Did you know that HIPAA requires health care providers to conduct a risk analysis?
Two sets of rules were adopted to implement the provisions of HIPAA: the Privacy Rule and the Security Rule. The Privacy Rule applies to all forms of protected health information — oral, written, or electronic. The Security Rule applies only to electronic protected health information (ePHI).
Under the Security Rule, covered entities are required to conduct a risk analysis of ePHI exposures. A risk analysis is defined as “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.” A requirement of the Security Management Process standard in the Security Rule states that all covered entities must “implement policies and procedures to prevent, detect, contain, and correct security violations.” (1)
Your practice could be at risk for violations of the Security Rule if you:
- have electronic health records;
- have not conducted a risk analysis; and
- are audited or investigated for compliance with HIPAA.
While the Security Rule does not prescribe a required methodology for a risk analysis, below are three options to consider.
One simple way to start is to print a copy of the HIPAA Security Matrix, found on pages 10-11 of Security 101 For Covered Entities available at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/security101.pdf.
Physicians, office staff, and IT support personnel can make notes in the margins of what they are currently doing and what may need work. Notes should be maintained in an easily retrievable format; options include a three-ring binder or a shared folder on the network.
The second option is based on HIPAA Security Series #6 – Basics of Risk Analysis and Risk Management. The steps below provide a guide for physicians and key staff to conduct a risk analysis. For each step, the publication provides more details on calls to action.
Step 1. Identify the scope of the analysis
Step 2. Gather data
Step 3. Identify and document potential threats and vulnerabilities
Step 4. Assess current security measures
Step 5. Determine the likelihood of threat occurrences
Step 6. Determine the potential impact of threat occurrence
Step 7. Determine the level of risk
Step 8. Identify security measures and finalize documentation (1)
More information can be found at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/security101.pdf.
A comprehensive risk assessment flow chart can be found in the publication, Risk Management Guide for Information Technology Systems. (2)
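As an added illustration (not part of the original article or the HHS publication), the register below walks steps 3 through 8 for a handful of constructed ePHI exposures, scoring them with the qualitative likelihood/impact matrix of the NIST guide cited as reference (2); the asset names, threats, and planned measures are assumed for illustration only.

```python
"""Constructed ePHI risk register walking steps 3-8 above. Weights and risk bands
are the qualitative matrix of NIST SP 800-30 (reference 2); exposures are samples."""
from dataclasses import dataclass

LIKELIHOOD = {"low": 0.1, "medium": 0.5, "high": 1.0}   # Step 5 weights
IMPACT = {"low": 10, "medium": 50, "high": 100}         # Step 6 weights

def risk_level(likelihood: str, impact: str) -> tuple[float, str]:
    """Step 7: score = likelihood x impact, banded Low (1-10), Medium (>10-50), High (>50)."""
    score = round(LIKELIHOOD[likelihood.lower()] * IMPACT[impact.lower()], 2)
    level = "high" if score > 50 else "medium" if score > 10 else "low"
    return score, level

@dataclass
class Exposure:
    asset: str             # Steps 1-2: where the ePHI lives
    threat: str            # Step 3: what could go wrong
    vulnerability: str     # Step 3: the weakness the threat could exploit
    current_measures: str  # Step 4: safeguards in place today
    likelihood: str        # Step 5
    impact: str            # Step 6
    planned_measures: str  # Step 8: what will be done and documented

def assess(register: list[Exposure]) -> list[dict]:
    """Score every exposure and order highest risk first for the Step 8 write-up."""
    rows = []
    for e in register:
        score, level = risk_level(e.likelihood, e.impact)
        rows.append({"asset": e.asset, "threat": e.threat, "vulnerability": e.vulnerability,
                     "score": score, "level": level, "planned_measures": e.planned_measures})
    return sorted(rows, key=lambda r: r["score"], reverse=True)

# Constructed sample exposures for a small practice (assumed, not real findings).
SAMPLE_REGISTER = [
    Exposure("EHR server backups", "theft of backup drive", "drive not encrypted",
             "locked office", "medium", "high", "encrypt backups; log drive removal"),
    Exposure("Front-desk PC", "malware via email attachment", "no automatic patching",
             "antivirus installed", "high", "high", "enable patching; remove local admin"),
    Exposure("Fax line", "misdirected fax", "no number confirmation step",
             "cover sheet used", "low", "low", "verify number before sending"),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(f"{row['level']:<6} {row['score']:>5} {row['asset']}: {row['threat']}")
```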
Many other risk analysis options exist, including using consultants and attorneys who specialize in HIPAA Privacy and Security. The option you choose should be based on the best solution, time, knowledge, and resources available.
TMLT has developed an additional resource for physicians: a privacy and security toolkit, which includes customized service proposals to assist practices with risk analysis. For a copy of the toolkit, contact Stephanie Downing at 800-580-8658, extension 4884.
- U.S. Department of Health and Human Services. HIPAA Security Series - #6 Basics of Risk Analysis and Risk Management. Available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/riskassessment.pdf. Accessed January 2, 2013.
- National Institute of Standards and Technology. Risk Management Guide for Information Technology Systems (NIST SP 800-30). Available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/nist800-30.pdf. Accessed January 2, 2013.
About the Author
Cathy joined TMLT in 2010 and serves as the Senior Compliance and Risk Management Representative. Cathy leads the development and implementation of TMLT’s cyber risk management services. Cathy Bryant can be reached at firstname.lastname@example.org.