Risk Assessment: The Core of HIPAA Compliance
by Stacy Harper, JD, MHSA, CPC
The core of any effective HIPAA compliance program is the development of a risk assessment and management process. An effective risk assessment and management process should include, at least: inventory, flow, scope, threats/vulnerabilities, likelihood, impact, risk, and response.
For HIPAA compliance, the inventory should focus on identification of all of the locations where protected health information (PHI) is stored or transmitted. This usually begins with the servers that store the electronic medical record or practice management software, and should include other ancillary storage of PHI (e.g., e-mail systems, back-up drives, laptop computers).
Next, diagram the flow of information through the organization. For HIPAA compliance, this flow should track the movement of PHI in and out of the organization.
Not every risk assessment must be comprehensive. For example, a risk assessment may focus on HIPAA implications related to the implementation of an electronic medical record.
To determine potential threats and vulnerabilities, the organization can consider information such as transmittals, alerts, or relevant guidance from regulatory agencies or payers; recent audit results or compliance investigations; coding or regulatory changes; and other industry guidance. The more specific the organization is in identifying threats and vulnerabilities, the more specific the risk assessment will be.
A risk is the extent to which the organization is threatened by a particular event, considering:
- the probability that a particular threat will exercise a particular vulnerability, and
- the resulting impact if this should occur.
There are different methodologies for calculating the level of risk. As part of the process, the organization should document the methodology used. What factors were considered in determining the likelihood and the impact? What matrix was used to convert the likelihood and impact combination into a risk level?
Ongoing Management Completes the Process
For the process to be complete, the organization must also respond to the identified risks and document the response. For each identified risk, the organization should document potential options evaluated for response, the option selected, the reason that option was determined to be appropriate, and the plan for implementation. This risk management plan can then be integrated into future assessments to evaluate the effectiveness of each response.
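The following is an added example, not part of the article, showing one way to put the methodology and response steps above into a small risk register: a documented likelihood/impact matrix, an inventory of PHI locations with threat/vulnerability pairs, ranking by the resulting risk level, and a recorded response for each risk. The 3x3 matrix, the `Risk` record and the sample inventory entries are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed methodology for this example: a 3x3 qualitative matrix mapping a
# (likelihood, impact) pair to a risk level. The matrix is itself part of the
# documentation the article asks for, so it is an explicit, named constant.
LEVELS = ("Low", "Medium", "High")
RISK_MATRIX: Dict[Tuple[str, str], str] = {
    ("Low", "Low"): "Low",       ("Low", "Medium"): "Low",       ("Low", "High"): "Medium",
    ("Medium", "Low"): "Low",    ("Medium", "Medium"): "Medium", ("Medium", "High"): "High",
    ("High", "Low"): "Medium",   ("High", "Medium"): "High",     ("High", "High"): "High",
}

@dataclass
class Risk:
    location: str       # inventory item where PHI is stored or transmitted
    threat: str
    vulnerability: str
    likelihood: str     # one of LEVELS
    impact: str         # one of LEVELS
    level: str = ""     # filled in by assess()
    response: Dict[str, object] = field(default_factory=dict)

def rate(likelihood: str, impact: str) -> str:
    """Convert a likelihood/impact pair to a risk level via the documented matrix."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"ratings must be one of {LEVELS}: {likelihood!r}, {impact!r}")
    return RISK_MATRIX[(likelihood, impact)]

def assess(register: List[Risk]) -> List[Risk]:
    """Rate every entry and return the register ordered highest risk first."""
    for risk in register:
        risk.level = rate(risk.likelihood, risk.impact)
    return sorted(register, key=lambda r: LEVELS.index(r.level), reverse=True)

def respond(risk: Risk, options: List[str], selected: str, reason: str, plan: str) -> Risk:
    """Record the options evaluated, the option chosen, the rationale and the plan."""
    if selected not in options:
        raise ValueError("selected response must be one of the evaluated options")
    risk.response = {"options": list(options), "selected": selected,
                     "reason": reason, "plan": plan}
    return risk

# Constructed sample inventory entries (not from the article).
REGISTER = [
    Risk("Backup drives", "Theft of unencrypted media", "No disk encryption", "Medium", "High"),
    Risk("E-mail system", "PHI sent to wrong recipient", "No outbound DLP", "High", "Medium"),
    Risk("EMR server", "Disk failure", "Nightly backups in place", "Low", "Medium"),
]
```

Re-running `assess()` on the same register after responses are recorded is how the plan feeds back into the next assessment.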