It is important for all organizations that handle Protected Health Information (PHI) to prepare by performing a Risk Analysis to determine the risks to PHI in their organization. By doing so they can prepare to address any vulnerabilities. The Security Rule provides guidance in this matter and should be studied by all interested Privacy Officers.

The HIPAA Security Rule requires all covered entities, such as health plans, healthcare clearinghouses and healthcare providers who electronically transmit PHI, to implement safeguards. In addition, business associates must apply the same security safeguards for the protection of PHI.

Office for Civil Rights Requirements

The Office for Civil Rights has clearly spelled out the steps and requirements for a HIPAA Security Risk Analysis. It requires covered entities to conduct an accurate and thorough assessment of their systems. The assessment must consider potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information held by the organization. This includes all ePHI that is created, received, maintained or transmitted, regardless of the source or location of the ePHI.

Name a Privacy/Security Officer

To effectively complete a HIPAA Risk Assessment, an organization should first appoint a Privacy Officer/Security Officer to guide the process. It is the task of this officer to oversee the structure of the organization and identify the flow of information, in order to get an overall picture of how protected health information may or may not be at risk. It will be important to use the HIPAA Privacy Rule as a guide in performing this task. It is the task of the Privacy Officer to determine how PHI moves within an organization so as to conduct a gap analysis that identifies where potential breaches may occur.

The Requirements under the Security Rule

The Administrative Safeguards in the Security Rule contain a Security Management Process Standard that requires organizations to do the following:

“Implement policies and procedures to prevent, detect, contain, and correct security violations.”

A risk analysis is one of four required implementation specifications that provide instructions to implement the Security Management Process standard. The rule states the following regarding a Risk Analysis:

“Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the organization.”

In accomplishing this task, an organization may consider the following issues:

  • Identify the ePHI within your organization that you have created, maintained or transmitted.
  • Are there any external sources of ePHI created, received or maintained by vendors or consultants?
  • Are there human, natural and environmental threats to the information systems that contain ePHI?

Implementation Specifications

The Rule considers a Risk Analysis as a necessary tool in achieving HIPAA compliance. It requires the use of many standards and implementation specifications.

Within the Rule there are several implementation specifications that are labeled “addressable” and “required.” It is important to recognize that an addressable implementation specification is not an optional item. For example, if an organization determines that the implementation specification is not reasonable and appropriate, the organization must document why it is not reasonable and appropriate and find an equivalent measure, if it is reasonable and appropriate to do so. These addressable implementation specifications cannot simply be ignored.

The outcome of the risk analysis process is a critical factor in assessing whether an implementation specification or an equivalent measure is reasonable and appropriate.

Based on the risk analysis an organization should use the information obtained to accomplish the following:

  • Design appropriate personnel screening processes
  • Identify what data to backup and how
  • Decide whether and how to use encryption
  • Address what data must be authenticated in particular situations to protect data integrity
  • Determine the appropriate manner of protecting health information transmissions

Important Definitions

These are terms one should know as they consider a HIPAA Security Risk Analysis. A complete understanding of these terms will help you to perform a complete Risk Analysis.

Availability means the property that data or information is accessible and useable upon demand by an authorized person.

Confidentiality means the property that data or information is not made available or disclosed to unauthorized persons or processes.

Integrity means the property that data or information have not been altered or destroyed in an unauthorized manner.

Vulnerability is defined as a flaw or weakness in system security procedures, design, implementation, or internal controls that could be accidentally triggered or intentionally exploited and result in a security breach or a violation of the system’s security policy.

  • Vulnerabilities may result in security breaches and inappropriate access or disclosure of ePHI.
  • Vulnerabilities may be grouped into two general categories, technical and non-technical.
  • Non-technical vulnerabilities may include ineffective or non-existent policies, procedures, standards or guidelines.
  • Technical vulnerabilities may include holes, flaws or weaknesses in the development of information systems; or incorrectly implemented and/or configured information systems.

A threat is defined as “the potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.” There are many threats that may occur within an operating environment or the information system an organization operates. Threats may be grouped into general categories such as natural, human, and environmental.

  • Examples of natural threats are floods, earthquakes, tornadoes, and landslides.
  • Human threats may include intentional or unintentional actions. Examples of intentional actions are network and computer-based attacks, malicious software upload, and unauthorized access to e-PHI. Unintentional actions may be inadvertent data entry or deletion and inaccurate data entry.
  • Environmental threats could be power failures, pollution, chemicals, and liquid leakage.

Risk is defined in terms of the possibility that a particular threat will exercise (accidentally trigger or intentionally exploit) a particular vulnerability, and the resulting impact if this should occur.

Risks arise from actions due to the following:

  • Unauthorized (malicious or accidental) disclosure, modification, or destruction of information
  • Unintentional errors and omissions
  • IT disruptions due to natural or man-made disasters
  • Failure to exercise due care and diligence in the implementation and operation of the IT system

Risk can be understood as a function of the likelihood of a given threat triggering or exploiting a particular vulnerability, and the resulting impact on the organization. This means that risk is not a single factor or event, but rather it is a combination of factors or events (threats and vulnerabilities) that, if they occur, may have an adverse impact on the organization.

Elements of a Risk Assessment

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities and their business associates conduct a risk assessment of their healthcare organization. A risk assessment helps your organization ensure it is compliant with HIPAA’s administrative, physical, and technical safeguards. A risk assessment also helps reveal areas where your organization’s protected health information (PHI) could be at risk.

The scope of the risk assessment that the Security Rule requires covers the potential risks and vulnerabilities to the confidentiality, availability and integrity of all e-PHI that an organization creates, receives, maintains, or transmits.

What you must do:

Perform a Risk Assessment using the Security Risk Assessment tool provided by the Office of the National Coordinator for Health Information Technology (ONC), in collaboration with the HHS Office for Civil Rights (OCR).

Electronic Protected Health Information

Safeguard Computers

e-PHI may come in all forms of electronic media, such as hard drives, floppy disks, CDs, DVDs, smart cards or other storage devices, personal digital assistants, transmission media, or portable electronic media.

Electronic media may also include a single workstation as well as complex networks connected between multiple locations. It is important for an organization’s risk analysis to consider all of its e-PHI, regardless of the particular electronic medium in which it is created, received, maintained or transmitted, or the source or location of its e-PHI. In most situations an organization will want to use a specialist in Information Technology and the Security Rule to assist with this analysis.

Collect & Analyze the Data

Identify where PHI is stored, received, maintained or transmitted

An organization must identify where the e-PHI is stored, received, maintained or transmitted. A good way to gather important data is by reviewing past and/or existing projects, performing interviews, reviewing documentation or using other data gathering techniques. It is important to record all the data related to e-PHI that is gathered using these methods.

Identify and Document Potential Threats and Vulnerabilities

Organizations may identify different threats based on the circumstances of their particular environment. Organizations must also identify and document vulnerabilities which, if triggered or exploited by a threat, would create a risk of inappropriate access to or disclosure of e-PHI.

Assess current security measures used to safeguard PHI and whether they are used properly

Organizations should assess and document the security measures an entity uses to safeguard e-PHI, whether security measures required by the Security Rule are already in place, and if current security measures are configured and used properly.

The security measures implemented to reduce risk will vary among organizations. There may be a great difference between the measures a small organization uses compared to those of a larger organization. The appropriate measures required to decrease the likelihood of risk to the confidentiality, availability and integrity of e-PHI will vary depending on the size of the organization.

Determine the Likelihood of Threat Occurrence

The Security Rule requires organizations to consider the probability of potential risks to e-PHI. The combination of this likelihood assessment and the list of threats will determine which threats require attention.

This evaluation will allow the documentation of all threat and vulnerability combinations. This will also include the likelihood they may impact the confidentiality, availability and integrity of e-PHI of an organization.

Determine the Potential Impact of Threat Occurrence

The Rule also requires the organization to determine the potential impact of a breach of PHI.

It is important to define the “criticality,” of potential risks to confidentiality, integrity, and availability of e-PHI. An organization must determine the impact resulting from a threat triggering or exploiting a specific vulnerability.

This process should result in the documentation of all potential impacts associated with the occurrence of threats triggering or exploiting vulnerabilities that affect the confidentiality, availability and integrity of e-PHI within an organization.

Determine the Level of Risk

Organizations should categorize all threats and vulnerabilities identified by the risk analysis. This may be accomplished by combining the likelihood of a threat occurrence with the resulting impact to the organization.

The results of this analysis should include the assigned risk levels and a list of corrective actions to be performed to mitigate each risk.
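As an added example (not from HHS or from this page), the following Python sketch shows one way to record threat/vulnerability pairs and combine each pair's likelihood and impact into an assigned risk level and a prioritized list of corrective actions, as the preceding steps describe. The three-level scales, the score bands and the sample entries are assumptions of this example; the Security Rule prescribes none of them.

```python
"""Qualitative risk-level scoring for a HIPAA risk analysis (added example)."""
from dataclasses import dataclass

# Ordinal scales. These three-level scales are an assumption of this example;
# the Security Rule does not prescribe a scale, so document whatever you adopt.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class ThreatVulnPair:
    threat: str              # natural, human or environmental threat
    vulnerability: str       # technical or non-technical weakness it exercises
    asset: str               # where the affected ePHI is created, stored or sent
    affects: tuple           # subset of ("confidentiality", "integrity", "availability")
    likelihood: str          # key of LIKELIHOOD
    impact: str              # key of IMPACT
    corrective_action: str   # measure proposed to mitigate the risk


def risk_score(pair: ThreatVulnPair) -> int:
    """Likelihood times impact, giving a product in the range 1..9."""
    return LIKELIHOOD[pair.likelihood] * IMPACT[pair.impact]


def risk_level(score: int) -> str:
    """Band the 1..9 product into a level; the band edges are this example's choice."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def build_register(pairs) -> list:
    """Return one row per pair with its score and level, highest risk first."""
    rows = [{"threat": p.threat, "vulnerability": p.vulnerability, "asset": p.asset,
             "affects": p.affects, "score": risk_score(p),
             "level": risk_level(risk_score(p)), "action": p.corrective_action}
            for p in pairs]
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample entries, mirroring the threat categories named on the page.
SAMPLE_PAIRS = [
    ThreatVulnPair("ransomware via phishing", "no patch management policy; unpatched workstations",
                   "billing workstations", ("availability", "integrity"), "high", "high",
                   "adopt patch policy; deploy endpoint protection; test restores"),
    ThreatVulnPair("lost laptop", "unencrypted laptop hard drive", "clinician laptops",
                   ("confidentiality",), "medium", "high", "full-disk encryption; asset inventory"),
    ThreatVulnPair("regional flood", "single on-site server room", "EHR server",
                   ("availability",), "low", "high", "off-site backup; contingency plan"),
    ThreatVulnPair("inaccurate data entry", "no validation on intake form", "patient intake system",
                   ("integrity",), "medium", "low", "input validation; periodic record review"),
]
```

Calling `build_register(SAMPLE_PAIRS)` yields the register sorted so the ransomware and lost-laptop entries (both "high") come first, which is the order in which the listed corrective actions should be scheduled.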

Finalize Documentation of Risk Analysis

The Security Rule requires the risk analysis to be documented but does not require a specific format. When completed, the risk analysis should be included in the risk management process.

Periodic Review and Updates to the Risk Assessment

The risk analysis process should be ongoing. The Security Rule requires an organization to conduct a continuous risk analysis to determine when updates are required. The Security Rule does not specify how frequently to perform risk analysis as part of a comprehensive risk management process. The frequency of performance will vary among covered entities. This could be anywhere from annually to every three years, depending on the size of the organization and the complexity of the system.

In order to address risks it is best to perform a risk analysis any time new technology and business operations are planned. This should be included within the ongoing management process.

If it is determined that existing security measures are not sufficient to protect against the risks associated with the evolving threats or vulnerabilities, a changing business environment, or the introduction of new technology, then the entity must determine if additional security measures are needed. In order for a covered entity to reduce the risk to ePHI it is essential to perform a risk analysis and adjust the risk management processes to address risk in a timely manner.

In Summary

A Risk Analysis is the first step in an organization’s Security Rule compliance efforts. Risk analysis is an ongoing process that should provide the organization with a detailed understanding of the risks to the confidentiality, integrity, and availability of e-PHI. In some situations an organization may choose to start with a HIPAA Gap Analysis, as it may give an overview of the existing risks to ePHI. This will not replace the Risk Analysis, as it gives only a limited assessment of risk, but it remains a good starting point on the road to compliance.

To achieve the objectives of a HIPAA Risk Analysis, the HHS-OCR recommends the following:

  • Identify where PHI is stored, received, maintained or transmitted.
  • Identify and document potential threats and vulnerabilities.
  • Assess current security measures used to safeguard PHI.
  • Assess whether the current security measures are used properly.
  • Determine the likelihood of a “reasonably anticipated” threat.
  • Determine the potential impact of a breach of PHI.
  • Assign risk levels for vulnerability and impact combinations.
  • Document the assessment and take action where necessary.

Our information comes directly from the United States Department of Health and Human Services. Please check our source.

Understanding a HIPAA Gap Analysis

The HIPAA Rule does not require a HIPAA Gap Analysis, but it can be helpful in understanding the risks in your organization. The Gap Analysis is usually a limited evaluation of a covered entity’s or business associate’s organization to reveal whether certain policies, controls or safeguards required by HIPAA are in place. The HIPAA Gap Analysis should begin with a review of all policies, procedures, processes, practices and systems. It must investigate all facilities that relate to privacy, uses and disclosures of PHI.

Gap Analysis Insufficient for Security Rule

A Gap Analysis does not satisfy the Security Risk Analysis requirement. It does not provide an accurate and thorough analysis of the threats and vulnerabilities to all of the ePHI an entity creates, receives, maintains or transmits. Consequently, the gap analysis is not equivalent to the risk analysis as it does not satisfy the rule as specified by 45 C.F.R. 164.308(a)(ii)(A). A Gap Analysis may be a starting point to determine the risks involved in your organization.

Therefore, it is important to identify your covered entity’s needs and determine whether you require a Gap Analysis or a Risk Analysis. Ensure that the vendor you engage is qualified to perform the specific type of analysis that you need.