February 22, 2018

4 Tips for a Successful HIPAA Risk Assessment

Conducting a successful HIPAA Risk Assessment, a requirement since 2003, can help you proactively identify potential risks and vulnerabilities to electronic health information data.

In 2003, when the original HIPAA Security Rule was issued, organizations that stored and used health information data were required to complete a HIPAA risk assessment. The HIPAA Security Rule was enacted to protect personal health information (PHI) by putting national standards and safeguards in place. This Security Rule included a safeguard for “Risk Analysis.”

Who needs a HIPAA Risk Assessment?
HIPAA risk assessments are intended for covered entities, business associates and organizations that use or transmit electronic health information. Covered entities include organizations that electronically transmit health information such as health care providers, insurance companies and health care clearinghouses, must have safeguards in place to protect the security of personal health information. Business associates and organizations include any organization that creates, maintains and transmits protected health information or PHI are also required to meet HIPAA requirements. This can include financial companies, billing companies, IT consulting firms, law firms and more.

Why is a HIPAA Risk Assessment important for my organization?
Data breaches have become increasingly common. According to a 2015 report by USA Today, over 40 percent of all data breaches in the prior three years (2011-2014) happened in the healthcare industry. As high as 91 percent of all health organizations had reported breaches from 2013-2015.

Maintaining strong security protocols for your organization regarding personal health information is essential. Using the HIPAA Risk Assessment can help you identify areas that pose security risks and to take appropriate measures to address these areas. Having a HIPAA Risk Assessment is also an important step in meeting compliance requirements for HIPAA.

Here are four essential tips to a successful HIPAA Risk Assessment:

1. Use the NIST Framework
The National Institute of Standards and Technology’s (NIST) Special Publication 800-30 has become the most widely adopted standard for conducting risk assessments and it is the most often referred to framework by the Department of Health and Human Services. Additionally, NIST has developed a “Security Risk Assessment Tool” that leverages NIST principles to help organizations comply with the cybersecurity requirements of the HIPAA Security Rule. The toolkit is free and comes with a comprehensive user guide and software application that runs on Windows, Mac and Linux operating systems.

Using the NIST framework will help your organization appropriately assess security risks so that your organization can take appropriate measures to address any vulnerabilities and remedy them.

2. Understand Your Scope
Scoping a HIPAA Risk Assessment should begin with where, when and how PHI data is stored, transmitted and processed. Be sure to include all third-party service providers or business associates which handle your organizations PHI data. Include all physical locations which house PHI data. And lastly, effectively identify all assets that may transmit, store or process PHI data.

3. Get Leadership Buy-in
It is essential that your organization’s leadership is united in how you approach risk assessments and risk management protocols. Hold any necessary meetings to discuss concerns and get your leadership aligned and working together to proactively protect your organization from cybersecurity hazards. Executive alignment can be pivotal in putting safeguards in place to protect sensitive health information.

4. Establish an Effective Risk Management Processes
Finally, develop an effective risk management processes. A well-executed risk assessment will have little value if the risks identified by the assessment are not managed. It is important to set risk management expectations for your information security and compliance team. You will need a process in place to manage identified risks and to take measures to stop and minimize any potential effects of those risks.

Working with a trusted senior assessor organization like Tevora with significant experience in HIPAA Risk Assessments can be very helpful. We can assist you in identifying cybersecurity risks your organization faces currently and implementing any changes you will need to make to safeguard your assets. We can also help you develop an effective risk management processes.

About the Author

John Huckeby is the managing director of healthcare and life sciences at Tevora.