The Security Rule of HIPAA requires that Covered Entities perform an information security risk analysis. Specifically, the requirement is to “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic Protected Health Information (PHI) held by the covered entity.”
Once this is done, there is a requirement to perform a periodic review, to ensure that information systems security standards “continue to be met” in response to changes.
HIPAA Compliance is enforced by the Center for Medicare and Medicaid Services (CMS), specifically by the Office for Civil Rights (OCR). They take their job very seriously, as can be seen by their up-to-date list of enforcement actions.
Note that OCR enforces both the HIPAA Privacy and Security rules, and is particularly concerned with unauthorized access to PHI and violations of the right of access (withholding PHI from a patient).
HHS and OCR have both published a great deal of guidance and helpful info on the topics of HIPAA Security and Risk Analysis.
If you are conducting a risk analysis as part of the Merit-based Incentive Payment System (MIPS) program, they’ve got an excellent guide on that topic. (The Advancing Care Information category of MIPS replaces the Meaningful Use program). They’ve even developed their own assessment tool for small practices, although our clients find it hard to use and not very helpful.
Gluttons for punishment can download CMS’ own internal HIPAA security risk assessment template, which is only useful if you’re a large Federal organization such as CMS.
One last piece of advice: “HIPAA Certified” doesn’t exist, so be wary of anything that claims to be so.
Elements of a HIPAA Security Risk Assessment Template
There are a number of HIPAA risk assessment templates for you to choose from. You can even make your own HIPAA security risk assessment worksheet, though we don’t recommend it.
Whichever you select, it should have the following elements:
A Scope Definition
The risk analysis should take into account all of your ePHI, regardless of the electronic medium (desktop, tablet, server, smartphone, or the cloud) it’s located in, how or by whom it is created, received, transmitted, or used, and whether it’s in your EHR or elsewhere.
Be sure to list all the locations, physical and logical, where ePHI is stored, received, maintained or transmitted.
A List of Threats and Vulnerabilities
Specifically, a list of the threats to and vulnerabilities of your practice’s ePHI. You should identify and document reasonably anticipated threats to ePHI. “Reasonably anticipated” is not defined anywhere, but one rule of thumb is that if it won’t, or hasn’t, happened in twenty years it is not reasonable to anticipate it.
You should, however, identify the different threats that are unique to the circumstances of your environment. Along with the threats, you should also identify and document vulnerabilities which, if exploited by a threat, would create a risk to your ePHI.
Quick summary:
- Vulnerabilities are either accidentally triggered or intentionally exploited, and could result in a security incident, such as theft or destruction of ePHI. Vulnerabilities can be both technical and nontechnical.
- Threats exploit vulnerabilities, and can be grouped into general categories such as natural, human and environmental (tornado, hacker, and power outage, respectively).
Look at how your security measures protect you against the threats and vulnerabilities that you’ve identified.
You’ve got some security measures in place, but are they working as planned? And are you doing all the practices listed by the Section 405(d) Task Group? If you can’t be bothered to click, the practices are:
- Email protection systems
- Endpoint protection systems (e.g., anti-virus)
- Access management
- Data protection and loss prevention
- Asset management
- Network management
- Vulnerability management (e.g., patching)
- Incident response
- Medical device security
- Cybersecurity policies
Document the existing security measures and assess how well they are working at protecting you. Often, reviewing the existing security measures will help you identify areas for improvement.
Determine the likelihood a particular threat will occur and the impact such an occurrence would have on your ePHI. This is an art, not a science, and is best done with a combination of qualitative and quantitative methods.
At Techumen, we estimate likelihood using four factors:
- Any historical information that is available
- The threat’s motivation and capability
- The nature of the vulnerability
- The effectiveness of current security controls
Impact is even more subjective; a serious impact to a solo provider wouldn’t even be noticed by Kaiser Permanente. Impacts can be operational, financial, clinical or reputational. However you estimate impacts for your organization, make it as consistent as possible.
Determine and assign risk levels based on the likelihood and impact of a threat occurrence. Risk is typically expressed as a combination of likelihood and impact. For example, a High likelihood rating and a High impact rating will result in a High risk rating. There should be a risk level for all threat and vulnerability combinations identified during the risk analysis.
Review and update your risk analysis on a periodic basis. To comply with HIPAA, you must continue to review, correct or modify, and update security protections. Do this at least annually or after a major change in your practice such as moving offices or switching EHRs.
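To make the steps above concrete, here is a small risk register written for this article as an added illustration; it is not Techumen’s assessment tool or any HHS template. Each entry records an ePHI location, a threat, a vulnerability, a 1–3 rating for each of the four likelihood factors, and an impact level; the register derives a likelihood level, combines it with impact in a qualitative matrix (High likelihood with High impact gives High risk, as stated above), and flags entries that have gone more than a year without review. The way the four factors are averaged, the matrix cells other than High/High, and the sample entries are all assumptions made here for illustration.

```python
"""Toy HIPAA risk register (added illustration, not Techumen's tool).

Each entry pairs an ePHI location with a threat and a vulnerability, rates
the four likelihood factors from the text, rates impact, derives a risk
level from a likelihood-by-impact matrix, and flags entries overdue for the
annual review. The numeric scoring scheme is an assumption made here for
illustration; the text does not prescribe one.
"""
from dataclasses import dataclass
from datetime import date

LEVELS = ("Low", "Medium", "High")   # qualitative scale used throughout
FACTOR_RANGE = range(1, 4)           # 1 = favours the practice, 3 = favours the threat
REVIEW_PERIOD_DAYS = 365             # "at least annually"


@dataclass
class Risk:
    location: str            # where the ePHI lives (scope element)
    threat: str
    vulnerability: str
    history: int             # factor 1: historical information
    threat_capability: int   # factor 2: threat motivation and capability
    vuln_nature: int         # factor 3: nature of the vulnerability
    control_weakness: int    # factor 4: 3 means current controls are ineffective
    impact: str              # "Low" | "Medium" | "High"
    last_reviewed: date

    def __post_init__(self) -> None:
        # Reject malformed entries up front so a typo cannot silently
        # produce a "Low" rating.
        for name in ("history", "threat_capability", "vuln_nature", "control_weakness"):
            if getattr(self, name) not in FACTOR_RANGE:
                raise ValueError(f"{name} must be 1..3, got {getattr(self, name)!r}")
        if self.impact not in LEVELS:
            raise ValueError(f"impact must be one of {LEVELS}, got {self.impact!r}")


def likelihood(r: Risk) -> str:
    """Average the four factors and map to Low/Medium/High (assumed scheme)."""
    avg = (r.history + r.threat_capability + r.vuln_nature + r.control_weakness) / 4
    if avg < 1.75:
        return "Low"
    if avg < 2.5:
        return "Medium"
    return "High"


def risk_level(likelihood_lvl: str, impact: str) -> str:
    """Qualitative matrix: High likelihood + High impact -> High, as in the text.

    Other cells (assumed): the sum of the two ordinal positions (0..4) maps to
    Low, Low, Medium, High, High, so Low likelihood with High impact is Medium.
    """
    score = LEVELS.index(likelihood_lvl) + LEVELS.index(impact)
    return ("Low", "Low", "Medium", "High", "High")[score]


def review_overdue(r: Risk, today: date) -> bool:
    """True when the entry has not been reviewed within the annual period."""
    return (today - r.last_reviewed).days > REVIEW_PERIOD_DAYS


def register_report(risks: list, today: date) -> list:
    """Rate every entry and return them highest risk first."""
    rows = []
    for r in risks:
        lk = likelihood(r)
        rows.append({
            "location": r.location,
            "threat": r.threat,
            "vulnerability": r.vulnerability,
            "likelihood": lk,
            "impact": r.impact,
            "risk": risk_level(lk, r.impact),
            "overdue": review_overdue(r, today),
        })
    # Stable sort keeps input order within the same risk level.
    rows.sort(key=lambda row: LEVELS.index(row["risk"]), reverse=True)
    return rows


# Constructed sample entries for a small practice (illustrative, not real findings).
SAMPLE_RISKS = [
    Risk("Clinician laptop", "Theft of device", "Disk not encrypted",
         3, 2, 3, 3, "High", date(2023, 3, 15)),
    Risk("EHR server", "Ransomware", "Patches applied irregularly",
         2, 3, 2, 2, "High", date(2024, 2, 1)),
    Risk("Office building", "Tornado", "Backups kept only on site",
         1, 1, 2, 1, "High", date(2024, 1, 10)),
    Risk("Fax machine", "Misdialled fax", "No recipient confirmation step",
         2, 1, 1, 2, "Low", date(2024, 4, 20)),
]

if __name__ == "__main__":
    for row in register_report(SAMPLE_RISKS, date(2024, 6, 1)):
        flag = " (review overdue)" if row["overdue"] else ""
        print(f"{row['risk']:<6} {row['location']}: {row['threat']} / "
              f"{row['vulnerability']}{flag}")
```

Run as a script, it lists the four constructed entries highest risk first and marks the laptop entry as overdue for review. The point of the structure is the one the text makes: every threat and vulnerability pair gets a likelihood, an impact and a risk level, the factors behind each likelihood are recorded rather than guessed at once, and the register itself tells you when the annual review is due.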
Risk Management – What Next?
Once you’re done with your risk assessment, you have to do something with the results.
To be more specific, the requirement for risk management is to “implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.” A good start is to implement the administrative, physical and technical safeguards of the HIPAA Security Rule; but that’s only a start.
A security risk management checklist is not possible, since the devil is in the details. Instead, implement or improve the ten practices called out by the Section 405(d) Task Group. Beyond that, “what to do” depends on the risk, the existing controls, the practice’s financial and technical resources and other priorities.
Risk management is a comprehensive activity that requires many steps and a skilled eye for details.
Contact Techumen today for help managing your risks.