A HIPAA Risk Assessment, or a HIPAA Security Risk Assessment more precisely, is a mandatory requirement for Covered Entities and Business Associates in their HIPAA Security Rule compliance journey. HIPAA Security Risk Assessments can be straightforward, but it’s critical to understand what to review, how, and against what frameworks.
Let’s dive into what a HIPAA Security Risk Assessment is, the importance of those risk assessments, and how to complete those risk assessments. By the end of this article, you should understand how to meet some of your most critical HIPAA compliance needs.
What is a HIPAA Risk Assessment?
HIPAA Risk Assessments are described at 45 CFR § 164.308(a)(1). That section outlines the requirement for, “[c]onduct[ing] an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”
While brief, there’s a lot to that sentence. It’s also compounded by other provisions of the HIPAA Security Rule. I’m going to unpack the three major components, in my opinion, so that it’s clear what’s required and how information security or information technology programs can implement and evaluate required security measures.
Most of the HIPAA Security Rule is concerned with how to correct security violations. 45 CFR § 164.308(a)(1) is concerned with proactively identifying them and mitigating their impact in line with the remainder of the Rule.
I’d also recommend reading this official guidance from the Centers for Medicare and Medicaid Office of Civil Rights. It provides a very detailed analysis of the HIPAA Security Risk Assessment process from a regulatory compliance standpoint. My view is more the practical operations of a risk assessment.
Accurate and Thorough Assessment
A successful HIPAA Risk Assessment is both accurate and thorough. When I think about having a HIPAA Security Risk Assessment performed, I think about the need for it in a Centers for Medicare and Medicaid Office of Civil Rights audit.
Those audits will seek to understand if you knew of the risk or should have known about the risk that lead to a breach. In other words, do you know about your known-knowns and known-unknowns? Those audits will also review the general organizational security posture and overall risk management program.
The review will also assess: 1) has the Covered Entity or Business Associate kept its security program up-to-date with respect to potential risks, pursuant to 45 CFR § 164.306(e) and 2) has the Covered Entity or Business Associate updated its policies periodically pursuant to 45 CFR § 164.316(b)(2)(iii)?
The only way to understand whether or not Covered Entities or Business Associates are impacted by a risk, requiring an update to a security program which is then enshrined in policy, is to seek out those risks. That factfinding must identify the actual risk, not symptoms or byproducts of the risk. Hence, accuracy. (See this article for why I think penetration testing is crucial for this process.)
The scope and thoroughness of the assessment will depend on the Covered Entities or Business Associates’ understanding of where they use, process, or store ePHI. It’s impossible to gauge the risks for an asset or resource that is unknown and unaccounted for. Put differently: you can’t conduct a HIPAA risk assessment without knowing what to evaluate.
So an organization needs to have a comprehensive, or thorough, understanding of where risk exists. The best way to do that is to understand where ePHI is used and stored throughout the organization.
Potential Risks and Vulnerabilities
The HIPAA Security Rule is all about proactivity. Its focus is prescribing and evaluating current security measures sufficient to safeguard ePHI, presently held by Covered Entities and Business Associates, well into the future.
That’s accomplished by a risk assessment which evaluates potential threats to information. Once an organization has an accurate and thorough understanding of where its data sources are, it can then conduct a security assessment against those resources to accurately and thoroughly understand sources of threats.
In understanding and documenting the source of threats, it can (and must) also document vulnerabilities. While not specifically defined in the HIPAA Security Rule, they are defined in industry-standard security frameworks. The CMS OCR document linked at the beginning of this article cites NIST SP 800-30 for reference.
Security vulnerabilities are things that can be exploited to provide a gap in security controls, exacerbate the chance of exploitation of a risk occurring, and potentially lead to a security incident or other compromise of the confidentiality, integrity, and availability of ePHI.
Electronic Protected Health Information
The scope and target of whatever implementing safeguards the HIPAA Security Rule requires is electronic Protected Health Information, or ePHI. That is specific health data that qualifies as PHI, typically because it is generated by a healthcare organization or healthcare providers in the course of treatment, located on electronic media.
That doesn’t mean there’s no risk to non-electronic PHI. However, a HIPAA Privacy assessment is typically concerned with the risk of potential improper disclosure of PHI and the reportability of that disclosure under the Breach Notification Rule. It’s not a HIPAA privacy risk assessment in the same sense as a HIPAA Security Risk Assessment.
That’s not to say there shouldn’t be an evaluation of privacy risk. HIPAA certainly requires the mitigation of those risks. It just doesn’t prescribe a HIPAA Privacy risk assessment and characterizes a HIPAA Privacy assessment differently under the HIPAA Privacy Rule.
I personally feel that the same administrative, physical, and technical safeguards that protect ePHI sufficiently protect PHI in physical form. A Security Risk Assessment entails assessing Covered Entities and Business Associates’ safeguards to ensure that appropriate security measures have been implemented to protect physical and ephemeral assets. Since non-electronic PHI is a physical asset, it stands to reason that a comprehensive risk management plan would address risks to those assets.
How to Conduct a Risk Assessment in 8 Steps
I’m going to give you a high-level HIPAA risk assessment checklist and the steps to conduct a HIPAA risk assessment. This is advice based on my experience and is by no means the end-all-be-all of HIPAA risk analysis.
I’d also recommend checking out the materials that CMS OCR provides on the topic. They provide, among other materials, a HIPAA risk assessment template and a downloadable security risk assessment tool for maintaining a risk assessment over time. CMS also provides comprehensive HIPAA risk assessment FAQs.
- Nominate a HIPAA Security Officer. HIPAA requires that Covered Entities and Business Associates have both a HIPAA Privacy Officer and a Security Officer. Put someone in charge of managing your ePHI risk.
- Identify where you have ePHI. Think about where you store ePHI in your environment. Electronic medical records are an easy source, but there are many others. Typically this identification stage is completed through interviews and questionnaires. While there are also other data-gathering techniques, it’s typically a time-consuming process. Whatever data gathering techniques you use to collect that information should account for as comprehensive an inventory of data repositories as possible.
- Identify risks. NIST SP 800-30 is a fantastic resource for how to structure and conduct risk assessments. As I highlighted above, it’s cited by CMS OCR by name. It’s very comprehensive and will help you identify potential risks to any assets in your organization based on both predicting the potential risk to each asset or class of assets and the likelihood of threat occurrence and those risks coming to fruition. You can then assign risk levels to those risks.
- Compare risks to policies and infrastructure. At this point, question whether or not your security program addresses reasonably anticipated threats or risks to your organization. Determine whether or not you’re mitigating common or predictable threat and security vulnerabilities.
- Conduct a HIPAA comparison of your security program. Determine whether or not you’ve implemented the security measures required by HIPAA to safeguard the confidentiality, integrity, and availability of ePHI. If you have mitigation strategies in place instead of comprehensive controls, identify whether or not those security safeguards meet their intended risk mitigation goals.
- Conduct a HIPAA Risk Analysis. Document for each HIPAA security risk analysis objective how you’ve met the HIPAA requirements. This assessment process will take a long time and will hopefully re-validate what you’ve done in the preceding steps. You’ll want to interview staff and collect documentary evidence to establish that you know where ePHI is, that you’ve identified risks and risk levels, that you have a documented security program in place to address those risks, and that the security program meets HIPAA’s requirements.
- Document gaps and improvement. No security program is ever complete. If you go into your HIPAA risk assessment conducting a review of gaps and identifying room for improvement, instead of just checking boxes, you’ll have much greater success developing a security program that is comprehensive. Your risk analysis will be significantly more productive. You’ll drive more robust HIPAA compliance.
- Rinse and repeat often.I’d recommend conducting a HIPAA risk assessment annually or whenever there’s a major change to administrative, physical, or technical safeguards or infrastructure.
How Often Are HIPAA Risk Assessments Required?
There’s no set cadence for a HIPAA Risk Assessment. However, HIPAA does require that Covered Entities and Business Associates continually provide “reasonable and appropriate protection of electronic protected health information…” 45 CFR § 164.306(e).
I, personally, don’t think that’s possible without a risk analysis conducted annually or every two years. Technology and security threats evolve quickly enough that failing to perform a review past the two-year mark would leave an organization open to significant threat.
I also believe that a HIPAA Risk Assessment should be conducted every time there’s a major change to infrastructure or its safeguards. Where the risk posture of an asset changes, it should be evaluated for protection in line with HIPAA’s requirements.
HIPAA Risk Assessment With Internal Resources vs External Consultants
One of the great things about HIPAA compliance is that it can be driven and evaluated entirely by internal resources. Since there’s no certification for HIPAA compliance, it’s a regulatory requirement, an organization is responsible for adhering to its precepts.
If your organization has the resources to staff a HIPAA security risk team and conduct a periodic risk analysis, that’s great. You’ll have dedicated staff whose primary responsibility is to assess HIPAA security risks and address them. They can do so constantly and that will expedite whatever analysis needs conducting.
If your organization can’t staff a dedicated HIPAA security risk team or can but wants to pursue external evaluation resources, that’s also great. External consultants bring a fresh perspective to your organization based on extensive experience at similar organizations. So while your internal team may be doing one assessment per year, an external team may have done hundreds in that same time. They’re also not embedded with HIPAA security at your organization and can bring a more objective perspective.
Either way, you can’t go wrong. You really only go wrong by not doing it at all. If you suffer a breach and recklessly failed to conduct HIPAA risk assessments, then that’s a HIPAA violation category unto itself with increased fines.
How Much Will a HIPAA Risk Assessment Cost?
There are a few different sources for HIPAA risk assessment costs. This source is aligned with current industry standards, where a HIPAA risk assessment for a small organization may cost only a couple thousand dollars and tens of thousands for larger organizations.
Internally staffing a HIPAA security risk program means that the assessment is free. However, you have staff salaries to think about. Then again, those staff are doing more than just focusing on risk assessments and will likely also manage your HIPAA security program.
Conclusion
A risk assessment can be a daunting proposition for many organizations. The cost of an external assessment and lengthy, complex frameworks can be confusing and difficult to navigate.
Fortunately, CMS and the Department of Health and Human Services focused on simplicity when they drafted the Health Insurance Portability and Accountability Act. Not only is a HIPAA risk assessment straightforward to conduct, but those assessments are also based on straightforward and flexible rules. Furthermore, those assessments can be conducted entirely in-house, if desired.
