Failure to comply with HIPAA safety standards can lead to large fines and, in extreme cases, the loss of medical licenses. One of the most important steps related to HIPAA compliance is a risk assessment.
The Health Insurance Portability and Accountability Act (HIPAA) sets out several guidelines for the adoption of portability and accountability rules regarding patient information. These guidelines stipulate that all medical and hospital services need to protect the personal information of their patients, commonly known as Protected Health Information (PHI).
Failure to comply with HIPAA safety standards can lead to large fines and, in extreme cases, the loss of medical licenses. One of the most important steps related to HIPAA compliance is a risk assessment.
What risk assessment entails
All organizations that handle PHI need to conduct a risk analysis if they wish to comply with HIPAA’s Security Rules and achieve HIPAA compliance.
Want to publish your own articles on DistilINFO Publications?
Send us an email, we will get in touch with you.
But what does this process entail, really? According to the HHS Security Standards Guide, there are nine components that these entities need to include on their risk assessment report:
- Scope of the Analysis: This refers to any risk or hazard that may fall upon PHI, whether it is PHI’s security, integrity or availability, and also affects all devices in which PHI is accessed, stored or maintained, including devices with IoT.
- Data Collection: This refers to the gathering of all information related to PHI, mainly its storage, maintenance, receipt or transmission. If the entity is using an external provider for data hosting, this provider should facilitate a document with a full description of how and where the entity’s data is being stored.
- Identify and Document Potential Threats and Vulnerabilities: This is actually one of the hardest steps of the process as, sometimes, it is similar to looking for a needle in a haystack. However, identifying these potential sources of PHI-related trouble can be key when the time to act comes, should any problem really occur.
- Assess Current Security Measures: This is a listing of the security mechanisms that are already in place – some examples are encryption, multi-factor authentication, and so on.
- Determine the Likelihood of Threat Occurrence: As the name implies, this item focuses on a “prediction” of just how likely threats are, which obviously has to take into account some of the items covered above.
- Determine the Potential Impact of Threat Occurrence: Similar to the previous item, this is another “prediction” on the impact that a PHI-related incident could have.
- Determine the Level of Risk: Per the determination of the HHS, this level of risk can be obtained by averaging the levels predicted in the two previous items.
- Finalize Documentation: While there are not any guidelines regarding the format or exact content of this document, it does need to exist in the written format.
- Periodic Review and Updates to the Risk Assessment: Contrary to common belief, the risk assessment process is not a one-time thing. In fact, HIPAA does require periodical updates to it, and also recommends new risk assessments when new technologies or business operations are implemented.
The many benefits of conducting a risk assessment
Other than the fact that risk assessment is a compulsory part of HIPAA compliance, there are many benefits that arise out of doing it. The first is that it forces entities to completely review their systems, processes, hardware and more – basically the entire infrastructure.
This makes it easy to find weak spots where issues are to be expected, which gives entities a golden opportunity to either fix the problem immediately or to closely monitor it and the way things evolve around it. This also makes it easier to avoid any issues coming from a potential HIPAA audit.
In addition, the fact that risk assessments should be done periodically and whenever there are changes to the infrastructure is yet another advantage, as it allows entities to review all the potential vulnerabilities lying in their systems before a problem occurs, which can mean saving a lot of money from potential fines.
Even though this is a lengthy and potentially expensive process in terms of the man-hours it requires, the benefits of conducting a risk assessment far outweigh the downsides.
Ensuring your company’s risk assessment compliance
There are a number of steps that can be taken in order to ensure that a risk assessment is indeed HIPAA compliant. For example, if the risk assessment will be done in-house, the Office of Civil Rights (OCR) has shortlisted two tools that give companies a framework for this process.
The first one is called the Security Risk Assessment Tool (SRA) and was developed by the Office of the National Coordinator (ONC) for Healthcare Information Technology. SRA brings 156 questions with accompanying questions, which provides valuable assistance for users to understand each question and its context.
Despite the merits of SRA, this tool is designed for small companies and fails to take into the equation some of the specificities and complexities of larger organizations.
The other tool shortlisted by OCR is called the Risk Assessment Toolkit and was developed by a team of Health Information Management Systems Society professionals. This tool comes with a lot of resources, namely a PDF user guide, Excel workbooks with NIST risk analysis references, application, and hardware inventory workbooks, HIPAA Security Rule standards, implementation specifications, and a defined safeguards workbook.
If the risk assessment will be outsourced, try to opt for security specialists who are familiar with healthcare, healthcare technologies and HIPAA. In reality, HIPAA does not specify whether the risk assessment process should be handled by the entities themselves or by external providers, so it really depends on the specific situation of each entity – some even opt for a mixed model, where these assessments are done both internally and externally.
Date: October 03, 2019
Source: MedCity News