How to Perform HIPAA Risk Assessment

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires healthcare entities to implement policies and procedures to safeguard the privacy and security of the protected health information (PHI) of patients. One core requirement is to perform risk assessments. This article explains what a risk assessment is according to HIPAA and offers guidance about the steps involved.

What is a HIPAA risk assessment?

HIPAA has two key components: the HIPAA Security Rule and the Privacy Rule. The Privacy Rule regulates who can access PHI, how it can be used and when it can be disclosed. The HIPAA Security Rule requires covered entities to protect ePHI using the appropriate administrative, physical and technical safeguards.

A HIPAA security risk assessment is instrumental to complying with these rules. It helps you identify potential risks and vulnerabilities to the confidentiality, availability and integrity of all PHI that your organization generates, receives, retains or transmits, and to implement appropriate controls to mitigate those risks.

Is my organization required to conduct a HIPAA risk assessment?

HIPAA risk assessments are required for any covered entity that generates, receives, stores or transmits PHI, such as medical centers and health plans - as well as for all business associates, subcontractors and vendors that interact with any ePHI. You should repeat the risk assessment process at least annually, as well as whenever new work methods or pieces of technology or major upgrades to existing IT systems are introduced.

Organizations should take HIPAA risk assessment seriously because the Office for Civil Rights (OCR) can apply fines for non-compliance of $100 to $50,000 per violation or record, up to a maximum of $1.5 million per year for each violation.

What are the steps in a HIPAA risk assessment?

The Security Rule does not prescribe any specific methodology for conducting a risk analysis. Instead, organizations routinely refer to standards like NIST 800-30 for guidelines to achieve and maintain HIPAA compliance. NIST SP 800-30 defines standard risk assessment methodologies for evaluating the efficacy of security controls in information systems.

At a high level, a HIPAA risk assessment involves the following nine steps:

Step 1. Determine the scope of analysis.

A HIPAA risk analysis includes all ePHI, regardless of its source or location and the electronic media used to create, receive, maintain or transmit it. The analysis must cover all "reasonable" risks and vulnerabilities to the confidentiality, integrity and availability of that ePHI. "Reasonable" means any threats to HIPAA compliance that are foreseeable, which includes external bad actors, malicious insiders, and human error from lack of knowledge or training.

Step 2. Collect data.

Gather complete and accurate information about ePHI use and disclosure:

• Inventory past and current projects.
• Perform interviews.
• Review documentation.
• Use other data-gathering techniques as needed.

Step 3. Identify potential threats and vulnerabilities.

Analyze the threats and vulnerabilities that exist for each piece of regulated data.

Step 4. Assess your current security measures.

Document the measures you have already implemented to mitigate risks to your ePHI. Include both technical and non-technical measures:

• Technical measures include access control, authentication, encryption, automatic log-off, auditing, and other hardware and software controls.
• Non-technical measures include operational and management controls like policies, procedures, and physical or environmental security measures.

Analyze the configuration and use of each security measure to determine its appropriateness and effectiveness.

Step 5. Determine the likelihood of threat occurrence.

Rate the likelihood that a threat will trigger or exploit a specific vulnerability, being sure to assess each potential threat and vulnerability combination. Common strategies include labeling each risk as High, Medium or Low, or providing a numeric weight expressing the likelihood of occurrence.

Step 6. Determine the potential impact of each threat occurrence.

Detail the possible outcomes of each data threat, such as:

• Unauthorized access or disclosure
• Permanent loss or corruption
• Temporary loss or unavailability
• Loss of financial cash flow
• Loss of physical assets

Estimate and document the impact of each outcome. Measures can be qualitative or quantitative.

Step 7. Identify the risk level.

Analyze the values assigned to the likelihood and impact of each threat. Then, assign a risk level based on the assigned probability and impact level.

Step 8. Determine appropriate security measures and finalize the documentation.

Identify the potential security measures you could use to reduce each risk to a reasonable level. Consider the effectiveness of the measure, the regulatory requirements around implementation, and any organizational policy and procedural requirements. Document all findings.

Step 9. Periodically review and update the risk assessment.

Develop a policy describing how often to conduct risk assessments. You should perform one at least annually. Also document how to update the assessment when anything changes, such as your security systems or policies. Track each change in the revision history at the end of the assessment.

Tips for making your HIPAA risk assessment successful

Keep these tips in mind to perform a successful HIPAA risk assessment:

• Choose a point person to be in charge of the assessment.
• Understand that you can do the assessment in house or outsource it to a HIPAA expert. Outsourcing the assessment may get the analysis and planning tasks conducted faster.
• Remember the intent of the assessment. It is not an audit; its purpose is to help you identify, prioritize and mitigate risks.
• Ensure your documentation meets HIPAA standards. Record all procedures and policies, ensure they are accurate, and make them centrally available.
• Remember that you are required to repeat the assessment process at least annually.
• Provide all staff members with HIPAA compliance training.

How can Netwrix help?

Netwrix HIPAA compliance software helps you achieve and prove HIPAA compliance. In particular, it enables you to conduct the risk assessments required by HIPAA. For example, HIPAA requires organization to assess the risks to their information systems and act on the findings, and the Netwrix solution empowers you to examine the configuration of your information systems and identify risks in account management, data governance and security permissions.

Even better, the HIPAA functionality of the Netwrix solution goes far beyond risk assessments. Critically, it enables you to spot active threats in time to prevent security incidents and business disruptions. Plus, unlike many other audit tools, the Netwrix solution includes pre-built compliance reports matched to the requirements of HIPAA and other common mandates, which saves significant time and effort during compliance preparation.