If your organization handles protected health information (PHI), the Department of Health and Human Services requires you to conduct a risk analysis as the first step toward implementing the safeguards specified in the HIPAA Security Rule, and ultimately achieving HIPAA compliance.
This includes all HIPAA hosting providers.
But what does a risk analysis entail exactly? And what should be included in your report?
The Health and Human Services Security Standards Guide outlines nine mandatory components of a risk analysis.
Conducting a thorough HIPAA risk assessment is extremely difficult to do yourself, though. You may want to contract with a HIPAA auditor to help you.
Most people simply do not know where to look, or they end up bypassing things because they do not understand data security.
If the risk analysis is foundational to your security, then you do not want to miss the key elements in the analysis.
There are nine components that healthcare organizations and healthcare-related organizations that store or transmit electronic protected health information must include in their document:
1. Scope of the Analysis
To identify your scope, in other words, where PHI flows within your organization.
This includes all ePHI, whether on portable media, desktops or networks.
There are four main parts to consider when defining your scope.
Where PHI starts or enters your environment.
What happens to it once it’s in your system.
Where PHI leaves your entity.
Where the potential or existing leaks are.
2. Data Collection
Below is a list of places to get you started in the documentation of where PHI enters your environment.
Email: How many computers do you use, and who can log on to each of them?
Texts: How many mobile devices are there, and who has each of them?
EHR entries: How many staff members are entering in data?
Faxes: How many fax machines do you have?
USPS: How is incoming mail handled?
New patient papers: How many forms are patients required to fill out? Do they do this at the front desk? In the examination room? Somewhere else?
Business associate communications: How do business associates communicate with you?
Databases: Do you receive marketing databases of potential patients to contact?
It’s not enough to know only where PHI begins. You also need to know where it goes once it enters your environment.
To fully understand what happens to PHI in your environment, you have to record all hardware, software, devices, systems, and data storage locations that touch PHI in any way.
And then what happens when PHI leaves your hands? It is your job to ensure that it is transmitted or destroyed in the most secure way possible.
Once you know all the places where PHI is housed, transmitted, and stored, you’ll be better able to safeguard those vulnerable places.
3. Identify and Document Potential Vulnerabilities and Threats
Once you know what happens during the PHI lifecycle, it’s time to look for the gaps. These gaps create an environment for unsecured PHI to leak into or out of your environment.
The best way to find all possible leaks is to create a PHI flow diagram that documents all of the information you found above and lays it out in a graphical format.
Looking at a diagram makes it easier to understand PHI trails and to identify and document anticipated vulnerabilities and threats.
A vulnerability is a flaw in components, procedures, design, implementation, or internal controls. Vulnerabilities can be fixed.
Some examples of vulnerabilities:
Website coded incorrectly
No office security policies
Computer screens in view of public patient waiting areas
A threat is the potential for a person or thing to trigger a vulnerability. Most threats remain out of your control to change, but they must be identified in order to assess the risk.
Some examples of threats:
Geological threats, such as landslides, earthquakes, and floods
Hackers downloading malware onto a system
Actions of workforce members or business associates
Again, even if you’re above-average in terms of compliance, you may have only a minimal understanding of vulnerabilities and threats. It’s crucial to ask a professional for help with your HIPAA risk assessment.
4. Assess Current Security Measures
Ask yourself what kind of security measures you are taking to protect your data.
From a technical perspective, this might include encryption, two-factor authentication, and other security methods offered by your HIPAA hosting provider.
Now that you understand how PHI flows in your organization, you can better define your scope. With that understanding, you can identify the vulnerabilities, the likelihood of threat occurrence and the risk.
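The four components above (scope, data collection, vulnerabilities and threats, current measures) are easier to keep consistent when the PHI flow diagram is also recorded as data, so that gaps can be queried rather than eyeballed. The following is an added example, not code from the original article or from HHS: it models each hop PHI takes as a flow record, flags boundary-crossing electronic flows that are not encrypted and flows with no documented safeguard at all, and pairs vulnerabilities with the threats that can trigger them to produce a likelihood-times-impact risk register. All entity names, flow IDs, controls and ratings are constructed sample data, and the 1-3 scoring scale and rating thresholds are assumptions, not the HHS methodology.

```python
"""Toy PHI flow inventory and risk register (added example, constructed data)."""
from dataclasses import dataclass, field

# Assumed 1-3 scale for likelihood and impact; not prescribed by HHS.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Flow:
    """One hop PHI takes through, into, or out of the environment."""
    flow_id: str
    source: str
    destination: str
    channel: str            # e.g. "fax", "https", "email", "usps"
    crosses_boundary: bool  # PHI enters or leaves the organization on this hop
    electronic: bool        # ePHI (encryption applies) vs. paper
    encrypted: bool
    controls: list = field(default_factory=list)  # existing safeguards recorded


@dataclass
class Risk:
    """A vulnerability paired with a threat that could trigger it."""
    vulnerability: str
    threat: str
    likelihood: str  # "low" / "medium" / "high"
    impact: str      # "low" / "medium" / "high"

    @property
    def score(self) -> int:
        return LEVELS[self.likelihood] * LEVELS[self.impact]

    @property
    def rating(self) -> str:
        # Assumed thresholds on the 1..9 product.
        if self.score >= 6:
            return "high"
        if self.score >= 3:
            return "medium"
        return "low"


def unprotected_boundary_flows(flows):
    """IDs of electronic flows that cross the boundary without encryption."""
    return [f.flow_id for f in flows
            if f.crosses_boundary and f.electronic and not f.encrypted]


def undocumented_flows(flows):
    """IDs of flows for which no current security measure has been recorded."""
    return [f.flow_id for f in flows if not f.controls]


def risk_register(risks):
    """Risks ordered highest score first (ties broken by vulnerability name)."""
    return sorted(risks, key=lambda r: (-r.score, r.vulnerability))


# Constructed sample PHI flows for a small clinic (not a real inventory).
SAMPLE_FLOWS = [
    Flow("referral-fax", "referring office", "fax machine", "fax",
         crosses_boundary=True, electronic=False, encrypted=False,
         controls=["fax machine in locked back office"]),
    Flow("portal-upload", "patient", "EHR", "https",
         crosses_boundary=True, electronic=True, encrypted=True,
         controls=["TLS", "two-factor authentication"]),
    Flow("ba-email", "EHR", "billing business associate", "email",
         crosses_boundary=True, electronic=True, encrypted=False),
    Flow("ehr-to-backup", "EHR", "backup store", "internal network",
         crosses_boundary=False, electronic=True, encrypted=True,
         controls=["role-based access control"]),
    Flow("mail-out", "front desk", "patient", "usps",
         crosses_boundary=True, electronic=False, encrypted=False),
]

# Constructed vulnerability/threat pairs with assumed ratings.
SAMPLE_RISKS = [
    Risk("Computer screens in view of public patient waiting areas",
         "Visitors reading ePHI off screens", "high", "medium"),
    Risk("Unencrypted email to business associate",
         "Interception or misdelivery of email", "medium", "high"),
    Risk("No office security policies",
         "Actions of workforce members", "medium", "medium"),
    Risk("Server room on ground floor", "Flood", "low", "high"),
    Risk("Outdated signage at reception",
         "Patient confusion about intake process", "low", "low"),
]


def summarize(flows=SAMPLE_FLOWS, risks=SAMPLE_RISKS):
    """Everything a first-pass report needs, as one dictionary."""
    return {
        "unencrypted_boundary": unprotected_boundary_flows(flows),
        "no_controls": undocumented_flows(flows),
        "register": [(r.vulnerability, r.score, r.rating)
                     for r in risk_register(risks)],
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(key, value)
```

Two of the sample flows surface immediately: the business-associate email is both unencrypted across the boundary and has no recorded safeguard, and the outgoing mail has no documented handling control, which is exactly the "where PHI leaves your entity" question from the scoping step. The register then orders remediation by the combined likelihood and impact rather than by whichever gap was noticed first.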
5. Determine the Likelihood of Threat O