Are you confused about what’s required under the HIPAA risk analysis requirements? Don’t worry because you aren’t alone. After all, failing to perform or incompletely performing the risk analysis is the top reason for HIPAA violations.
Risk analyses are required for any healthcare organization that falls under HIPAA statutes. A proper risk analysis will assess all the potential threats to the confidentiality, integrity, or availability of electronic patient health information (ePHI).
Healthcare organizations aren’t the only businesses that need to perform risk analyses, though. Any business associate of a healthcare organization must perform an annual ePHI risk analysis, too. This includes any vendors or partners of a healthcare group, practice, hospital, etc.
The Office for Civil Rights has issued guidance on this topic. But we think that guidance is particularly lacking. That’s why we want to help you understand what you can expect when performing a HIPAA risk analysis.
Want to protect your business or healthcare organization from paying hefty fines for HIPAA violations? Then you need to keep reading for everything you need to know about this annual requirement.
What is a HIPAA Risk Analysis?
Every healthcare organization and their business associates must perform an annual risk analysis. This is a self-audit, meaning you have to perform the analysis yourself.
What’s the purpose of this self-audit? To ensure your processes and policies protecting ePHI are sufficient. This includes any policies about the confidentiality, integrity, and availability of ePHI stored on the organization’s software, hardware, or cloud-based technology.
Here are three key steps to identifying risks to your ePHI:
Identifying Internal ePHI
If your organization creates, receives, maintains, or transmits ePHI, you must have a plan to protect it. To create a plan, though, you need to identify what type of ePHI you deal with internally.
Identifying External ePHI
External ePHI is probably more relevant to a healthcare organization that works with business associates. External ePHI is usually patient data received from or by a vendor or consultant partner. As with internal ePHI, you must identify what type of ePHI you deal with externally.
Identifying Threats to ePHI
Whether its internal or external ePHI, you need to know what risks this information faces. Risks may include:
- Human Risks These include intentional actions like hacking or unauthorized ePHI access and unintentional actions like accidental deletion of patient data
- Natural Risks These include floods, earthquakes, tornadoes, landslides, etc.
- Environmental Risks Include electricity failures, chemical contamination, water leads, etc.
These risks also apply to the technology on which your ePHI is stored. For example, a human risk to ePHI stored on a piece of hardware is the threat of a hacking breach.
Performing a Risk Analysis
When you perform the HIPAA risk analysis at your organization, you’ll assess the risk for every single piece of ePHI at your business. Once you’ve identified the types of ePHI you handle, it’s time to perform the analysis. Here’s how.
Collect the Data
You need to note a few things about your ePHI. This includes where it’s stored, who and what system receives it, how it’s maintained, and the methods by which it’s transmitted.
Once you’ve gathered this data, you must document it.
Identify the Risks
Using the three types of threats above, you must determine the risks to your ePHI. You’ll need to determine the likelihood that each threat will occur. Then, you need to decide how your ePHI will be impacted should the threat occur.
Of course, the type of threat and how much it will impact your organization varies. For example, a healthcare facility in California may have a higher risk of ePHI damage due to earthquake.
Assess Security Measures
Along with identifying the risks, you need to have a plan for what you’ll do if the threat occurs. This includes any measures you use to safeguard your ePHI. HIPAA defines three types of safeguards: physical, technical, and administrative.
Physical safeguards ensure the safety of any non-ePHI. That is, any PHI stored physically in your place of work.
Technical safeguards include cybersecurity measures. These safeguards are vital for protecting PHI that’s stored electronically.
Administrative safeguards focus on the human portion of ePHI security. You should have a policy in place regarding safety and security of patient data. HIPAA also requires that you train your employees in these policies.
Identify the Level of Risk
Finally, your organization needs to assign a level of risk for each threat to your ePHI. This corresponds to the likelihood of the event happening. It also reveals how damaging each threat would be if it occurred.
Once you’ve designated a risk level for each threat, you need to document them. Then, you’ll design a strategy for corrective actions. If the threat were to occur, what would you do to mitigate the risk and ensure it doesn’t reoccur in the future?
Beyond the Risk Analysis
Performing the risk analysis isn’t only important for compliance with the risk analysis requirement. It’s also a preliminary requirement for multiple other aspects of HIPAA regulations.
Most importantly, the risk analysis is required before you get to any “addressable” specifications. What does that mean? We’re diving into this next, so check it out.
Addressable Specifications
When you look at HIPAA regulations, you may see some specifications marked “addressable.” All organizations must complete addressable requirements. That is, unless the organization deems the specification unnecessary for the nature of its work.
How does an organization prove that a specification isn’t necessary? You must provide the results of your risk analysis. The risk analysis results will provide evidence as to whether or not an addressable specification is appropriate in your unique case.
HIPAA Security Suite Can Do Your Risk Assessment For You
A HIPAA risk analysis isn’t just vital to avoiding hefty fees for violations. It’s also important for building trust with your patients.
Are you too busy saving lives to do your risk analysis yourself? You’ve come to the right place then because HIPAA Security Suite’s expert IT staff can do it for you. Learn more about our services and stop worrying about losing profits for preventable HIPAA mistakes!