How to Perform a HIPAA Risk Assessment to Stay Compliant?

Srividhya Karthik

Oct 12, 2024

The HHS Office for Civil Rights (OCR) directs healthcare entities to implement safeguards for the privacy and security of patients’ protected health information (PHI), including electronic PHI (ePHI), and to ensure HIPAA compliance. The first crucial step in this direction is to conduct a HIPAA risk assessment, which identifies critical risks and security loopholes.

A risk assessment helps healthcare entities identify critical vulnerabilities and external threats, strengthen their controls, ward off breaches, leaks and loss of business, and even keep bad PR at bay.

TL;DR

  • A HIPAA risk assessment helps protect the confidentiality, integrity, and availability of PHI.
  • The three types of HIPAA risk assessment are security risk assessments, privacy risk assessments, and breach risk assessments.
  • To conduct a risk assessment, identify where data is stored, identify threats and vulnerabilities, evaluate the likelihood of threat occurrence, document the mitigation measures, and periodically review the risk assessment.

What is HIPAA Risk Assessment?

A HIPAA risk assessment helps organizations pinpoint security gaps affecting the confidentiality, integrity and availability of Protected Health Information (PHI). It also helps healthcare providers ensure compliance with the HIPAA Security Rule and HIPAA Privacy Rule by assessing the effectiveness of physical, technical and administrative safeguards. This helps covered entities proactively identify, prioritize, mitigate, manage, and remediate security risks.

In the words of Stéphane Nappo, “Even the bravest cyber defense will experience defeat when weaknesses are neglected.”

The risks and vulnerabilities identified can impact the confidentiality and integrity of the electronic PHI (ePHI) in your environment.

  • Covered entities such as healthcare providers (doctors, hospitals, clinics etc.), health plans, and healthcare clearinghouses that directly deal with sensitive patient health information must conduct HIPAA assessments.
  • Business associates that provide services to covered entities such as medical billing companies, claim processors etc. indirectly deal with or use ePHI. Hence, they are required to comply with HIPAA regulations and carry out regular assessments.
  • HIPAA assessments must be conducted annually, and whenever new technology or significant changes are introduced, such as upgrades to your health information technology systems and processes.

Why is HIPAA Risk Assessment important?

HIPAA risk assessment is important because it forms the basis for identifying and implementing safeguards that comply with the HIPAA Security Rule standards. It’s a mandatory HIPAA requirement and can attract fines from the Office for Civil Rights (OCR) for noncompliance; penalties can range from $100 to $50,000 per violation up to a maximum of $1.5 million per year for each violation.

Here are some of the outcomes that get decided based on the security risk assessment (SRA):

[Figure: outcomes decided by the security risk assessment]

While risk assessment is foundational to the HIPAA Security Rule, it doesn’t prescribe a specific methodology to go about it. Instead, it establishes several objectives you must achieve, no matter the assessment methodology. 

The outcome of the annual HIPAA risk assessment should help organizations assess whether an implementation specification or an equivalent measure is reasonable and appropriate.


Types of HIPAA risk assessment

HIPAA advocates for various types of risk assessments to ensure airtight security of ePHI and address all concerning risks. Health-tech businesses must perform all of these HIPAA annual risk assessments as each has its specific objective and protection focus.

Broadly there are 3 types of HIPAA risk assessments:

HIPAA security risk assessments

The HIPAA Security Rule stipulates the need to test the effectiveness of implemented safeguards in order to stay on top of risks and vulnerabilities to PHI. As such, a HIPAA security risk assessment requires you to ensure the confidentiality, integrity and availability of sensitive health information by evaluating risks such as inadequate access controls, unencrypted data and system security vulnerabilities, among others.

What is the role of business associate agreements?

Business associate agreements must communicate the expectation of compliance with the Security Rule. Business associates must also report any data breach incidents to the covered entity for transparency and accountability.

HIPAA privacy risk assessments

HIPAA privacy rule risk assessments assess the flow of PHI across systems and networks both internally and externally to identify potential risks to a patient’s data privacy.

What is the role of a privacy officer in privacy risk assessments?

Depending on the size and complexity of the organization, a privacy officer can be appointed to:

  • Ensure adherence to HIPAA privacy rule and develop a privacy compliance program
  • Identify security gaps which can expose the PHI to unauthorized individuals
  • Monitor employee activities and arrange for workforce training
  • Strive for continuous improvement

HIPAA breach risk assessments

HIPAA breach risk assessments are conducted at the time of a data breach whenever a patient’s health information is compromised. The objective is to assess the severity and impact of associated risks and initiate measures for improvement. 

However, if an organization does not perform a breach risk assessment after an incident, it must notify affected individuals about the unauthorized access or impermissible disclosure.

The best advice is not to skip these assessments, and so avoid the regulatory scrutiny that follows a data breach.

How to conduct a HIPAA Risk Assessment: Eight steps

HIPAA mandates that covered entities and their business associates perform regular risk assessments to identify vulnerabilities, manage breaches, and mitigate potential risks to ePHI.

Here’s an 8-step HIPAA risk assessment guide you can use to help you through the process:


1. Understand the scope of risk assessment

The scope of your organization’s security risk assessment must take into account all of its ePHI, regardless of the electronic medium or the location of the ePHI.

What Sprinto experts say

60% of health tech businesses struggle with scope definition and HIPAA risk assessment requirements. Make quick work of your scoping exercise with Sprinto. Speak with our compliance expert now.

2. Know your Data

You must identify where identifiable health information is stored, received, maintained or transmitted in your organization. You could review the organization’s past and existing projects, perform interviews, review documentation, and use other data-gathering techniques to collect all the information needed for the risk assessment. Document everything you gather about your ePHI.

How should you evaluate the data around ePHI?

The Department of Health and Human Services (HHS) offers examples of questions organizations must ask at this stage:

  • Have you identified the ePHI within your organization? This includes ePHI that you create, receive, maintain or transmit.
  • What are the external sources of ePHI? For example, do vendors or consultants create, receive, maintain or transmit ePHI?

Note: The amount of effort and commitment required to identify data across your electronic and non-electronic systems depends largely on a) the volume of data you process and b) the complexity of your IT infrastructure.

For example, suppose a small organization with mostly non-automated processes uses paper to store its medical data. In that case, it might be able to identify all sources of information by auditing one department. Compare this to larger entities, which usually depend on multiple endpoint devices, information systems, and physical locations to store data. 


3. Identify and Document Potential Threats and Vulnerabilities

Once you know where your data is stored, identify and document the potential threats to ePHI. What are the human, natural, and environmental threats to information systems that contain ePHI? You must also determine the threats that are unique to your environment.

HIPAA makes a clear distinction between threats and vulnerabilities. 

It defines a vulnerability as a flaw or weakness in the design, implementation, or controls that could be triggered by accident or exploited on purpose, resulting in a security breach. A threat is defined as the potential for an individual to exploit such a vulnerability.

Due to this distinction, you must document threats and vulnerabilities separately. 

How do we document threats as per HIPAA?

To document threats, follow these processes:

  • Identify and compile all threats according to their categorization (human, natural, and environmental).
  • Once identified, right-size the list by keeping only the reasonably anticipated threats. Do this by filtering out threats that pose low or no risk. For example, if your business is located in an earthquake-free zone, earthquakes need not be listed as a natural threat.
  • Analyze multiple information sources, such as the history of internal data theft, policy violation reports, the staff that handle ePHI, and input from system admins, to identify human threats.

How to document vulnerabilities under HIPAA?

To document vulnerabilities, you should:

  • Identify technical and non-technical vulnerabilities in your information systems.
  • Consult sources such as the results of prior risk assessments of your information systems, system security test results, and publicly available vulnerability lists.
  • If you are a small entity whose information systems are handled by third parties or business associates, work with them to identify vulnerabilities.

How Sprinto can help here

Sprinto has an in-built library of risks covering most risks faced by cloud-first companies. Simply choose the risks that apply and leverage quantitative security and privacy risk assessments. You will also be able to see a bird’s eye view of the overall risk exposure on the dashboard and manage them centrally from the platform.

4. Assess Current Security Measures 

The next step is to ascertain the effectiveness of your existing security measures to protect ePHI and evaluate whether they are appropriate and effective; if yes, assess whether they are configured and used correctly. These safeguard measures will vary depending on the size and complexity of the organization and can be both technical and nontechnical. 

Technical measures include access controls, authentication, data encryption, automatic session timeout, and audit controls. Non-technical measures include security policies, guidelines, operational controls, and physical security measures.

Don’t forget to document the measures you have already implemented, along with your assessment of them. The documentation should identify whether the security measures required by the HIPAA Security Rule are implemented and whether the controls are correctly configured. Sprinto’s continuous compliance monitoring capabilities will help you stay on top of security and compliance. The implemented controls are monitored at a granular level and automated alerts are raised for any drift. The pending controls that must still be implemented are highlighted on the health dashboard to give you a quick snapshot of the remaining work. See Sprinto in action.

5. Determine the likelihood of threat occurrence and its potential impact

Next, determine the likelihood of occurrence for each identified threat and vulnerability. You could label the likelihood of occurrence as high, moderate, or low, or assign numbers (1, 2 and 3).

Next, determine the potential impact (qualitatively and/or quantitatively) on the confidentiality, integrity, and availability of ePHI if such a threat or vulnerability were to occur. For instance, it could be unauthorized access, loss of data, and more.

How to rate risks according to likelihood?

You can use a three-level scale (low/medium/high) to rate the likelihood of each risk.

  • High likelihood means that the threat can exploit multiple vulnerabilities. This happens when there are several deficiencies.
  • Medium likelihood means that the threat can impact one or more vulnerabilities due to one deficiency.
  • Low likelihood means that a single vulnerability can be exploited due to a single deficiency.

The output of this step should be detailed documentation of the likelihood of a threat occurrence and its potential impact on the ePHI. 

6. Determine the Level of Risk and Corrective Actions

The next step is to assign risk levels for all the threat and vulnerability combinations. The level of risk could be determined, for example, by analyzing the values assigned to the likelihood of threat occurrence and the resulting impact of threat occurrence.

The HHS suggests that you could determine the risk levels based on the average of the assigned likelihood and impact levels. You must now identify the potential security measures that you can implement to reduce each risk to a reasonable level.

Security measures include organization policies, procedural requirements, and specific technical safeguards such as encryption, data backup, and more. 

The impact evaluation method can be qualitative or quantitative. You should consider the pros and cons of each method for determining the impact or use a combination of both as you see fit. 

The qualitative method uses a scale of low to high, while the quantitative method uses a numerical scale to evaluate the cost of resources.

As with every step, document the assigned risk levels and the list of corrective actions you must take to mitigate each risk.

Sprinto has a risk-scoring module with details on impact, likelihood, inherent risk, residual risk and other details along with risk response recommendations to help you navigate these intricacies.

7. Finalize Documentation 

HIPAA places much emphasis on maintaining documentation. So, ensure you document your HIPAA assessment process diligently at every step. The documentation is evidence that you executed the HIPAA risk assessments in all earnest and may stand you in good stead in the event of a breach or a regulatory oversight that shows up in an OCR-led audit of your HIPAA privacy risk and HIPAA security risk compliance.

‘Good faith efforts’ are seen in a good light by the OCR. 

What should your documentation for HIPAA risk assessment include?

Your documentation should include:

  • Security measures that can minimize the identified risks to an acceptable level
  • Potential security measures that can minimize risks to ePHI
  • The risk analysis process, including the result of each step and the security measures identified

Note: While documentation is compulsory, there is no specific format.
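A worked risk register covering steps 3 through 7, added here as an example that is not Sprinto’s code or part of the original article: threats and vulnerabilities are kept as separate records, each threat/vulnerability pairing gets a 1 to 3 likelihood and impact rating, the risk level is their average as HHS suggests, and the output is a documented list of corrective actions. The threat, vulnerability, rating and action values are constructed sample data.

```python
# Risk register for steps 3 to 7 (example code, not Sprinto's). Threats and
# vulnerabilities are recorded separately, each pairing gets a 1-3 likelihood
# and impact, and the risk level is their average, as HHS suggests.
from dataclasses import dataclass
from itertools import product

LEVELS = {1: "Low", 2: "Medium", 3: "High"}

@dataclass(frozen=True)
class Threat:
    name: str
    category: str                        # human, natural or environmental
    reasonably_anticipated: bool = True  # step 3: drop low/no-risk threats

def risk_level(likelihood: int, impact: int) -> str:
    """Average of likelihood and impact, rounded half up so a 2.5 is High
    (Python's round() would give 2 through bankers' rounding)."""
    return LEVELS[min(3, int((likelihood + impact) / 2 + 0.5))]

def build_register(threats, vulns, ratings):
    """Pair each reasonably anticipated threat with every vulnerability it is
    rated against; ratings maps (threat name, vulnerability) -> (likelihood,
    impact). Rows come back highest risk first."""
    rows = []
    for t, v in product(threats, vulns):
        if t.reasonably_anticipated and (t.name, v) in ratings:
            lik, imp = ratings[(t.name, v)]
            rows.append({"threat": t.name, "vulnerability": v, "likelihood": lik,
                         "impact": imp, "score": (lik + imp) / 2,
                         "level": risk_level(lik, imp)})
    return sorted(rows, key=lambda r: r["score"], reverse=True)

def document(register, actions_by_level):
    """Step 7 output: one line per risk with its corrective action."""
    return [f"{r['level']:<6} {r['threat']} / {r['vulnerability']} -> "
            f"{actions_by_level[r['level']]}" for r in register]

# Constructed sample data for the demonstration.
THREATS = [
    Threat("Insider copies patient records", "human"),
    Threat("Ransomware delivered by phishing", "human"),
    Threat("Earthquake at the data center", "natural", reasonably_anticipated=False),
]
VULNS = ["Shared admin account on the EHR server", "No offline backups of ePHI",
         "Workforce security training not tracked"]
RATINGS = {
    ("Insider copies patient records", "Shared admin account on the EHR server"): (3, 3),
    ("Ransomware delivered by phishing", "No offline backups of ePHI"): (2, 3),
    ("Ransomware delivered by phishing", "Workforce security training not tracked"): (2, 2),
    ("Earthquake at the data center", "No offline backups of ePHI"): (1, 3),
}
ACTIONS = {"High": "remediate immediately and track to closure",
           "Medium": "schedule remediation this quarter",
           "Low": "accept, monitor and re-check at the next annual review"}

if __name__ == "__main__":
    print("\n".join(document(build_register(THREATS, VULNS, RATINGS), ACTIONS)))
```

The earthquake threat is dropped because it is not reasonably anticipated, and the 2.5 average is rounded up to High rather than down to Medium.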

How Sprinto can help here:

Sprinto collects evidence automatically against each corrective action and control to make it easier for the auditor to understand context. The evidence is presented on an independent dashboard for easy collaboration and minimizing time taken for audits.

8. Periodic Review and Updates to the Risk Assessment

The HIPAA security risk analysis process isn’t a ‘one-and-done’ event. While the Security Rule doesn’t specify a frequency, risk assessments should be conducted at least once a year or following significant organizational changes, such as the addition of new technologies or business operations, or a security incident.

For instance, if your covered entity experiences a breach or sees a change in ownership, you must adjust your risk weights and deploy security measures accordingly to ensure ePHI remains protected. If the analysis shows insufficient protection against the newly-added risks, you must implement additional security safeguards in time. 

For a detailed overview, look up the HHS guidance on its security risk assessment tool. The tool is designed to help healthcare providers conduct a security risk assessment as required by the HIPAA Security Rule.

Also check out: How to become HIPAA certified

Automate your HIPAA Risk Assessment with Sprinto

As you would have noticed by now, HIPAA security rule risk assessment is pretty detailed. Lapses in your risk assessment can snowball into breaches and huge penalties if left uncorrected. And that you have to do this assessment each year with the same diligence, if not more, can be overwhelming. 

Sprinto’s compliance automation platform streamlines HIPAA risk management by facilitating the roll-out of pre-built HIPAA policies across the organization, enabling scheduled security training, and automating routine security checks and risk assessment activities. You can also capture all the evidence you need without having to sift through multiple locations. This means your HIPAA implementation is done in weeks rather than months.

Talk to us today to learn more about how Sprinto can help you kickstart your HIPAA compliance journey.

FAQs

How often should you conduct a HIPAA risk assessment?

You should conduct a HIPAA risk assessment at least once a year. It is recommended to re-evaluate your risk posture whenever new technologies are implemented, business operations undergo significant changes, the IT infrastructure undergoes significant updates, new regulations are added, or an incident occurs.

What are the core elements of HIPAA risk assessment?

The core elements of HIPAA risk assessment include identifying potential threats and vulnerabilities that affect the confidentiality, integrity, and availability of ePHI, evaluating the likelihood and impact of risks to PHI, implementing security measures to mitigate risks, and continuously monitoring and updating the risk management plan.

What is the difference between HIPAA risk assessment and HIPAA compliance assessment?

HIPAA risk assessments are focused on identifying potential vulnerabilities affecting ePHI. HIPAA compliance assessments on the other hand evaluate the adherence to HIPAA rules such as HIPAA security rule, HIPAA breach notification rule etc. While the former is an ongoing exercise, the latter is conducted periodically.

Who is responsible for conducting HIPAA risk assessments?

HIPAA risk assessments are the responsibility of HIPAA compliance officers or other compliance officials. In certain instances, organizations may appoint third-party experts for the risk assessment exercise.

Does HIPAA require security risk analysis?

The Security Rule requires covered entities and business associates to undergo risk assessments to determine the risks and vulnerabilities that can impact the confidentiality, integrity and availability of electronic PHI (ePHI) in their environment.  An understanding of the security rules will help you here.

What is HIPAA risk management?

The HIPAA risk management process consists of the corrective actions and additional safeguards and security measures that organizations undertake following a thorough HIPAA security risk analysis. Risk management dynamically manages the risks to ePHI while ensuring no HIPAA rule is unmet.

Srividhya Karthik
Srividhya Karthik is a Content Lead at Sprinto, where she artfully transforms the complex world of compliance into accessible and intriguing reads. Srividhya has half a decade of experience in the compliance world across frameworks such as SOC 2, ISO 27001, GDPR and more. She is a formidable authority in the domain and guides readers with expertise and clarity.
