The importance of HIPAA risk assessments

Failure to comply with HIPAA safety standards can lead to large fines and, in extreme cases, the loss of medical licenses. One of the most important steps related to HIPAA compliance is a risk assessment.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) sets out several guidelines for the adoption of portability and accountability rules regarding patient information. These guidelines stipulate that all medical and hospital services need to protect the personal information of their patients, commonly known as Protected Health Information (PHI).

What risk assessment entails
All organizations that handle PHI need to conduct a risk analysis if they wish to comply with HIPAA’s Security Rule and achieve HIPAA compliance.

But what does this process actually entail? According to the HHS Security Standards Guide, there are nine components that these entities need to include in their risk assessment report:

  • Scope of the Analysis: This covers any risk or hazard to PHI, whether to its security, integrity or availability, and extends to all devices on which PHI is accessed, stored or maintained, including IoT devices.
  • Data Collection: This refers to gathering all information about how PHI is stored, maintained, received or transmitted. If the entity uses an external provider for data hosting, that provider should supply a document fully describing how and where the entity’s data is stored.
  • Identify and Document Potential Threats and Vulnerabilities: This is one of the hardest steps of the process, as it can resemble looking for a needle in a haystack. However, identifying these potential sources of PHI-related trouble in advance is what allows an entity to act quickly should a problem actually occur.
  • Assess Current Security Measures: This is a listing of the security mechanisms that are already in place – some examples are encryption, multi-factor authentication, and so on.
  • Determine the Likelihood of Threat Occurrence: As the name implies, this item focuses on a “prediction” of just how likely threats are, which obviously has to take into account some of the items covered above.
  • Determine the Potential Impact of Threat Occurrence: Similar to the previous item, this is another “prediction” on the impact that a PHI-related incident could have.
  • Determine the Level of Risk: Per the determination of the HHS, this level of risk can be obtained by averaging the levels predicted in the two previous items.
  • Finalize Documentation: While there are no guidelines regarding the format or exact content of this document, it does need to exist in written form.
  • Periodic Review and Updates to the Risk Assessment: Contrary to common belief, the risk assessment process is not a one-time exercise. HIPAA requires periodic updates to it, and also recommends a new risk assessment whenever new technologies or business operations are introduced.

The many benefits of conducting a risk assessment
Beyond the fact that a risk assessment is a compulsory part of HIPAA compliance, there are many benefits to doing it. The first is that it forces entities to completely review their systems, processes, hardware and more – essentially the entire infrastructure.

This makes it easy to find weak spots where issues are to be expected, which gives entities a golden opportunity to either fix the problem immediately or to closely monitor it and the way things evolve around it. This also makes it easier to avoid any issues coming from a potential HIPAA audit.

In addition, the requirement that risk assessments be repeated periodically and whenever the infrastructure changes is itself an advantage, as it lets entities review the potential vulnerabilities in their systems before a problem occurs, which can save a great deal of money in potential fines.

Even though this is a lengthy and potentially expensive process in terms of the man-hours it requires, the benefits of conducting a risk assessment far outweigh the downsides.

Ensuring your company’s risk assessment compliance

There are a number of steps that can be taken to ensure that a risk assessment is indeed HIPAA compliant. For example, if the risk assessment will be done in-house, the Office for Civil Rights (OCR) has shortlisted two tools that give companies a framework for the process.

The first is the Security Risk Assessment Tool (SRA), developed by the Office of the National Coordinator (ONC) for Healthcare Information Technology. SRA consists of 156 questions, each with accompanying explanatory material that helps users understand the question and its context.

Despite its merits, SRA is designed for small companies and does not take into account some of the specificities and complexities of larger organizations.

The other tool shortlisted by OCR is the Risk Assessment Toolkit, developed by a team of Health Information Management Systems Society professionals. It comes with a large set of resources: a PDF user guide, Excel workbooks with NIST risk analysis references, application and hardware inventory workbooks, HIPAA Security Rule standards and implementation specifications, and a defined safeguards workbook.

If the risk assessment will be outsourced, opt for security specialists who are familiar with healthcare, healthcare technologies and HIPAA. HIPAA does not specify whether the risk assessment should be handled by the entity itself or by an external provider, so the choice depends on each entity’s situation – some even opt for a mixed model, in which assessments are done both internally and externally.

Marty Puranik co-founded Atlantic.Net from his dorm room at the University of Florida in 1994. As CEO and President of Atlantic.Net, one of the first Internet Service Providers in America, Marty grew the company from a small ISP to a large regional player, while observing America's regulatory environment limit competition and increase prices for consumers. To keep pace with a changing industry, over the years he has led Atlantic.Net through the acquisition of 16 Internet companies, tripling the company's revenues and establishing customer relationships in more than 100 countries. Providing cutting-edge cloud hosting before the mainstream did, Atlantic.Net has expanded to seven data centers in three countries, with a fourth pending.