The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is one of the US’s best-known and wide-ranging regulations. It impacts all covered entities within the health sector and extends to many business associates who work with them. One critical practice for ensuring HIPAA compliance is conducting HIPAA risk assessments.
HIPAA Risk Assessments for Compliance and Cybersecurity
Unlike some other regulatory compliance programs, HIPAA does not require a certification process. Instead, companies need to maintain controls compliant with the three prescriptive HIPAA rules. There are three main kinds of HIPAA risk assessments companies should run:
- A HIPAA security assessment, required for compliance with the Security Rule
- A HIPAA privacy assessment, ensuring ongoing compliance with the Privacy Rule
- A HIPAA breach assessment, seeking out proper Breach Notification Rule protocols
HIPAA Security Assessment 101: Safeguarding All ePHI
First and foremost, companies need to conduct HIPAA risk assessments targeting the HIPAA Security Rule. While the Security Rule is not the first in the framework, it is the most important for risk analysis purposes because it is the one rule that explicitly requires a risk analysis, with prescriptive guidance provided by the Department of Health and Human Services (HHS).
However, the most impactful security assessment goes above and beyond the analyses prescribed in the HHS guidance.
A HIPAA security assessment needs to account for all requirements detailed in the rule, such as the various safeguards for electronic protected health information (ePHI).
Security Rule Requirements for a HIPAA Risk Assessment
The HHS’s guidance on risk analysis provides specific requirements and responsibilities that should inform a covered entity’s security assessments. In particular, it requires companies to assess internal vulnerabilities, external threats, and the relationships between them. Collectively, these comprise risk factors. The scope of a HIPAA-compliant security risk analysis must include:
- Scope of PHI data – First, companies need to identify all systems and locations that either directly contain or are otherwise connected to any form of PHI.
- Identification of threats and vulnerabilities – Next, companies need to assess for:
- Vulnerabilities, or flaws within systems that security threats can exploit
- Threats, including all potential natural, human, or environmental vectors for harm
- Assessment of applicable security controls – Companies must then identify existing security implementations designed to mitigate all vulnerabilities and the threats that could exploit them.
- Determination of the likelihood of threats – For all identified threats, companies need to calculate the relative likelihood that vulnerabilities may be intentionally or negligently triggered.
- Determination of the likely impact of threats – For all likely threats, companies also need to calculate the potential impact that would occur if a vulnerability is triggered.
- Determination of risk level (likelihood and impact) – Using the previous calculations, companies must generate risk levels that inform protocols to prioritize and address risks.
- Final, formalized documentation of risk factors – Companies need to document all calculations, per Security Rule obligations, although no specific format is required.
- Review and regular updates to risk assessments – Companies must periodically reevaluate their assessment as an ongoing process.
There is no specific tool or solution that companies must use to accomplish these ends. Additionally, assessments may exceed these minimums and cover more robust analytical methods as long as these requirements are met. For example, companies may decide to account for data that isn’t PHI or ePHI but carries similar levels of risk. Or, they may factor in several additional components to their calculation of risk level.
The HHS’s Office for Civil Rights (OCR) provides further guidance on the required analyses through the HIPAA Security Risk Assessment (SRA) Tool. HHS has also collaborated with the National Institute of Standards and Technology (NIST) on the NIST HIPAA Security Toolkit Application.
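The risk-analysis steps listed above (scope, threat/vulnerability pairs, existing controls, likelihood, impact, risk level, documentation) carried through on constructed data, as an added example that is not from the original article or from HHS. The 1-5 scales, the rule that each documented control lowers likelihood by one step, and the High/Medium/Low banding are assumptions of the example; HHS prescribes no particular scale or format.

```python
from dataclasses import dataclass, field

@dataclass
class RiskItem:
    asset: str            # system or location inside the ePHI scope
    threat: str           # natural, human or environmental vector
    vulnerability: str    # flaw the threat could exploit
    likelihood: int       # 1 (rare) .. 5 (near certain), before controls
    impact: int           # 1 (negligible) .. 5 (severe) to ePHI C/I/A
    controls: list = field(default_factory=list)  # existing safeguards

def residual_likelihood(item: RiskItem) -> int:
    # Assumption of this example: each documented control lowers the
    # likelihood by one step, never below 1. A real analysis would weigh
    # each control's effectiveness against the specific threat.
    return max(1, item.likelihood - len(item.controls))

def risk_score(item: RiskItem) -> int:
    return residual_likelihood(item) * item.impact  # 1..25

def risk_level(score: int) -> str:
    # Assumed banding of the product into the three levels that drive
    # prioritization; HHS prescribes no specific scale.
    if score >= 15:
        return "High"
    return "Medium" if score >= 8 else "Low"

def prioritize(register: list) -> list:
    """Return (asset, threat, score, level) rows, highest risk first: the
    documented output that feeds the risk management plan."""
    rows = [(i.asset, i.threat, risk_score(i), risk_level(risk_score(i)))
            for i in register]
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed sample register for a small practice (not real findings).
SAMPLE_REGISTER = [
    RiskItem("EHR database", "ransomware", "unpatched server", 4, 5,
             ["patch management", "offline backups"]),
    RiskItem("Billing laptop", "theft", "unencrypted disk", 3, 4),
    RiskItem("Fax server", "flood", "basement location", 1, 3, ["sump pump"]),
]

if __name__ == "__main__":
    for asset, threat, score, level in prioritize(SAMPLE_REGISTER):
        print(f"{level:6} {score:2}  {asset}: {threat}")
```

The unencrypted laptop with no compensating controls outranks the patched and backed-up EHR database, which is the kind of prioritization the documented risk levels are meant to surface.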
Breakdown of Specific Controls to Assess for HIPAA Security
Risk analysis is far from the only requirement of the Security Rule, nor should it be the only part of a security-focused HIPAA risk assessment. Companies should scan for controls that satisfy all requirements of the rule, including its four primary sub-rules. These are defined as:
- Ensuring confidentiality, integrity, and availability of all ePHI owned or operated.
- Identifying and protecting against all reasonably anticipated threats to ePHI.
- Protecting against any impermissible uses or disclosures, per the Privacy Rule.
- Ensuring compliance with Security and Privacy protections across the workforce.
The Security Rule also breaks down three sets of controls covered entities need to implement:
- Administrative safeguards – Managerial-level controls governing all security systems:
- Security management processes for identifying and addressing risks to ePHI
- Security personnel with designated responsibilities for the protection of ePHI
- Information access management, pertaining to the Privacy Rule (see below)
- Workforce training management and robust cybersecurity awareness training
- Evaluation of all security systems, controls, and behavior at regular intervals
- Physical safeguards – Individual barriers and protections applied in physical spaces:
- Facility access control, restricting all access to authorized parties exclusively
- Workstation and device security, securing individual computers and devices (i.e., endpoints)
- Technical safeguards – Software and programmatic controls governing IT assets:
- Access control, such as identity management, to authenticate all users and govern their authorizations
- Audit controls, including system-wide automated or manual security audits
- Integrity controls to detect any inappropriate changes or deletions of ePHI
- Transmission security controls across all electronic network infrastructure
Assessing compliance risks respective to the Security Rule requires a detailed analysis of all security architecture to ensure that controls meet or exceed the prescribed safeguards. Companies can then work with a cybersecurity program advisor, such as RSI Security, to build out additional controls as needed.
HIPAA Privacy Assessment 101: Controlling Access to PHI
The Security Rule is the only prescriptive HIPAA rule that explicitly requires risk analysis. But the overall aim of the Security Rule’s safeguards is ensuring that ePHI is protected against the categories of unauthorized uses and disclosures defined in the Privacy Rule. So, it follows that companies who need to maintain HIPAA compliance should also assess various Privacy risks.
The most critical objective of a Privacy-focused assessment should be analyzing all ePHI and non-electronic PHI for access control restrictions. The Privacy Rule requires all PHI to be safe from inappropriate use, but it also requires its availability to subjects of the PHI. HIPAA Privacy risk assessments should also account for all third-party activity, per applicable HIPAA definitions of the contractual responsibilities between covered entities and business associates.
Breakdown of Specific Controls to Assess for HIPAA Privacy
The most critical element of the Privacy Rule is its definition of allowed PHI uses and disclosures. In particular, covered entities must make PHI available to the data subjects or representatives thereof upon request. They are also required to disclose any PHI to the HHS if requested as part of a compliance audit or other legal or enforcement-related activity.
Beyond the required cases, permitted uses and disclosures of PHI include the following:
- Any disclosure to or use by the subject of the PHI in question, or their representative, whether requested formally (in writing) or informally (verbally or by clear implication)
- Most uses and disclosures undertaken as part of treatment, payment, or operations necessary for the maintenance of a healthcare organization, such as quality assessment
- Most uses and disclosures to which the subject has been allowed a reasonable opportunity to agree or object, and if the given use or disclosure is determined to be in their best interest
- Individual instances of use or disclosure that are incidental to other authorized instances, such as one small piece of information not requested amongst other, requested pieces
- Most uses or disclosures undertaken in the public interest or for a public benefit purpose, such as fulfilling a legal or law enforcement-related activity or assisting victims of abuse
- Limited uses or disclosures of restricted data sets, such as de-identified documents, for the purposes of academic or medical research, especially concerning public health outcomes
All permitted uses or disclosures that are not required must be limited to the minimum extent necessary. Covered entities must also notify their clientele about privacy and access policies.
Assessing non-compliance risks across these requirements involves maximal visibility over all files. For example, a file integrity monitoring (FIM) tool or security information and event management (SIEM) solution can help notify internal stakeholders whenever irregular use or disclosure is detected, facilitating mitigation. Another solution to that effect is managed detection and response (MDR).
Privacy Rule Definitions for HIPAA Applicability and Coverage
One final consideration for a HIPAA privacy assessment is covering all ground across all parties who need to comply, whether your company is a covered entity with eligible vendors or a smaller company strategically partnered with a healthcare institution. In particular, there are three primary categories of covered entities who must comply, as defined by the Privacy Rule:
- Healthcare providers, including private practices, larger institutions, pharmacies, etc.
- Health insurance plans and all entities involved in administering or overseeing them.
- Healthcare clearinghouses that interact with, transmit, store, or otherwise process ePHI.
If your company doesn’t fit any of these categories, it may still need to comply with HIPAA if it is a business associate of any company that does. Business associate contracts help ensure that both the covered entity and the business associate will remain compliant throughout their relationship, as both can be held liable for non-compliance.
With respect to HIPAA risk assessment, a helpful consideration for business associates is third-party risk management (TPRM), which scans for risks across your network of strategic partners.
HIPAA Breach Assessment 101: Responding to Incidents
Finally, companies should also assess risks related to ongoing adherence to the HIPAA Breach Notification Rule. This rule is unique in that it prescribes not controls for preventing an attack or incident but requirements for reporting any that occur. Also, the definition of a breach within the rule is unique and arguably counter-intuitive: any instance in which any Privacy or Security requirement is not met may constitute a breach, requiring notice.
Since any minor infringements on Privacy or Security protections can constitute breaches, the assessments above constitute a form of HIPAA breach assessment. However, companies can also assess their readiness to report on a breach with a more in-depth HIPAA breach analysis, accounting for visibility and communication channels necessary to inform parties as required.
Breakdown of Requirements in the Breach Notification Rule
Companies conducting a HIPAA breach analysis or breach readiness analysis need to confirm that they have the infrastructure in place to communicate effectively when a breach occurs. The Breach Notification Rule specifically requires three forms of notification, depending on severity:
- Individual notice – All individuals impacted by a data breach must be notified of the occurrence and the extent of compromised PHI. The notice must be sent through first-class mail (except for parties who have consented to electronic communication) and provided without unreasonable delay and within 60 days of breach discovery.
- Secretary notice – Covered entities must also provide breach notification to the HHS secretary for all breaches that occur. For breaches impacting fewer than 500 individuals, the notice can be sent annually but no later than 60 days after the end of the calendar year; for breaches impacting 500 or more, it must be sent within 60 days of discovery.
- Local media notice – Any breach impacting 500 or more residents of an individual jurisdiction, such as a state, must be reported to a local media outlet within that same jurisdiction. This media notice must come within 60 days of the breach’s discovery.
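The three notice requirements above turned into a deadline calculator, as an added example that is not part of the original article. It uses only the timings stated in the text (60 days from discovery; the small-breach annual log due 60 days after year end; the 500-individual threshold for Secretary timing and per-jurisdiction media notice); the input shape, a mapping of jurisdiction to affected residents, is an assumption of the example, not a HIPAA-defined structure.

```python
from datetime import date, timedelta

# Deadlines as stated in the article: 60 days from discovery, and the
# small-breach log to the Secretary no later than 60 days after year end.
NOTICE_WINDOW = timedelta(days=60)
LARGE_BREACH = 500  # individuals; triggers immediate Secretary and media notice

def required_notices(discovered_iso: str, affected: dict,
                     any_electronic_consent: bool = False) -> dict:
    """Map each required recipient to its ISO-format deadline for one breach.
    `affected` maps a jurisdiction (e.g. a state) to the number of its
    residents whose PHI was compromised (constructed input shape)."""
    discovered = date.fromisoformat(discovered_iso)
    by_discovery = (discovered + NOTICE_WINDOW).isoformat()
    total = sum(affected.values())
    notices = {}
    # Individual notice is always required, by first-class mail unless the
    # individual has consented to electronic communication.
    notices["individuals (first-class mail)"] = by_discovery
    if any_electronic_consent:
        notices["individuals with consent (electronic)"] = by_discovery
    # Secretary notice: within 60 days of discovery for 500 or more
    # individuals, otherwise in the annual log due 60 days after year end.
    if total >= LARGE_BREACH:
        notices["HHS Secretary"] = by_discovery
    else:
        year_end = date(discovered.year, 12, 31)
        notices["HHS Secretary (annual log)"] = (year_end + NOTICE_WINDOW).isoformat()
    # Media notice: one per jurisdiction with 500 or more affected residents.
    for jurisdiction, count in affected.items():
        if count >= LARGE_BREACH:
            notices[f"media outlet in {jurisdiction}"] = by_discovery
    return notices

if __name__ == "__main__":
    # Constructed breach: 600 Californians and 120 Nevadans, found 2024-03-01.
    for recipient, deadline in required_notices("2024-03-01", {"CA": 600, "NV": 120}).items():
        print(f"{deadline}  {recipient}")
```

Run as a readiness check, the output is the list of communication channels that must already exist before an incident, which is what a breach-readiness analysis verifies.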
Ideally, assessments of breach notification readiness should be undertaken before a breach occurs. However, companies may also perform HIPAA breach analysis on past instances of attacks, breaches of Privacy or Security protocols, or other relevant incidents.
RSI Security: Rethink HIPAA Compliance Assessments
Maintaining HIPAA compliance is all about protecting PHI and ePHI to the best of your abilities, ensuring that no unauthorized uses or disclosures happen, and swiftly reporting on any breach that does occur.
To ensure that all required security controls are in place, you need to regularly run targeted HIPAA risk assessments based on the three prescriptive rules, as detailed above.
Download Our Complete Guide to Navigating Healthcare Compliance Whitepaper
Not sure if your HIPAA or healthcare compliance efforts are up to snuff? Unsure about where to even start? Download RSI Security’s comprehensive guide to navigating the HIPAA and healthcare compliance labyrinth. Upon filling out this brief form you will receive the whitepaper via email.