Save on compliance and spend at thanksgiving!
Use coupon code TURKEY20 for 20% off.


Talk to us

Subscribe for Newsletters
HIPAA Risk Analysis

Is HIPAA Risk Analysis a requirement?

In order to effectively comply with § 164.308, an organization must conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the CIA of e-PHI held by the covered entity or business associate.

When should a HIPAA Security Risk Analysis be done?

A covered entity or business associate should conduct a security risk analysis periodically to update and document its security measures as needed, and when any of the following occurs:

  • New projects, technologies or applications are introduced that have the potential to impact the CIA of e-PHI or otherwise introduce compliance risk to the organization’s network.
  • When an exception to an IT policy or standard is submitted that has the potential to affect the security or privacy of e-PHI.
  • Before making changes to physical safeguards that could increase vulnerability of computer systems containing e-PHI.
  • When there are changes in external factors including but not limited to new threats or vulnerabilities, regulatory changes, changes in business requirements or conditions that could impact CIA of e-PHI.
  • When inappropriate disclosure of information has occurred that could impact compliance or present harm to the business, a client or an employee. This could include loss of an unencrypted laptop or other external media or unauthorized access to e-PHI. Please refer to the Breach Notification Rule for further details on assessing risk during a breach or incident affecting CIA of e-PHI.

What is the HIPAA Security Risk Analysis process?

Before beginning a security risk analysis it is crucial that the covered entity or business associate conduct a data discovery exercise involving all business unit representatives to identify and document where the organization is accessing, storing or transmitting e-PHI and identifying the assets involved. The risk assessment process must identify the assets and evaluate all threats, vulnerabilities, impact, likelihood and mitigating controls associated with those assets.

  • Assets: An asset can be information (data), hardware, software, personnel or a physical facility.
  • Threats: Identify and characterize threat sources of concern, including capability, intent, and targeting characteristics for adversarial threats and a range for non-adversarial threats. Identify potential threat events, relevance of the events, and the threat sources that could initiate the events.
  • Vulnerabilities: Identify the vulnerabilities associated with the system being evaluated developing a list of system vulnerabilities that could be exploited by the potential threat sources.
  • Impact: An impact assessment should consider the scope and magnitude of the overall business loss expected using measurable terms when possible.
  • Likelihood: The likelihood that an event will occur must be considered. The threat-source motivation and capability, the nature of associated vulnerability and existence and effectiveness of current controls should be considered.
  • Controls: Analyze the existing controls in place to minimize or eliminate the likelihood of a threat exercising a vulnerability. Controls should be evaluated for their effectiveness to determine residual risk.

The graphic below depicts how these elements can be combined to determine a level of risk.

Are there industry standards for conducting a HIPAA Security Risk analysis?

There are various security industry standards a covered entity and business associate can use when constructing and performing a security risk analysis to evaluate compliance with the HIPAA Security Rule, here are two:

  • National Institute of Standards and Technology (NIST) SP 800-53 Rev. 4. Guidance provided by Health and Human Services commonly refers to using NIST SP 800-53 when developing and implementing a HIPAA Privacy & Security Program. These standards are designed to assist organizations in developing a compliance and risk assessment program to comply with various federal laws and regulations, such as HIPAA Privacy & Security Rules.
  • HITRUST Risk Management Framework (RMF) is another framework example. HRF is a framework built around a basic four-step risk management process model designed to meet the specific needs of the healthcare industry: (1) identify data protection requirements, (2) identify controls, (3) implement and manage controls, and (4) assess and report.

Questions? Call one of our HIPAA experts today at 1-800-262-8146