HIPAA Risk Assessment and Remediation
Credit card data is typically the first thing people think of when they hear about a data breach. While losing your financial information is certainly a serious concern, healthcare and other personal data are just as important. According to HIPAA, all such data, including credit cards, is considered Protected Health Information (PHI) and any organization that collects such data is required to keep it as secure as possible.
Though the possibility for sensitive data loss varies from company to company, performing a HIPAA risk analysis allows any organization to identify weak spots and begin making plans to ensure data security.
Why HIPAA Risk Assessments are Necessary
The Department of Health & Human Services (HHS) requires all organizations it covers to conduct a HIPAA security risk analysis. By performing this HIPAA security assessment, an organization can ensure it is compliant with HIPAA’s administrative, physical, and technical safeguards and other requirements. Some of these safeguards and requirements include:
- Assigned security responsibility
- Information access management
- Security incident procedures
- Facility access controls
- Device and media controls
- Audit controls
- Person or entity authentication
- Requirements for Group Health plans
- Policies, procedures, and documentation requirements
The full list of HHS security standards, including detailed safeguards and requirements, can be viewed on here.
Through performing a HIPAA security assessment, organizations can identify gaps in compliance, respond to immediate risks, and take preventative measures to protect against future risks. While the HHS Security Standards Guide outlines components of a risk analysis, the guide can be intimidating or difficult to fully understand.
Obtaining an assessment through a third party can allow an organization to see their HIPAA risks in an easy-to-approach, easy-to-understand way. Strategic Management offers assessment services that evaluate an organization’s compliance with the following:
- HIPAA Security and Privacy Rules requirements
- Overall data security measures
Components of HIPAA Risk Analysis
The HHS requires a HIPAA Risk Analysis to include the following 7 components:
- Scope of the Analysis. All electronic devices an organization uses to create, receive, maintain or transmit electronic Protected Health Information (ePHI) portable media, desktops and networks should be included in the risk analysis. This includes an overview of network security between multiple locations, a spot particularly vulnerable to cybercriminals.
- Data Collection and Storage. This section of the report reviews how electronic Protected Health Information (ePHI) is received, collected, and stored, determining whether data collection and storage is compliant with HHS regulations.
- Potential Threats & Risks. This section identifies potential vulnerabilities to an organization’s data management, such as network and computer-based attacks (malicious software uploads or unauthorized access to ePHI); unintentional errors (such as inadvertent or inaccurate data entry or deletion); and IT disruptions (like those due to power failures, environmental disasters, or other scenarios where data access would be inhibited).
- Current Security Measures. This section reviews an organization’s security measures to protect sensitive data from potential threats and risks. These security measures can be both technical security measures (such as encryption, two-factor authentication, and other technology-based measures) and non-technical (such as organizational policies, procedures, standards, guidelines, and accountability).
- Likelihood of Threat Occurrence. Through reviewing current security measures and potential threats, this section estimates the likelihood of a security breach or other vulnerability that could put ePHI at risk. This section classifies potential threats as high, medium, or low risk, giving management a clear understanding of which threats need to be addressed first.
- Potential Impact of Threat Occurrence. This sections reviews potential threats to explain the maximum impact of a threat occurrence (usually in terms of cost and lost time), how many people would be affected, and the kinds of information would be exposed. This can help inform responses based on the kinds of data (for example medical records would reveal different data than billing/payment information and thus require a different response).
- Determine the Level of Risk. Finally, HIPAA risk management requires understanding the level of risk an organization faces. This information is determined from data produced in sections 5 and 6 of the report. The conclusions in this section can be qualitative or quantitative; the HIPAA risk analysis report does not require a specific type of conclusion, allowing the report to be tailored to the specific needs of an organization.
A properly conducted HIPAA Assessment will allow organization management to easily understand potential threats to sensitive data and what actions are required to reduce the risk of data loss.
HHS recommends organizations conduct a risk analysis periodically. Ideally, a risk analysis will be completed whenever a company implements or plans to adopt new technology or business operations. For example, a new report should be produced when a company switches data storage methods from managed servers to cloud computing, or if a company experiences any ownership or key staff turnover.
HIPAA Security Assessment and HIPAA Risk Management Services
Are you wondering about your organization’s data risks and in need of a current HIPAA security risk analysis? Contact the Strategic Management team at (703) 683-9600 or through our online form. We can help you understand the specific steps your organization needs to take to be HIPAA compliant.