Requirement for HIPAA Risk Analysis/Risk Assessment
Section 164.308(a)(1) of HIPAA requires an organization to conduct the risk analysis of the organization. This analysis is required to understand the flow of EPHI in the organization and the result of this analysis will facilitate creation of security policies & procedures and support the recommendation to initiate the HIPAA Security Compliance related remediation activities.
Definition and Scope
Risk analysis identifies areas that need to be addressed for HIPAA security compliance as well as all gaps that may be exploited by insider and outsider attacks. Organizations must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information (EPHI).
Risk analysis is a process whereby relevant assets and relevant threats are identified, and cost-effective security/control measures are identified or engineered, in order to effectively balance the costs of various security/risk mitigation/control measures against the losses that would be expected if these measures were not in place. Threats and risks are real. Each entity needs to identify and prioritize risks and threats.
A thorough risk assessment should identify the system vulnerabilities, threat, and current controls and attempt to determine the risk based on the likelihood and threat impact. These risks should then be assessed and a risk level assigned, such as high, medium, or low.
How HIPAA Academy™ can help?
An accurate and thorough Risk Analysis, as required by the HIPAA Security Rule, is a major undertaking for any organization. HIPAA Academy™ consultants, with their expert knowledge of the HIPAA regulations along with their experience consulting in a wide range of organizations, can complete such a project faster and easier than attempting a Risk Analysis “in-house.”
A HIPAA Academy™ engagement, although completely customizable to your needs, most often address the regulation’s requirements for Risk Analysis, Information System Activity Review, and Contingency Planning. A technical vulnerability analysis and penetration testing are often included as part of a thorough Risk Analysis.
The Seven Steps to HIPAA Security Compliance
The HIPAAShieldTM security methodology identifies seven critical steps for an organization to implement to become compliant with the HIPAA Security Rule. Figure 1 illustrates the Seven Steps. Associated with each step are specific activities. The objective of Step 2: Risk Analysis, the focus of this white paper, includes the following activities:
1. Conduct vulnerability assessment
2. Identify contingency requirements
3. Conduct information system activity review
HIPAA Security Risk Analysis/Assessment Road map
Project Phases in HIPAA Risk Analysis
The HIPAAShieldTM Risk Analysis activities are organized on the basis of the following phase:
Phase I: Documentation Phase
Phase II: Risk Assessment Phase
Phase III: Safeguards Determination Phase
The objective of Phase I is to identify all critical systems that process EPHI or other sensitive business/patient/client information, document the purpose of these systems and document the flow of information. In Phase II the emphasis is to identify threats, vulnerabilities, to determine the likelihood and impact of risk. Phase III’s focus is on the determination of safeguards.
Each phase of the HIPAA Security Risk Analysis Project will address the following sets of safeguards that make up the HIPAA Security Standards as defined in the HIPAA Final Security Rule:
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards
In total, the three categories of Safeguards include 18 Security Standards, made up of 42 Implementation Specifications. The scope of the HIPAA Security Project includes execution of Phases 2 and 3 as listed above for all 42 HIPAA Final Security Rule Implementation Specifications for all potentially impacted EPHI information systems.
The Security Safeguards and their associated Security Standards and Implementation Specifications that the HIPAA Academy™ will analyze are as follows.
Administrative Safeguards (164.308)
Administrative safeguards are administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect EPHI and to manage the conduct of the covered entity’s workforce in relation to the protection of that information. Figure 3 summarizes the Administrative Safeguards’ standards and their associated required and addressable implementation specifications.
Physical Safeguards (164.310)
Physical safeguards are physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion. Figure 4 summarizes the Physical Safeguards’ standards and their associated required and addressable implementation specifications.
Technical Safeguards (164.312)
Technical safeguards refer to the technology and the policy and procedures for its use that protect electronic PHI and control access to it. Figure 5 summarizes the Technical Safeguards’ standards and their associated required and addressable implementation specifications.
HIPAA Risk Analysis/Assessment Report
By the end of the project, you will have gained insight into specific HIPAA requirements that are important to your organization as well as:
A written Risk Analysis which outlines potential threats to your organization along with the HIPAA Academy’s recommendations for remediation activities.
A Recommendations and Responses Log which harvests all of the recommendations and presents them in a format that allows you to respond to them. This log can also be used as a hub for the coordination of remediation activities and documents your good faith effort to become and remain compliant with the regulations.
The complete results of any vulnerability or penetration testing performed on your network.
HIPAA Security Risk Analysis/Assessment Road map
For more information about HIPAA Academy’s consulting services, please contact John Schelewitz at +1.480.633.3225 or John.Schelewitz@ecfirst.com.
I want to thank everyone at HIPAA Academy™ for their work and the effort that went into our Risk Assessment. We were extremely impressed by the level of professionalism from all three, and their knowledge of the HIPAA Security Rule. One person after being interviewed, commented that they wished they had a note pad to take notes as they learned so much about what HIPAA was during the interview. Joel, was most thorough in explaining what he was doing and pointing out things for consideration, and resources where we can expand our knowledge of security in general. Alan, was a great source of information and extremely professional everyone who spoke with him came away impressed at his understanding of the Rule. The same can be said about Ali, although I didn’t spend as much time with him I appreciated his frankness and the way in which he encouraged Bob Rice and myself in regards to getting compliant.
The final product was extremely detailed and helped us greatly in mapping out our mitigation of the risk analysis to ensure compliance.
Bob Mathew’s assistance in pulling everything off has to be commended, especially when I was losing my mind due to the scheduling issues.
Finally, I want to say I came away wishing I could have spent more time with everyone acting as a sponge and soaking up what they had to say. I learned so much from them, not just about HIPAA but other subjects for which I am extremely grateful. I am definitely wanting to use HIPAA Academy™ again in the future for follow up analysis of how we’ve done.