The Health Insurance Portability and Accountability Act (HIPAA) requires all covered entities to conduct an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, availability and integrity of electronic protected health information (ePHI). This process must be documented as a Risk Analysis. Covered entities must develop a Risk Analysis at their inception and review the Risk Analysis at least annually to identify potential changes to their information systems, physical environment, and/or the regulatory environment that may affect how they handle ePHI.
When performing a Risk Analysis, entities should review the HIPAA regulations and recommendations from the National Institute of Standards and Technology (NIST). Although federal agencies are the only entities required to comply with NIST, these guidelines act as the industry standard and should be followed by all covered entities.
Generally, a Risk Analysis is performed by the entity’s Security Officer. HIPAA requires each entity to have a designated Security Officer. This designation must be in writing. The designated Security Officer must be familiar with the entity’s operations and competent in Information Technology. In accordance with NIST standards, the Security Officer should take the following steps to create or review the Risk Analysis:
- Determine where the entity’s ePHI is stored;
- Interview management to determine how workforce members utilize ePHI;
- Review access security settings and controls of the information systems;
- Determine the present and potential threats to ePHI;
- Determine the likelihood and impact of current and potential threats and assign them a risk level of high, medium or low;
- Document the Risk Analysis process and attach it to the updated Risk Analysis; and
- Work with management to resolve all threats within a reasonable period, with priority given to issues of higher risk and vulnerability.
Risk Analysis Content
A Risk Analysis shall include the evaluation of administrative, technical and physical safeguards.
Administrative Safeguards are defined as “administrative actions, and policies and procedures, to manage the selection, development, implementation and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.[1] Administrative safeguards include the following:
- Assigned Security Responsibilities
- Security Management
- Information Access Management
- Business Associate Agreements
- Security Incident Procedures
- Security Awareness and Training
- Workforce Security
- Contingency Plans
- Evaluation
Technical safeguards are defined as “technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”[2] Technical safeguards include the following:
- Access Controls
- Audit Controls
- Integrity
- Person or Entity Authentication
- Transmission Security
Physical safeguards are defined as “physical measures, policies, and procedures to protect a covered entity‘s or business associate‘s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”[3] Physical safeguards include the following:
- Facility Access Controls
- Workstation Use
- Workstation Security
- Device and Media Controls
The completed Risk Analysis must be maintained for at least six (6) years and should be kept in paper and electronic form.
Risk Analysis vs. Risk Management
Health care entities often confuse Risk Analysis and Risk Management. While a Risk Analysis serves to identify threats and estimate their risks, Risk Management is the process of managing identified risks. Risk Management consists of the development of policies and procedures that dictate how to address identified risks.
Several Risk Analysis Tools exist that entity’s can utilize. However, the Department of Health and Human Services (HHS) encourages entities to seek expert advise when completing a Risk Analysis to ensure that the Risk Analysis is accurate and thorough. Additionally, the National Institute of Standards and Technology (NIST) has produced a series of publications that can assist covered entities with understanding information technology security. Those publications can be viewed by visiting http://csrc.nist.gov/publications/PubsSPs.html.
A proper Risk Analysis is a necessity not only because it is required by HIPAA regulations, but also because it offers the entity the best opportunity to identify and deal with risks associated with the preservation of ePHI. Finally, in the event a covered entity has to answer for a breach of PHI, the failure to produce a proper Risk Analysis could lead to sufficient justification for punitive action by HHS.
[1] 45 CFR 164.304
[2] 45 CFR 164.304
[3] 45 CFR 164.304
The Dunson Group is a health care compliance law firm in Montgomery, Ala., focused on helping health care providers meet regulatory requirements. Samarria Dunson, J.D., CHC, CHPC is attorney/principal of Dunson Group, LLC, and regularly contributes articles of special interests to physicians and practice managers.