary penalty is assessed, and many of these agreements cite the failure to conduct a risk analysis as a main reason for imposing the penalty. 
