Privacy and Security Update: Risk Analysis for Health Care Professionals

January 31, 2013 Cathy Bryant

Did you know that HIPAA requires health care providers to conduct a risk analysis?

Two sets of rules were adopted to implement the provisions of HIPAA: the Privacy Rule and the Security Rule. The Privacy Rule applies to all forms of protected health information — oral, written, or electronic. The Security Rule applies only to electronic protected health information (ePHI).

Under the Security Rule, covered entities are required to conduct a risk analysis of ePHI exposures. A risk analysis is defined as “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.” A requirement of the Security Management Process standard in the Security Rule states that all covered entities must “implement policies and procedures to prevent, detect, contain, and correct security violations.” (1)

Your practice could be at risk for violations of the Security Rule if you:

  • create, store, or transmit ePHI (an electronic health record, but also practice management or billing software, e-mail, and laptops or other portable devices);
  • have not conducted and documented a risk analysis; and
  • are audited or investigated for compliance with HIPAA.

While the Security Rule does not prescribe a required methodology for a risk analysis, below are three options to consider.

OPTION 1

One simple way to start is to print a copy of the HIPAA Security Matrix, found on pages 10-11 of Security 101 For Covered Entities available at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/security101.pdf.

Physicians, office staff, and IT support personnel can make notes in the margins of what they are currently doing and what may need work. Notes should be maintained in an easily retrievable format, such as a three-ring binder or a shared folder on the network, so they can be produced if the practice is audited.

OPTION 2

The second option is based on HIPAA Security Series #6 – Basics of Risk Analysis and Risk Management. The steps below provide a guide for physicians and key staff to conduct a risk analysis. For each step, the publication provides more details on calls to action.

Step 1. Identify the scope of the analysis

Step 2. Gather data

Step 3. Identify and document potential threats and vulnerabilities

Step 4. Assess current security measures

Step 5. Determine the likelihood of threat occurrences

Step 6. Determine the potential impact of threat occurrence

Step 7. Determine the level of risk

Step 8. Identify security measures and finalize documentation (1)

More information on each step can be found in the publication itself: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/riskassessment.pdf.
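Steps 5 through 7 above are where the notes gathered in Steps 1 through 4 turn into a ranked list. As an added illustration (not part of the original article or the HHS publication), the following Python builds a small risk register for a constructed practice inventory and scores each item with the sample likelihood/impact matrix from the NIST guide cited in Option 3. The scale values (likelihood 0.1/0.5/1.0, impact 10/50/100, risk bands Low 1-10, Medium above 10 to 50, High above 50) are taken from that guide's example; the assets, threats, vulnerabilities, and controls are made up for this example.

```python
"""Risk register for a constructed ePHI inventory (added example, not TMLT or HHS code).

Scoring follows the sample likelihood/impact matrix in NIST SP 800-30,
Risk Management Guide for Information Technology Systems.  All findings
below are constructed for illustration.
"""
from dataclasses import dataclass

# NIST SP 800-30 sample scales (assumption: the guide's example values).
LIKELIHOOD = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT = {"Low": 10, "Medium": 50, "High": 100}


def risk_level(likelihood: str, impact: str) -> tuple[float, str]:
    """Step 7: combine likelihood and impact into a score and a Low/Medium/High level.

    Bands from the NIST sample matrix: Low 1-10, Medium >10-50, High >50-100.
    """
    score = round(LIKELIHOOD[likelihood] * IMPACT[impact], 2)
    if score > 50:
        level = "High"
    elif score > 10:
        level = "Medium"
    else:
        level = "Low"
    return score, level


@dataclass(frozen=True)
class Finding:
    """One row of the register: Steps 3 and 4 (threat, vulnerability, current control)
    plus the Step 5 and 6 ratings, which already take the current control into account."""
    asset: str
    threat: str
    vulnerability: str
    current_control: str
    likelihood: str          # "Low", "Medium" or "High"
    impact: str              # "Low", "Medium" or "High"
    recommended_control: str  # Step 8 candidate measure


# Constructed inventory for a small practice (Steps 1-6 done by hand).
FINDINGS = [
    Finding("Laptop with ePHI", "Theft from vehicle", "Disk not encrypted",
            "Windows password only", "High", "High", "Full-disk encryption"),
    Finding("EHR server", "Ransomware via phishing e-mail", "No tested offline backups",
            "Antivirus only", "Medium", "High", "Offline backups with restore test"),
    Finding("Billing system", "Access by former employee", "Accounts not disabled at termination",
            "Shared login", "High", "Medium", "Termination checklist, unique accounts"),
    Finding("Fax / e-mail", "Misdirected transmission", "Recipient not verified",
            "Annual staff training", "Medium", "Low", "Recipient verification step"),
]


def rank_findings(findings: list[Finding]) -> list[tuple[float, str, Finding]]:
    """Score every finding and return them highest risk first (ties keep input order)."""
    scored = [(*risk_level(f.likelihood, f.impact), f) for f in findings]
    return sorted(scored, key=lambda row: row[0], reverse=True)


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per risk level, for the summary page of the documentation."""
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for _, level, _ in rank_findings(findings):
        counts[level] += 1
    return counts


def remediation_plan(findings: list[Finding]) -> list[tuple[str, str, str]]:
    """Step 8: (asset, level, recommended control) for every non-Low finding, in rank order."""
    return [(f.asset, level, f.recommended_control)
            for _, level, f in rank_findings(findings) if level != "Low"]


if __name__ == "__main__":
    for score, level, f in rank_findings(FINDINGS):
        print(f"{score:6.1f} {level:6} {f.asset:18} {f.threat} / {f.vulnerability}")
    print(summarize(FINDINGS))
    for asset, level, control in remediation_plan(FINDINGS):
        print(f"[{level}] {asset}: {control}")
```

Keep the register with the rest of the risk analysis documentation and re-score it when an asset, control, or vendor changes; the ranked list is also a convenient starting point for the security measures chosen in Step 8.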

OPTION 3

A comprehensive risk assessment flow chart can be found in the NIST publication Risk Management Guide for Information Technology Systems (Special Publication 800-30). (2)

Many other risk analysis options exist, including engaging consultants and attorneys who specialize in HIPAA privacy and security. Choose the option that fits the time, knowledge, and resources available to your practice, keep the resulting documentation, and revisit the analysis when systems, vendors, or staff change.

TMLT has developed an additional resource for physicians: a privacy and security toolkit, which includes customized service proposals to assist practices with risk analysis. For a copy of the toolkit, contact Stephanie Downing at 800-580-8658, extension 4884.

SOURCES

  1. U.S. Department of Health and Human Services. HIPAA Security Series #6: Basics of Risk Analysis and Risk Management. Available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/riskassessment.pdf. Accessed January 2, 2013.

  2. National Institute of Standards and Technology. Risk Management Guide for Information Technology Systems (NIST Special Publication 800-30). Available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/nist800-30.pdf. Accessed January 2, 2013.

About the Author

Cathy Bryant

Cathy joined TMLT in 2010 and serves as the Senior Compliance and Risk Management Representative. Cathy leads the development and implementation of TMLT’s cyber risk management services. Cathy Bryant can be reached at cathy-bryant@tmlt.org.
