The Security Rule ensures the confidentiality, integrity, and availability of protected health information (PHI). And HIPAA security risk assessments are one crucial part of Security Rule compliance, along with other administrative, technical, and physical safeguards.
If you’re seeking assistance with HIPAA compliance, schedule a free consultation today.
HIPAA Risk Assessment and Management 101
The Health Insurance Portability and Accountability Act (HIPAA) requires organizations to safeguard protected health information (PHI) against unauthorized access. The Privacy Rule identifies conditions under which it can be accessed, and the Security Rule establishes two primary measures for ensuring those conditions are met. Namely, they are:
- HIPAA risk assessment, identifying potential risks to inform mitigation
- HIPAA risk management, including implementing preventive controls
The best way to meet these requirements and ensure HIPAA compliance is to work with a compliance advisor who will help you scope, implement, and maintain your risk management.
HIPAA Security Risk Assessment
The main purpose of the Security Rule is to ensure the confidentiality, integrity, and availability of PHI. The Department of Health and Human Services (HHS) requires organizations to prevent PHI from being accessed inappropriately, changed or deleted without authorization, or otherwise rendered unavailable for authorized uses (e.g., uses or disclosures requested by its subject).
In particular, the Security Rule requires an analysis procedure that:
- Evaluates the likelihood and potential impact of risks
- Implements measures to prevent risks from materializing
- Documents the measures taken and the rationale behind them
- Maintains up-to-date and appropriate protections continuously
The HHS makes two HIPAA risk assessment tools available: a HealthIT.gov assessment tool and a toolkit jointly developed with the National Institute of Standards and Technology (NIST).
The HIPAA Risk Assessment Process
The HHS does not provide further specific HIPAA risk assessment requirements, as the Security Rule is intended to be flexible and give organizations options for mitigating risk. However, it does sketch out some general phases that all HIPAA risk assessments should cover:
- Collection of Data – Document all hardware, software, and networks where PHI is stored, transmitted, and processed, along with individuals who have access to them.
- Identification of Threats and Vulnerabilities – Establish weaknesses (vulnerabilities) that could be exploited by attacks and the potential sources of said incidents (threats).
- Assessment of Security Measures – Document protections in place to segment PHI from other IT assets, monitor and log access and changes, and contain attacks.
- Determination of Incident Likelihood – Calculate how likely it is that a threat such as a cyberattack, negligent or malicious error, or environmental hazard would impact PHI.
- Determination of Potential Impact – Calculate how much PHI would be impacted if such an event were to occur, whether persons’ identities could be recognized, etc.
- Identification of Risk – Assign a risk level based on the likelihood and potential impact, designating “high” risk vulnerabilities and threats to prioritize and address immediately.
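The six phases above can be carried through as a small risk register. The following is an added illustration, not code from the HHS tools or from the page's author: the three-point scales, the score thresholds, the asset names and the threat/vulnerability pairs are all constructed for the example. It records assets and who can reach them (data collection), pairs each asset with a threat and a vulnerability and the controls already in place (threat identification and security measures), rates likelihood and impact, derives a risk level, orders the register so "high" items come first, and keeps the documented rationale when a new safeguard changes the rating.

```python
"""Worked HIPAA-style risk analysis, added here as an illustration (not the HHS SRA tool's
code). Scales, thresholds and sample entries are constructed for the example."""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed three-point ordinal scale; the Security Rule leaves the scale to the organization.
SCALE = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Asset:
    """Phase 1 (data collection): where PHI lives and who can reach it."""
    name: str
    phi_handling: str          # "stored", "transmitted" or "processed"
    users: List[str]


@dataclass
class RiskItem:
    """Phases 2-5: one threat/vulnerability pair against an asset, with current safeguards."""
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: str            # rated after accounting for the existing controls
    impact: str
    controls: List[str] = field(default_factory=list)
    rationale: str = ""        # why the current rating is justified (documentation requirement)


def risk_score(item: RiskItem) -> int:
    """Phase 6: likelihood x impact on the constructed 1..9 scale."""
    return SCALE[item.likelihood] * SCALE[item.impact]


def risk_level(item: RiskItem) -> str:
    """Constructed banding of the product; 'high' items are addressed first."""
    score = risk_score(item)
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def prioritized(register: List[RiskItem]) -> List[RiskItem]:
    """Highest score first; sorted() is stable, so ties keep register order between cycles."""
    return sorted(register, key=risk_score, reverse=True)


def record_treatment(item: RiskItem, control: str, new_likelihood: str, rationale: str) -> Dict[str, str]:
    """Risk management step: add a safeguard, re-rate likelihood, and keep the documented reason."""
    before = risk_level(item)
    item.controls.append(control)
    item.likelihood = new_likelihood
    item.rationale = rationale
    return {"asset": item.asset.name, "threat": item.threat, "control": control,
            "before": before, "after": risk_level(item), "rationale": rationale}


def sample_register() -> List[RiskItem]:
    """Constructed sample entries for a small practice."""
    ehr = Asset("EHR database server", "stored", ["dba", "clinic-app"])
    laptop = Asset("Clinician laptop", "processed", ["dr-smith"])
    link = Asset("Claims transfer link", "transmitted", ["billing"])
    return [
        RiskItem(ehr, "external attacker", "unpatched database service", "medium", "high",
                 controls=["network segmentation"]),
        RiskItem(laptop, "loss or theft", "no full-disk encryption", "high", "high"),
        RiskItem(link, "eavesdropping", "plaintext transfer over the internet", "medium", "medium"),
        RiskItem(ehr, "flood", "server room below grade", "low", "high"),
    ]


if __name__ == "__main__":
    reg = sample_register()
    for it in prioritized(reg):
        print(f"{risk_level(it):6} {risk_score(it)}  {it.asset.name}: {it.threat} / {it.vulnerability}")
    print(record_treatment(reg[1], "full-disk encryption", "low",
                           "a lost or stolen device no longer exposes readable PHI"))
```

Re-running `prioritized()` after each `record_treatment()` call is what makes the analysis cyclical: the register is the living document, and the printed "before"/"after" levels together with the rationale are the evidence that the measures and their reasoning were documented.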
Critically, HIPAA risk analysis needs to be long-term and ongoing. Rather than a fixed, finite process, it should be cyclical and dynamic. That includes frequent assessments, along with meta-analysis of your assessment methods to ensure that they meet your security objectives.
HIPAA Risk Management Requirements
Beyond HIPAA assessments, the Security Rule also requires the management of any risks identified. Organizations need to take proactive steps to eliminate vulnerabilities, neutralize threats, and generally make risks less likely to impact PHI. These requirements apply to all HIPAA Covered Entities, which include healthcare providers, plan administrators, and clearinghouses. They also apply, by extension, to Covered Entities’ Business Associates, irrespective of their industries.
As with the assessment process, the HHS does not specify particular controls or means to meet the stated purposes. Instead, it allows for flexible architecture implementation, provided that the controls selected cover the basic requirements of three kinds of safeguards:
Required Administrative Safeguards
Covered Entities should install top-down security governance measures, including:
- Security Management Process – Organizations need to devise clear policies for all elements of PHI security, including HIPAA assessments, and make them available.
- Defined Security Personnel – Select individuals need to be assigned administrative roles for safeguarding PHI, with their responsibilities clearly documented.
- Information Access Management – Policies and procedures for identity and access management (IAM) should be laid out and understood by anyone with access to PHI.
- Workforce Security Training – All personnel need to be educated about the security requirements and threat environment surrounding PHI, reinforced through training.
- Security Evaluation – Security policies need to be assessed and updated regularly.
These protections integrate the insights from HIPAA risk analysis into all elements of security.
Required Physical Safeguards
Covered Entities also need physical restrictions in place, such as:
- Facility Access and Control – Covered Entities should use physical barriers and other means to limit individuals’ physical access to devices and facilities containing PHI.
- Individual Device Security – Devices and physical media with access to PHI need to be tightly controlled throughout their lifecycles, up to and including safe disposal or destruction.
These controls secure devices connected to PHI and the environments that house them.
Required Technical Safeguards
Software and application-level requirements for HIPAA Security include:
- Technical Access Controls – Covered Entities should install IAM protections on all software and applications, such as multi-factor authentication (MFA), to limit access.
- Security Auditing – All use of and behavior in software and applications on systems connected to PHI needs to be monitored, with the ability to suspend access if needed.
- Integrity Controls – Covered Entities should install monitoring infrastructure to identify, log, and analyze any changes to PHI and related files, investigating any anomalies.
- Secure Transmissions – Special protections should be installed to monitor any traffic carrying or concerning PHI, especially in connection with unsecured or unrecognized networks.
These protections build upon the governance safeguards above, ensuring security across all software involved in PHI storage, transmission, or processing. They’re essential to compliance.
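One concrete form of the integrity control described above is a cryptographic baseline of the files that hold PHI, re-checked on a schedule so that every addition, removal or modification produces a log record for investigation. The block below is an added example, not the page's or any vendor's code: it hashes every file under a directory with SHA-256, compares a later snapshot against the stored baseline, and emits one JSON log line per deviation. The directory layout and file contents in `demo()` are constructed for the example.

```python
"""Added example of an integrity control: a SHA-256 baseline over files holding PHI, re-checked to
log any change. Not the page's or any vendor's code; directory layout and contents are constructed."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large exports do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> Dict[str, str]:
    """Map each file's path (relative to root) to its digest; this is the stored reference."""
    return {str(p.relative_to(root)): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(expected: Dict[str, str], observed: Dict[str, str]) -> List[Dict[str, str]]:
    """One log record per deviation; an empty list means the baseline still holds."""
    stamp = datetime.now(timezone.utc).isoformat()
    events = []
    for name in sorted(set(expected) | set(observed)):
        if name not in observed:
            events.append({"time": stamp, "file": name, "event": "removed"})
        elif name not in expected:
            events.append({"time": stamp, "file": name, "event": "added"})
        elif expected[name] != observed[name]:
            events.append({"time": stamp, "file": name, "event": "modified",
                           "expected": expected[name], "observed": observed[name]})
    return events


def demo() -> List[Dict[str, str]]:
    """Constructed scenario: two records baselined, then one edited and one new file dropped in."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "records").mkdir()
        (root / "records" / "patient-0001.txt").write_text("constructed sample record\n")
        (root / "records" / "patient-0002.txt").write_text("constructed sample record\n")
        expected = baseline(root)
        # An unauthorised edit and an unexpected export appear before the next check
        (root / "records" / "patient-0001.txt").write_text("tampered\n")
        (root / "records" / "export.csv").write_text("x\n")
        return compare(expected, baseline(root))


if __name__ == "__main__":
    for event in demo():
        print(json.dumps(event))
```

In production the baseline would be written to storage the monitored hosts cannot modify, and the emitted records would go to the same audit log the Security Auditing safeguard already feeds, so that a modified record file and the login that preceded it can be correlated during an investigation.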
Other HIPAA Compliance Considerations
The Privacy and Security Rules are two of the three prescriptive Rules in the framework. The other is the Breach Notification Rule, which requires Covered Entities to provide notice to all impacted parties when a breach occurs. The Secretary of the HHS must also be notified in all cases. And, in the event of a breach impacting 500 or more people, local media must also be contacted. Any violation of the Privacy or Security Rules could constitute a breach.
Further, any violation of the Privacy, Security, or Breach Notification Rules could trigger HIPAA Enforcement. Potential violations are investigated by the Office for Civil Rights (OCR) and potentially the Department of Justice (DOJ). They could result in Civil Monetary Penalties approaching $2 million annually and up to 10 years in jail for individual stakeholders.
HIPAA compliance does not require regular verification through audits or assessments, as many other regulations do. However, it’s in organizations’ best interest to generate assurance of their compliance regularly. One method is HITRUST Certification. The HITRUST CSF is an omnibus framework that includes protections to meet HIPAA and other regulations’ requirements.
HITRUST allows for streamlined implementation, so you can “assess once, report many.”
If your organization needs to meet several regulatory requirements, including HIPAA, consider meeting with a HITRUST advisor to minimize overlap and maximize your cyberdefense ROI.
Optimize Your HIPAA Compliance Today!
HIPAA compliance is required for most organizations in and adjacent to healthcare. HIPAA assessments and risk management are critical to protecting PHI and avoiding the costly penalties of non-compliance, especially when working with a dedicated HIPAA advisor.
At RSI Security, we believe that the right way is the only way to ensure PHI and other forms of sensitive data are safe. We’ll work with your internal team to strategize, implement, and assess security protections for HIPAA compliance and cyberdefense. We’re committed to your security.
To optimize your HIPAA security risk assessment and management practices, get in touch!