As a company that handles protected health information (PHI), HIPAA requires you to analyze how you manage risks to your PHI. This is known as a security risk analysis (SRA). The U.S. Department of Health and Human Services says risk analyses are vital to HIPAA compliance. But how often do you need to conduct one, and what does an analysis involve?
What is a HIPAA Security Risk Analysis?
HIPAA says the following:
§164.308(a)(1)(ii)(A) Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
The law seems broad and leaves room for interpretation. However, the first step towards understanding this requirement is to know truth from fiction. Let’s look at a few common myths about SRAs.
Myth: I only need to conduct an SRA once to comply with HIPAA.
Fact: Risk analyses aren’t a checkbox. HIPAA doesn’t set a specific schedule. However, you must conduct an initial SRA and regularly review and update your security measures. Furthermore, if you adopt a new technology, such as an electronic health record (EHR) system, you should complete a full security analysis to find any new risks.
Myth: My EHR takes care of privacy and security, so I don’t need to do an SRA.
Fact: The EHR doesn’t conduct a risk analysis for you. Though EHR vendors can help you use their product, they aren’t responsible for privacy and security compliance. Furthermore, an SRA involves all PHI at your organization, including data that isn’t housed in your EHR. Therefore, you can’t rely on vendors or a single system when it comes to your security risk analysis.
How to Do a Security Risk Analysis
SRAs can feel overwhelming, and you may be tempted to outsource it to vendors. However, vendors can’t help you with all your security efforts. Instead, follow widely-accepted best practices to help you with your security analysis.
Scope the assessment.
First, know why the risk analysis is needed. Is it a routine assessment or a response to a breach? Is there a new technology or system? Next, decide which systems or processes you will include in the analysis.
Next, you’ll need to know where PHI is created, maintained, received, or transmitted. Are there any remote employees or mobile devices holding PHI? What policies and procedures are in place to protect PHI, and do they work?
Find threats and vulnerabilities.
A threat is the potential for someone to exploit vulnerabilities – or weaknesses – in your systems. To combat these, have your IT team run a vulnerability scan to detect flaws that could leave your systems open to cyberattacks. Furthermore, threats and vulnerabilities can come from the physical work environment or from employees themselves. Therefore, make sure you take these into account. Then you’ll need to determine the likelihood of a threat exploiting a vulnerability (ex. A hacker discovering a security hole).
Assess security controls.
Next, ask yourself: are there policies for all of HIPAA’s security requirements, and do they work? Do you have physical controls to protect equipment that houses ePHI? Do you have technical controls to limit ePHI access to only authorized users? Then survey your staff members about how effective the policies, procedures, and controls are.
Next, consider what the overall risk to the privacy and security of your PHI is. Your risk is determined by the threats and vulnerabilities, as well as the policies, procedures, and controls in place to prevent security issues.
Create a plan.
Lastly, create a risk management plan based on what you find in your SRA. This plan should address all threats and vulnerabilities and the measures you will take to reduce risk to an acceptable level.
Risk analysis is only one step towards compliance. The HIPAAtrek platform enables you to implement and manage your entire HIPAA security program through self-assessment, policies and procedures, and training. Learn how HIPAAtrek can simplify your security compliance by requesting a demo or contacting us at firstname.lastname@example.org.
READ MORE: Myth vs. Fact: HIPAA-Compliant Communication