To comply with the HIPAA Security Rule, Covered Entities and Business Associates are required (45 CFR § 164.306) to conduct a risk assessment to determine the threats to the security of their ePHI and then implement measures to protect against these threats and prevent any disclosure of information that is not permitted by the Privacy Rule. Entities that have not performed a Risk Assessment and then suffered a breach have paid as much as $1.5 million in fines.
A risk assessment should be tailored to the covered entity's own circumstances and operating environment. HHS OCR has released guidance on conducting a Risk Assessment, and that guidance lists 9 elements to include.
1. Scope of analysis
A Covered Entity or Business Associate should account for potential risks and vulnerabilities to the confidentiality, availability, and integrity of all ePHI that an organization creates, receives, maintains, or transmits in any form and/or location.
2. Data collection
Identify where the ePHI is stored, received, and maintained by reviewing past and/or existing projects.
3. Identify and document potential threats and vulnerabilities
Identify and document reasonably anticipated threats to ePHI and vulnerabilities which, if exploited, would result in disclosure of ePHI.
4. Assess current security measures
Assess and document the security measures an organization uses to safeguard ePHI, whether security measures required by the Security Rule are already in place, and if current security measures are configured and used properly to address the threat or vulnerability.
5. Determine the likelihood of threat occurrence
Consider the probability of potential risks to ePHI and document all threat and vulnerability combinations with associated likelihood estimates that may impact the confidentiality, availability, and integrity of ePHI of an organization.
6. Determine the potential impact of threat occurrence
Assess the magnitude of the potential impact resulting from a threat triggering or exploiting a specific vulnerability and document all potential impacts associated with the occurrence of threats triggering or exploiting vulnerabilities that affect the confidentiality, availability, and integrity of ePHI within an organization.
7. Determine the level of risk
Assign risk levels for all threat and vulnerability combinations identified during the risk analysis. The level of risk could be determined, for example, by analyzing the values assigned to the likelihood of threat occurrence and the resulting impact of threat occurrence. Document assigned risk levels and a list of corrective actions to be performed to mitigate each risk level.
8. Update documentation
Risk Assessments are required to be documented. In addition, any remediation that was performed to address the items uncovered in the Risk Assessment should also be documented.
9. Periodic review and updates to the risk analysis
Ideally, an entity should perform ongoing analysis to identify any new issues that may have arisen. While the Security Rule does not specify how frequently a risk analysis must be performed, responsibility for remaining compliant rests entirely with the entity, and more frequent analysis is the better way to surface issues the entity may not yet be aware of.
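As an added worked example (not part of the HHS guidance or Iron Comet's own process), the following script carries steps 2 through 8 above through a small risk register: each threat/vulnerability pair is rated for likelihood and impact, the two values are combined into a risk level, and the register is emitted highest risk first with its corrective action. The 1-3 scales, the level thresholds, and the sample entries are all constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed 1-3 ordinal scales; the HHS guidance leaves the scale to the entity.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}

@dataclass
class RiskItem:
    asset: str                # step 2: where the ePHI is stored/received/maintained
    threat: str               # step 3: reasonably anticipated threat
    vulnerability: str        # step 3: weakness the threat could exploit
    safeguard_in_place: bool  # step 4: required safeguard present and configured?
    likelihood: str           # step 5
    impact: str               # step 6
    corrective_action: str    # step 7: documented mitigation

def risk_score(item: RiskItem) -> int:
    """Step 7: combine likelihood and impact (product of the two scales)."""
    if item.likelihood not in LIKELIHOOD or item.impact not in IMPACT:
        raise ValueError(f"unrated entry: {item.asset} / {item.threat}")
    return LIKELIHOOD[item.likelihood] * IMPACT[item.impact]

def risk_level(score: int) -> str:
    """Map the 1-9 score to a risk level (thresholds are an assumption)."""
    return "high" if score >= 6 else "medium" if score >= 3 else "low"

def build_register(items: list) -> list:
    """Step 8: the documented register, highest risk first; entries with a
    missing safeguard sort ahead of peers with the same score."""
    rows = [{"asset": it.asset, "threat": it.threat, "score": risk_score(it),
             "level": risk_level(risk_score(it)),
             "safeguard_gap": not it.safeguard_in_place,
             "action": it.corrective_action} for it in items]
    rows.sort(key=lambda r: (-r["score"], not r["safeguard_gap"]))
    return rows

# Constructed sample entries for illustration only.
SAMPLE = [
    RiskItem("clinic laptops", "loss or theft", "disk not encrypted", False,
             "high", "high", "deploy full-disk encryption; verify on every device"),
    RiskItem("EHR file server", "ransomware", "backups never restore-tested", True,
             "medium", "high", "quarterly restore tests; keep an offline copy"),
    RiskItem("billing workstation", "unauthorized viewing", "shared login", True,
             "medium", "low", "individual accounts; enforce screen lock"),
]

if __name__ == "__main__":
    for r in build_register(SAMPLE):
        print(f'{r["level"]:6} {r["score"]} {r["asset"]}: {r["action"]}')
```

An entry that was never rated raises rather than silently scoring zero, so gaps in step 5 or 6 show up before the register is filed.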
HHS has made it clear that cost alone is not a sufficient basis for refusing to adopt a standard or an addressable implementation specification.
In addition, if you are attesting under MIPS, a Risk Assessment is also required. Some entities have attested without having a Risk Assessment in place and suffered large fines.
For more information on risk analysis, please head over to the U.S. Department of Health & Human Services.
If you would like more information on how Iron Comet can help you with your own HIPAA Risk Assessment, please contact us at 770-506-4383.