Risk analysis includes identifying where ePHI is created, received, maintained, or transmitted. Organizations can discover potential risks to their systems and the appropriate measures to mitigate threats by assessing external and internal elements.
What is a risk analysis?
The risk analysis is a foundational step in compliance with the standards of the HIPAA Security Rule. Section 164.308(a)(1) of the rule provides that healthcare organizations are required to, “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”
Conducting a risk analysis is one of four required implementation specifications for the Security Management Process. The analysis is a method of benchmarking the organization's security posture and assessing the adequacy of operational and environmental capabilities.
The stages of a risk analysis
Identification of ePHI
The process begins with an inventory of all information systems, applications, and devices that handle ePHI. It looks at databases, email systems, mobile devices, and backup systems. Organizations must map the data lifecycle, documenting where ePHI is generated, stored, accessed, and transmitted.
External parties like vendors and consultants are also assessed to understand the ePHI they handle on behalf of the organization. The assessment of business associates involves:
- An evaluation of the safeguards implemented to secure ePHI.
- Confirmation of their ability to notify the covered entity and the required individuals in case of a breach.
- A review of their history of security incidents or breaches and how they handled them.
- Confirmation that the business associate agreement (BAA) is valid and that its terms are being upheld.
- An assessment of the validity of any third-party certifications or previous risk assessments they have undergone.
Risk and vulnerability assessment
After taking inventory of the ePHI and its storage and transmission points, the next step is to assess those points. Methods like data mapping and network analysis help trace the flow of ePHI across systems and identify vulnerabilities in hardware, software, or workflows. Vulnerability scanning and penetration testing are also useful tools for uncovering weaknesses in the IT infrastructure.
As operations are driven by staff, this step also involves assessing human threats to the organization: reviewing employee access to ePHI, the efficacy of training programs, and testing for insider misuse of ePHI. Equally necessary is assessing preparedness for natural threats (like floods or hurricanes that could take systems down) and environmental threats (like system failures), identified through physical inspections of the facility and a review of maintenance protocols.
Evaluation of security measures
Organizations should evaluate their existing administrative, physical, and technical safeguards by assessing each category against the Security Rule standards.
- Administrative safeguards like security policies and workforce training should be reviewed to ensure they are current.
- Physical safeguards like access controls to equipment and facilities should be checked for adequacy in preventing unauthorized physical access or environmental hazards.
- Technical safeguards like encryption should be assessed for their ability to protect ePHI from cyber threats.
Documentation and reporting
Organizations should use documentation to justify their risk analysis conclusions and the selected security measures by clearly outlining the rationale behind their decisions. This includes recording the identified risks, vulnerabilities, and threats to ePHI and the methods used to assess them. Organizations should document how they determined that certain safeguards were “reasonable and appropriate” for their specific operational environment.
The steps include:
- Document the identified risks, vulnerabilities, and threats to ePHI. Record the methods used to assess risks and determine their severity.
- Justify the chosen security measures based on the organization's specific needs.
- Explain any decisions to exclude or modify recommended safeguards.
- Note how each safeguard addresses the confidentiality, integrity, and availability of ePHI.
- Keep records of any risk mitigation strategies or corrective actions taken.
The tools and resources available to healthcare organizations
According to the NIST Security Content Automation Protocol, “The NIST HIPAA Security Toolkit Application is intended to help organizations better understand the requirements of the HIPAA Security Rule, implement those requirements, and assess those implementations in their operational environment.”
One of the primary resources is the NIST HIPAA Security Toolkit developed by the National Institute of Standards and Technology (NIST). The toolkit provides guidelines for conducting a thorough risk analysis, making it a necessary tool for both large and small healthcare organizations.
The HIPAA SRA Tool developed by the Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR) is another valuable resource. The SRA Tool is particularly beneficial for small to medium healthcare practices as it simplifies the process of evaluating risks to ePHI and provides them with a step-by-step guide.
FAQs
What is the difference between addressable and required implementations?
Required implementation specifications are mandatory measures that an organization must implement to protect ePHI. These are non-negotiable, while addressable specifications offer more flexibility, as organizations have the option of choosing alternative approaches.
What is the justification for choosing not to implement addressable implementations?
Not implementing an addressable specification should be justified by the organization's risk analysis finding the measure unnecessary. Reasons could include the objective of the specification not falling within the organization's purview, or the organization being too small for such a measure to be warranted.
What are risk management policies?
They are a set of guidelines and procedures that an organization uses to identify, assess, and monitor risks to information systems.