Introduction

Risk analysis is the most acute HIPAA compliance problem that the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) investigates. An inaccurate or incomplete analysis can lead to serious security breaches and steep monetary penalties.
But risk analysis can be difficult to implement, especially if your IT department doesn’t have the people or time to spare. The risk assessment template provided here can help you perform a complete and accurate audit of your ePHI security risks so you can put the appropriate mitigation measures in place.

What is a HIPAA risk assessment?

A HIPAA risk assessment helps organizations identify and evaluate threats to the security of electronic protected health information (ePHI), including the risk of unauthorized disclosure that the Privacy Rule prohibits. If your organization creates, receives, maintains, or transmits ePHI, even using a certified electronic health record (EHR) system, you must assess your security risks to ensure that you have taken the best steps possible to protect your ePHI. Once you identify those risks, you must implement administrative, physical, and technical safeguards to maintain compliance with the HIPAA Security Rule. As health care entities work to achieve compliance with HIPAA, risk analysis and risk management tools can be invaluable; they often enable you to protect the confidentiality, integrity, and availability of your ePHI more effectively and efficiently than you could with manual processes.

Tailoring a risk assessment to your organization

HIPAA risk assessment requirements allow you to tailor the assessment to your organization’s environment and circumstances, including:
Implementation specifications: required versus addressable

A HIPAA risk assessment will involve many implementation specifications, which are detailed instructions for satisfying a given standard. Some are required, while others are addressable:
You cannot refuse to adopt an implementation specification based solely on cost.

Key terminology

Here are definitions for terms common to HIPAA, adapted from NIST 800-30:
Steps in Risk Analysis

NIST 800-30 details the following steps for a HIPAA-compliant risk assessment:

Step 1. Determine the scope of the analysis.

A risk analysis considers all ePHI, regardless of the electronic medium used to create, receive, maintain or transmit the data, or the location of the data. It covers all reasonably anticipated risks and vulnerabilities to the confidentiality, integrity, and availability of your ePHI.

Step 2. Gather complete and accurate information about ePHI use and disclosure.

This process includes:
You may have already completed this step to comply with the HIPAA Privacy Rule, even though it was not directly required.

Step 3. Identify potential threats and vulnerabilities.

Review the gathered data and consider what types of threats and vulnerabilities exist for each piece of information.

Step 4. Assess your current security measures.

Document the measures you have already implemented to mitigate risks to your ePHI. These measures can be technical or non-technical:
Then analyze whether the configuration and use of those security measures are appropriate.

Step 5. Determine the likelihood of threat occurrence.

Assess the probability that a threat will trigger or exploit a specific vulnerability. Consider each threat and vulnerability combination, and rate it according to the likelihood of an incident. Common rating methods include labeling each risk as High, Medium, or Low, or assigning a numeric weight that expresses the likelihood of occurrence.

Step 6. Determine the potential impact of threat occurrence.

Consider the possible outcomes of each data threat, such as:
Estimate the impact of each outcome. Measures can be qualitative or quantitative. Document all reasonable impacts and the ratings associated with each outcome.

Step 7. Determine the level of risk.

Analyze the values assigned to the probability of each threat occurrence and to its impact. Assign the risk level based on the average of the assigned probability and impact levels.

Step 8. Identify appropriate security measures and finalize the documentation.

Identify the possible security measures you could use to reduce each risk to a reasonable level. For each measure, consider:
Document all findings to complete your risk assessment.

Below is a HIPAA risk assessment template with a description and an example for each section. This is a general template that you will need to adapt to your organization’s specific needs. All company and personal names used in this template are fictional and are used solely as examples.

1. Introduction

Explain the reason for the document.

This document outlines the scope and approach of the risk assessment for Allied Health 4 U, Inc. (hereafter referred to as Allied Health 4 U). It includes the organization’s data inventory, threat and vulnerability determination, security measures, and risk assessment results.

1.1 Purpose

State why you need a risk assessment.

The purpose of the risk assessment is to identify areas of potential risk, assign responsibilities, characterize the risk mitigation activities and systems, and guide corrective action procedures to comply with the HIPAA Security Standard.

1.2 Scope

Document the flow of patient data within your organization. Describe all system components, elements, field site locations, users (including use of a remote workforce) and any additional details about the EHR system. Document and define your IT systems, components and information, including removable media and portable computing devices.

The scope of this document includes the technical, physical and administrative processes governing all ePHI received, created, maintained or transmitted by Allied Health 4 U. The goal is to assess and analyze the use of resources and controls, both planned and implemented, to eliminate, mitigate or manage the exploitation of vulnerabilities by internal and external threats to the electronic health records (EHR) system. Allied Health 4 U serves the needs of patients and practitioners at Medical City in Regency Park, IL. The related medical center provides the primary internet firewall and basic physical security for the facility.
The organization provides all other technology and security needs for Allied Health 4 U, Inc. Allied Health 4 U uses laptops, tablets and desktop PCs to access patient ePHI. Remote access from outside Allied Health 4 U is strictly prohibited. Three servers are located in a locked server room with video surveillance enabled.

2. Risk Assessment Approach

Define the methods you use to perform the risk assessment.

Allied Health 4 U performs the risk assessment by inventorying all physical devices and electronic data created, received, maintained or transmitted by the organization; interviewing users and administrators of the EHR system; and analyzing system data to determine potential vulnerabilities and threats to the system.

2.1 Participants

Identify the participants, such as all IT staff and management, responsible for or interacting with the EHR. Include a list of participants' names and roles, such as Chief Information Officer or Asset Owner.

The ePHI security officer and the Risk Management Team are responsible for maintaining and executing the ePHI security risk analysis and risk management process for Allied Health 4 U.
2.2 Techniques Used to Gather Information

List the methods used to identify and inventory ePHI data, physical devices, processes and procedures.

The following techniques are used to gather information for the risk assessment:
2.3 Development and Description of the Risk Scale

Describe when risk assessments are performed, the risk-level matrix in use, how risks are determined, and a risk classification with at least three levels.

Allied Health 4 U conducts risk assessments at the following times:
Use the following risk matrix to determine the scale of the risk:
Risk scale:
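As an added illustration (not part of the original template) of the likelihood and impact scoring described in Steps 5 to 7 and of the three-level risk scale that section 2.3 calls for, the following Python script rates a small constructed register of threat and vulnerability pairs for the fictional Allied Health 4 U scope. The High/Medium/Low numeric weights, the averaging formula and the level thresholds are assumptions of the example:

```python
from dataclasses import dataclass

# Assumed numeric weights for the High/Medium/Low ratings (not from the template).
RATING = {"Low": 1, "Medium": 2, "High": 3}

@dataclass(frozen=True)
class RiskEntry:
    threat: str             # Step 3: who or what could act
    vulnerability: str      # Step 3: the weakness the threat could exploit
    likelihood: str         # Step 5 rating: Low, Medium or High
    impact: str             # Step 6 rating: Low, Medium or High
    existing_controls: str  # Step 4: measures already in place

def risk_score(likelihood: str, impact: str) -> float:
    """Step 7: average of the likelihood and impact weights."""
    for rating in (likelihood, impact):
        if rating not in RATING:
            raise ValueError(f"unknown rating {rating!r}; use Low, Medium or High")
    return (RATING[likelihood] + RATING[impact]) / 2

def risk_level(score: float) -> str:
    """Three-level classification; the thresholds are an assumption."""
    if score >= 2.5:
        return "High"
    if score >= 1.5:
        return "Medium"
    return "Low"

def assess(register):
    """Score each entry and return (entry, score, level) ranked highest first."""
    rows = [(e, risk_score(e.likelihood, e.impact)) for e in register]
    rows.sort(key=lambda r: (-r[1], r[0].threat))
    return [(e, s, risk_level(s)) for e, s in rows]

# Constructed sample register for the fictional Allied Health 4 U scope.
SAMPLE_REGISTER = [
    RiskEntry("Lost or stolen laptop", "ePHI stored unencrypted on the local disk",
              "Medium", "High", "Asset inventory; no full-disk encryption"),
    RiskEntry("Ex-employee", "EHR accounts not disabled at termination",
              "High", "High", "Manual offboarding checklist"),
    RiskEntry("Unauthorized entry to server room", "Door propped open during maintenance",
              "Low", "High", "Locked room with video surveillance"),
    RiskEntry("Hardware failure", "Backups never restore-tested",
              "Medium", "Medium", "Nightly backup job"),
]

if __name__ == "__main__":
    for entry, score, level in assess(SAMPLE_REGISTER):
        print(f"{level:6} {score:.1f}  {entry.threat}: {entry.vulnerability}")
```

Note that averaging gives a Low-likelihood, High-impact pair the same score as a Medium/Medium pair, so review the ranked list rather than relying on the score alone.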
3. System Characterization

Identify the boundaries of the IT system under consideration and the resources and information making up the system. Characterization establishes the scope of the risk assessment effort, shows the authorization or accreditation pathway, and provides information on connectivity, responsibility and support.

The Allied Health 4 U EHR system comprises all laptops, desktops, tablets, servers and the ePHI contained therein.

3.1 System-Related Information

Provide related information and a brief description of the processing environment.
3.2 System Users

Describe who uses the system, including details on user location and level of access.
3.3 Data Inventory

Document all ePHI and where it is stored, received, maintained, or transmitted.
4. Threats and Vulnerabilities

List all credible threats and vulnerabilities to the system being assessed. Often, you can provide a brief description here and provide the detailed results in an appendix or a separate spreadsheet.

4.1 Threat Identification

Develop a catalog of reasonably anticipated threats. Your most significant concern is human threats from ex-employees, criminals, vendors, patients or anyone else with motivation, access and knowledge of the system.
4.2 Vulnerability Identification

List all technical and non-technical system vulnerabilities that potential threats could trigger or exploit. Include incomplete or conflicting policies and procedures, insufficient safeguards (both physical and electronic), and other flaws or weaknesses in any part of the system.

Allied Health 4 U identifies the following vulnerabilities:
4.3 Security Measures

Document and assess the effectiveness of all technical and non-technical controls that are currently implemented or planned to mitigate risk.
5. Risk Assessment Results

Describe the observations (the vulnerabilities and the threats that can trigger them), measure each risk, and offer recommendations for control implementation or corrective action. The detailed results are often better presented in an appendix or a separate spreadsheet.
6. Revision History

Track all changes to your HIPAA risk assessment.