What You Need to Know About HIPAA Risk Assessments
The Health Insurance Portability and Accountability Act (HIPAA) describes how organizations that store, process, maintain, or transmit Personal Health Information (PHI) must handle this sensitive information.
HIPAA is composed of the Privacy Rule, the Security Rule, and the Breach Notification Rule, which collectively mandate how patient privacy must be ensured and how sensitive health data must be protected.
One component of HIPAA is the requirement for organizations to regularly perform risk assessments regarding their management of PHI and take action to correct any issues that may cause exposure of sensitive data.
Why Do I Need a HIPAA Risk Assessment?
Risk assessments are a necessary part of maintaining compliance with the HIPAA Privacy and Security rules. HIPAA outlines a set of minimum requirements for protecting the privacy and security of Personal Health Information (PHI).
The Office for Civil Rights (OCR) oversees HIPAA compliance. The OCR has begun issuing fines for potential breaches of PHI where an OCR audit identifies security weaknesses that could lead to a breach but have not yet been discovered or exploited by an attacker.
These fines have been issued if an organization has failed to perform a risk assessment or if the risk assessment performed overlooked these vulnerabilities.
This is why it’s important to conduct a thorough risk assessment performed by an informed and reputable professional.
Even if an organization is not a Covered Entity, as defined by HIPAA, it may be subject to HIPAA regulations. Any organization that stores, processes, or transmits PHI is subject to HIPAA regulations, including business associates, consultants, and vendors.
If you are unsure if the data processed by your organization qualifies as PHI and is therefore protected by HIPAA, reach out for a consultation.
Understanding HIPAA Risk Assessments
When conducting a HIPAA Risk Assessment, you must consider the requirements within the Privacy, Security, and Breach Notification Rules. Here is an explanation of each:
Privacy Rule Intent and Considerations
The HIPAA Privacy Rule identifies the ways that PHI moves through and is stored within an organization and identifies potential ways by which this information could be revealed to unauthorized parties.
HIPAA specifies seven criteria for a risk assessment that complies with the requirements of the Privacy Rule. In order to comply with the Privacy Rule, a risk assessment should investigate how the following are managed within an organization:
- Notice of privacy policies for PHI
- Rights to request privacy protection for PHI
- Access of individuals to PHI
- Administrative requirements
- Uses and disclosures of PHI
- Amendment of PHI
- Accounting of disclosures
While performing a HIPAA risk assessment, it is important for the Privacy Officer to consider all uses of PHI within the organization and how both intentional and unintentional data flows may affect the privacy of patient information.
Security Rule Intent and Considerations
The HIPAA Security Rule establishes a national set of security standards for protecting health information that is possessed or transmitted in electronic form (referred to as ePHI). The Security Rule does not dictate how organizations implement their security controls, but requires them to consider the following as it pertains to their business:
- Size, complexity, and capabilities
- Technical, hardware, and software infrastructure
- Costs of security measures
- Likelihood and potential impact of risks to ePHI
Affected entities range from the smallest provider to the largest multi-state health plan. Therefore, the Security Rule allows flexibility in the most reasonable and appropriate application of security controls, depending on the organization’s size and resources.
That being said, no matter how small the practice, doing nothing is not an option.
Breach Notification Rule Intent and Considerations
The HIPAA Breach Notification Rule requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. HHS defines a breach as an impermissible use or disclosure under the Privacy Rule that compromises the security and privacy of the PHI.
Following a breach, covered entities must provide notification to affected individuals, the Secretary, and, in certain cases, the media. In addition, business associates must notify covered entities if a breach occurs at or by the business associate.
Notification requirements are governed by the number of records. Breaches of 500 or more individuals require immediate notification to the Secretary and a media outlet. Any breach requires notification of the affected individuals.
To see a list of breaches since the inception of the Rule, check out the HHS Wall of Shame.
Performing a HIPAA Risk Assessment
HHS provides resources for determining if your organization is compliant with HIPAA regulations. The Security Risk Assessment tool provides questions designed to help an organization identify the shortcomings in their security policy.
HHS also publishes an audit protocol that describes the requirements that must be met to comply with the Privacy and Security Rules.
The main difficulty in performing a HIPAA risk assessment in-house is the number and detail of the requirements that must be fulfilled for HIPAA compliance. While these tools can help with identifying shortcomings, they do not help with designing and tailoring a remediation strategy to meet an organization’s specific needs.
Sword & Shield has a team of HIPAA experts who are experienced in performing HIPAA risk assessments and designing and implementing mitigation strategies to correct identified vulnerabilities. If the HIPAA regulations apply to your organization, reach out to find out how Sword & Shield can help protect you from being fined for HIPAA non-compliance.
Read about how Sword & Shield helped a software development company achieve HIPAA compliance. Download the case study!