In our ongoing series on the Health Insurance Portability and Accountability Act (HIPAA), we have examined provisions of this sweeping act and what types of medical practices and ancillary businesses are affected. If your business relates in any way to HIPAA and patient information security, you need to know how to ensure your business is HIPAA-compliant.
Section 164.308 of the Code of the HIPAA Privacy and Security Rule requires “covered entities” (healthcare organizations and healthcare providers) to:
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
In other words, conducting an in-depth risk analysis of your business is a key requirement of the HIPAA compliance process – a federally mandated necessity for all U.S. healthcare organizations and healthcare providers.
The risk analysis aims at ensuring the integrity of all electronic Protected Health Information (ePHI), created, stored or transmitted in laptops, faxes, tablets, smartphones, and other digital devices. Here are steps that should be included in a risk analysis:
Identify the scope of the risk assessment. What potential risks and vulnerabilities threaten the privacy and integrity of your ePHI? Start by identifying every form of electronic media your business utilizes. Also include an assessment of the quality of network security between various business locations, as well as the terms of your HIPAA hosting agreements with third-party or Business Associates (any organization or individual who serves as a vendor or subcontractor with access to ePHI).
Gather data. Data should also be collected specifically on where ePHI is stored, received, maintained and/or transmitted.
Pinpoint and document potential threats and vulnerabilities. It’s up to you to anticipate possible HIPAA privacy rule violations. Identify potential threats to sensitive and confidential patient information as well as any flaws or weaknesses in your information security systems that might lead to leaking of ePHI.
Evaluate your existing security measures. After identifying potential threats and vulnerabilities, the risk analysis should include a comprehensive assessment of your existing security measures (encryption, two-step verification, administrative and technical safeguards for mobile devices, etc.).
Determine the probability of threat occurrence. What is the likelihood that your ePHI can or will be breached? Gauging the probability of an actual event will help you prioritize your security measures and policies.
Assess the potential impact of threat occurrence. In the event of a data breach, how will your business (and customers) be affected? What is the scope of data that might be leaked (medical records, for example, or confidential patient billing information)?
Determine risk level if a threat occurs. Assess and document the level of risk to your ePHI and indicate the actions your organization can take to alleviate that risk.
Complete your documentation. Although HIPAA regulations don’t specify a particular format to document your analysis, everything included in your risk assessment must be put in writing.
Conduct periodic threat assessments and review of security measures. Ongoing risk analysis is required by HIPAA. The Department of Health and Human Services suggests conducting a risk analysis whenever your organization adopts new business operations or implements new technology. It is vitally important to maintain the integrity of your current safeguards and upgrade them as needed to meet future changes in your business.
Unless you complete a thorough risk analysis (and fully document it), your business will not be HIPAA-compliant, which puts you at risk for costly HIPAA privacy rule violations.