Troubleshoot HIPAA Vulnerabilities with Risk Analysis and Assessment
Build a good defense against a HIPAA audit or breach.
The HIPAA Security Rule makes a risk analysis mandatory for all HIPAA covered entities (CEs) and business associates (BAs). This section of the rule is found in the Administrative Safeguards and states: “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information (ePHI) held by the CE or BA.” Several of the terms in that sentence are defined in the HIPAA rules. HIPAA definitions are both the foundation of HIPAA and part of the scope of HIPAA requirements.
Although the rule does not say how often your business needs to do a risk analysis and assessment, the Office for Civil Rights (OCR) has said since 2009 that a CE and BA must do a risk analysis plus assessment every year, and more often if you upgrade technology, move offices, or expand services.
Know Your Vulnerability Risks
The parts of a HIPAA risk assessment to explore are your risks and vulnerabilities. These terms are not defined in the HIPAA rules, but they generally refer to anything that poses a danger or hazard to your business. In other words, risks and vulnerabilities are exposures that open your business to danger and liability. Another word for risk is insecurity.
The risks and vulnerabilities to your business include:
- Mobile tools:
  - Smart phones
  - Removable media (CDs/DVDs/memory sticks, etc.)
- Outsourced work
- Offshore work
- Cloud usage
- Spear phishing
What can you do to protect your business?
- Perform a yearly risk analysis and assessment.
- Review and update HIPAA policies and procedures yearly.
- Provide HIPAA training yearly, and more often if necessary.
There are two free tools to help you perform a risk assessment:
- Office of the National Coordinator for Health Information Technology’s tool at www.healthit.gov/providers-professionals/security-risk-assessment-tool
- NIST HIPAA Toolkit at https://scap.nist.gov/HIPAA/
A HIPAA risk analysis and assessment is one of the major defenses for any CE or BA. And it’s one document the OCR asks for when scheduling your business for a HIPAA audit or investigating your business for a HIPAA breach.
45 CFR 164.308(a)(1)(A) Security Management Process, Risk analysis
45 CFR 164.304 + 160.103, Definitions
Susan A. Miller, JD, is a national HIPAA and HITECH Act healthcare expert and strategist focused on covered entities, business associates, technology companies, federal agencies (including OCR, NIST, and CMS), accountable care organizations, regional extension centers, Medicaid agencies, states, and national and state trade associations. She developed the NIST HIPAA security risk analysis and audit tool used across the industry.