Whether your business is directly involved in healthcare or indirectly connected to the industry through trade, there’s a good chance you’ll need to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Enforced by the US Department of Health and Human Services (HHS), HIPAA exists to protect the vast amounts of sensitive information stored, shared, and otherwise processed across the industry. Some of the trickier factors you’ll need to account for are the HIPAA risk assessment requirements—read on to learn precisely how to meet them.
How to Conduct a HIPAA Security Risk Analysis
The risk assessment protocols are among the most stringent and challenging elements of HIPAA compliance, especially for smaller businesses newer to the framework. Beyond controlling access to sensitive data, companies also need to systematically identify the reasonably anticipated threats to that data and mitigate them.
This blog will break down everything you need to know about HIPAA risk analysis, including:
- The general requirements of the Security Rule, of which risk analysis is a part
- The specific definitions, protocol, and provided tools for a HIPAA security risk analysis
- The remaining rules that need to be followed for full HIPAA compliance
By the end of this blog, you’ll have all the knowledge and resources necessary to implement the Security Rule and all of HIPAA to the fullest. But first, let’s cover whether it even applies to you.
Do You Need to Conduct a HIPAA Risk Analysis?
It’s easy to assume that a regulatory framework like HIPAA applies to only a select few kinds of business, such as doctors’ private practices and hospitals. In fact, the covered entities to which HIPAA applies include all health care providers that transmit health information electronically in connection with a standard transaction, from private practices and group care facilities to pharmacies of all types. It also extends to health plans and to what the HHS calls “health care clearinghouses,” which translate health data into or out of standard formats.
Even if you’re just a vendor or contractor for one of these entities, HIPAA may still apply to you. In 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH) was passed, making business associates of covered entities directly liable for Security Rule compliance. Covered entities and their business associates must sign business associate agreements (BAAs), contracts that commit both parties to upholding compliance, and a business associate must conduct its own risk analysis of the ePHI it handles.
Understanding the HIPAA Security Rule
To fully understand the HIPAA risk assessment requirements, you’ll need to grasp the Security Rule, which contains the risk analysis requirement. The Security Rule builds on the Privacy Rule, which we’ll detail below. Where the Privacy Rule governs who may use and disclose protected health information, the Security Rule governs how that information is protected in electronic form, extending protection beyond access and disclosure to all reasonably anticipated vectors of misuse.
This information, defined in the Privacy Rule as “protected health information” (PHI), is what all HIPAA rules and protocols strive to protect. The Privacy Rule covers PHI in any form, paper and spoken included; the Security Rule applies specifically to electronic PHI (ePHI), meaning PHI that a covered entity or business associate creates, receives, maintains, or transmits in electronic form. HITECH did not change that scope; its contribution was to extend the Security Rule’s obligations directly to business associates. The Security Rule’s general requirements, safeguards, and risk analysis protocols therefore all apply to ePHI. Let’s take a closer look at them.
HIPAA Security Rule General Requirements
The HIPAA security risk assessment protocols fit squarely into the “general rules,” or sub-rules, of HIPAA Security. Per the HHS’s Security Rule Summary, these require covered entities and business associates to:
- Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit.
- Identify and protect against reasonably anticipated threats to the security or integrity of that ePHI, meaning any event that would compromise its confidentiality, integrity, or availability.
- Protect against reasonably anticipated impermissible uses or disclosures, as defined in the Privacy Rule (see below).
- Ensure compliance with the Security Rule across the entire workforce.
HIPAA security risk analysis serves the second and third of these requirements, as it is the primary way in which “reasonably anticipated threats” are identified so that they can be addressed.
HIPAA Security Rule Required Safeguards
The other primary controls dictated by the Security Rule, besides the risk assessment protocols, are the three categories of safeguards. Per the Security Rule Summary, these break down as follows:
- Administrative safeguards – Five top-level managerial controls for governance:
- Establish a security management process to identify and reduce risk (this is the standard that contains the risk analysis and risk management requirements)
- Designate a security official responsible for developing and implementing security policies and procedures
- Implement information access management so that access to ePHI is restricted to what each role needs
- Provide workforce training and management, including supervision and sanctions for violations
- Perform periodic evaluations of how well policies and procedures meet the Security Rule’s requirements
- Physical safeguards – Two controls restricting physical access to ePHI:
- Limit physical access to facilities containing ePHI while ensuring that authorized access is still allowed
- Govern workstation and device security, including proper use of workstations and the transfer, removal, disposal, and reuse of electronic media
- Technical safeguards – Four controls focusing on technology and software:
- Implement access controls so that only authorized persons can access ePHI
- Implement audit controls: hardware, software, and procedures that record and examine access and other activity in systems containing ePHI
- Implement integrity controls ensuring ePHI is not improperly altered or destroyed
- Implement transmission security to guard ePHI in transit over electronic networks
These controls set the stage for HIPAA security assessment by reducing the overall potential for risks or vulnerabilities while establishing how the system is supposed to function at a baseline.
Implementing HIPAA Security Risk Analysis
As noted above, security risk analysis, and the risk management that follows from it, is part of the Security Rule’s security management process standard. Per the Security Rule Summary, its primary objectives are straightforward:
- Evaluating the likelihood and potential impact of risks to ePHI
- Implementing appropriate security measures to address those risks
- Documenting the measures chosen and, where required, the rationale for adopting them
- Maintaining continuous, reasonable, and appropriate security protections
The HHS has collaborated with other agencies to develop tools and resources facilitating HIPAA compliant risk assessment. One example is the HIPAA Security Rule Toolkit developed with the National Institute of Standards and Technology (NIST), which also publishes Special Publication 800-66, its guide to implementing the Security Rule. Another is the Security Risk Assessment (SRA) Tool, from the Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR). Let’s take a look at what these tools can facilitate.
Vulnerabilities, Threats, and Risks, Per HIPAA
Another critical resource devoted to HIPAA risk assessment is the HHS’s own Guidance on Risk Analysis, which synthesizes and simplifies the specifications from the HIPAA text and NIST resources. The most essential components to understand are its definitions for the objects of analysis:
- Vulnerability – Adapted from NIST Special Publication 800-30, a vulnerability for HIPAA purposes is a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised, whether accidentally triggered or intentionally exploited, and result in a security breach or a violation of security policy. Vulnerabilities can be technical (an unpatched server, encryption left disabled) or non-technical (no procedure for revoking a departed employee’s access).
- Threat – Again adapted from SP 800-30, a threat is the potential for a person or thing to exercise a specific vulnerability. Threat sources may be natural (floods, storms), human (malicious attackers, careless insiders), or environmental (power failures, chemical leaks).
- Risk – Once more adapted from SP 800-30, risk is a function of the likelihood that a given threat will exercise a particular vulnerability and the resulting impact on the organization and on the ePHI it holds.
Vulnerabilities and threats are inventoried separately, whereas risk measures the relationship between them: a vulnerability with no plausible threat, or a threat with no vulnerability to exercise, carries little risk, and the same vulnerability can carry very different risk depending on the threat paired with it. Companies should therefore record each of the three separately and address them accordingly.
Seven Steps for HIPAA Security Risk Analysis
The HHS does not require any particular methodology to assess risk, but its guidance provides an easily adaptable template. Per the risk analysis guidance, its steps break down as follows:
- Collection of relevant data – The covered entity begins by defining the scope of the analysis (all ePHI, regardless of the medium or system in which it resides) and gathering data on where that ePHI is created, received, maintained, and transmitted.
- Identification of threats and vulnerabilities – Next, the covered entity should identify and document the reasonably anticipated threats to that ePHI and the vulnerabilities, technical and non-technical, that those threats could exercise, including vectors for accidental and malicious misuse.
- Assessment of current security measures – Then, the covered entity should identify and analyze the security measures already in place to reduce each vulnerability, and whether they are configured and used properly.
- Determination of threat likelihood – In the first determination stage, the covered entity should establish a likelihood scale and rate the probability that each threat will exercise each vulnerability.
- Determination of potential impact – In the second determination stage, the covered entity should assign a corresponding scale for the severity of the outcome should a threat succeed, both to the ePHI and to the organization.
- Determination of risk level – Based on the prior two determinations, the covered entity assigns a risk level to each threat and vulnerability pair (for example, by reading it from a likelihood/impact matrix) and lists the corrective actions that would mitigate it.
- Final documentation – Finally, the covered entity must document its findings. The HHS doesn’t prescribe a specific format, but the Security Rule requires the analysis to be in writing, along with the rationale for the measures chosen.
While the last step above suggests closure, the HHS is also careful to note that risk analysis is an ongoing process. Rather than closing the loop after one sweep, companies should periodically review assessments and update findings as new threats, vulnerabilities, and risks emerge, for example when systems are added, operations change, or an incident occurs.
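The steps above are easier to keep consistent and auditable when the analysis is kept as a structured register rather than a narrative. The following is an added example, not a tool from HHS, OCR, ONC or NIST: a small Python risk register that records, for each threat and vulnerability pair, where the ePHI lives, the existing controls, the likelihood and impact ratings and the rationale, derives the risk level from a qualitative matrix, and orders the result for remediation. The five-level scale and the matrix are modeled on the likelihood/impact table in NIST SP 800-30 Rev. 1; the matrix values here are an assumption to be checked against the publication, and the sample inventory, controls and ratings are constructed for illustration.

```python
"""Illustrative risk register for a HIPAA security risk analysis (added example,
not HHS/NIST code). Matrix values are transcribed from memory of NIST SP 800-30
Rev. 1 and should be verified; the sample inventory below is constructed."""
from dataclasses import dataclass, field, asdict
import json

# Qualitative scale shared by likelihood, impact and risk (SP 800-30 style).
LEVELS = ("very_low", "low", "moderate", "high", "very_high")

# RISK_MATRIX[likelihood] is indexed by impact position in LEVELS.
# Assumption: approximates the SP 800-30 Rev. 1 Appendix I risk table.
RISK_MATRIX = {
    "very_high": ("very_low", "low", "moderate", "high", "very_high"),
    "high":      ("very_low", "low", "moderate", "high", "very_high"),
    "moderate":  ("very_low", "low", "moderate", "moderate", "high"),
    "low":       ("very_low", "low", "low", "low", "moderate"),
    "very_low":  ("very_low", "very_low", "very_low", "low", "low"),
}


def risk_level(likelihood: str, impact: str) -> str:
    """Step 6: combine a likelihood rating and an impact rating into a risk level.

    Rejects ratings outside the scale so a typo in the register cannot silently
    collapse into a "very_low" risk.
    """
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"ratings must be one of {LEVELS}: {likelihood!r}, {impact!r}")
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]


@dataclass
class RiskItem:
    asset: str          # step 1: where ePHI is created, stored or transmitted
    vulnerability: str  # step 2: the weakness that could be exercised
    threat: str         # step 2: the threat source or event that could exercise it
    controls: list      # step 3: security measures already in place
    likelihood: str     # step 4: rating on LEVELS
    impact: str         # step 5: rating on LEVELS
    rationale: str      # step 7: why these ratings were chosen
    risk: str = field(init=False)  # step 6: derived, never entered by hand

    def __post_init__(self) -> None:
        self.risk = risk_level(self.likelihood, self.impact)


def prioritize(items: list) -> list:
    """Order the register highest risk first so remediation effort follows risk."""
    return sorted(items, key=lambda i: LEVELS.index(i.risk), reverse=True)


def needs_treatment(item: RiskItem, appetite: str = "moderate") -> bool:
    """True when the item's risk exceeds the entity's documented risk appetite."""
    return LEVELS.index(item.risk) > LEVELS.index(appetite)


def register_report(items: list) -> str:
    """Step 7: serialize the register (ratings plus rationale) for the written record."""
    return json.dumps([asdict(i) for i in prioritize(items)], indent=2)


# Constructed sample inventory: assets, controls and ratings are invented.
SAMPLE_ITEMS = [
    RiskItem("EHR file server", "no offline or immutable backups",
             "ransomware", ["endpoint antivirus"], "high", "very_high",
             "prior phishing incidents; loss of all records halts treatment"),
    RiskItem("clinician laptops", "full-disk encryption not enforced",
             "theft or loss of device", ["cable locks", "screen lock policy"],
             "high", "high", "laptops leave the building daily"),
    RiskItem("backup tapes", "tapes stored unencrypted",
             "theft of removable media", ["locked cabinet", "access log"],
             "moderate", "high", "physical control exists but tapes are unencrypted"),
    RiskItem("front-desk workstations", "users can open email attachments",
             "phishing leading to credential theft",
             ["MFA", "annual security training", "mail filtering"],
             "low", "moderate", "MFA limits what a stolen password yields"),
]

if __name__ == "__main__":
    print(register_report(SAMPLE_ITEMS))
    for item in prioritize(SAMPLE_ITEMS):
        flag = "TREAT" if needs_treatment(item) else "accept/monitor"
        print(f"{item.risk:>9}  {flag:<14} {item.asset}: {item.vulnerability}")
```

Keeping `risk` a derived field rather than a typed-in value is the point of the structure: the rating cannot drift from the likelihood and impact that justify it, and the JSON output doubles as the written documentation the last step requires. Re-running the script after each change to the inventory is the periodic review the HHS guidance calls for.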
Following the Rest of the HIPAA Framework
As comprehensive as the protocols for HIPAA risk analysis and the broader Security Rule are, there is still more companies need to do to maintain full compliance. To avoid the penalties that the Enforcement Rule specifies, companies also need to abide by the Privacy Rule, as noted above, and the Breach Notification Rule. Before taking a look at those, it can be helpful to appreciate what the costs of non-compliance are and how the enforcement process works.
Overall, HIPAA enforcement begins with an intake and review by the OCR, typically prompted by a complaint or a breach report. If a violation of the Privacy or Security Rules (or a failure to report a breach) involves possible criminal conduct, HHS may refer the matter to the US Department of Justice (DOJ). After investigation, OCR may assess civil money penalties, tiered by the entity’s level of culpability and adjusted annually for inflation; the figures cited here are up to about $59 thousand per violation and about $1.7 million per calendar year for violations of the same provision. The DOJ may bring criminal charges carrying up to 10 years’ imprisonment for offenses committed with intent to sell or use PHI for commercial advantage, personal gain, or malicious harm.
HIPAA Privacy Rule: Overview and Requirements
The Privacy Rule is the foundation of HIPAA’s protections for health information. Its definition of PHI determines what the Security Rule protects, including through the risk analysis protocols detailed above. Per the Privacy Rule Summary, its primary focus is on restricting use and disclosure of PHI, per the following parameters:
- Permitted uses and disclosures – Covered entities may use or disclose PHI without the individual’s written authorization only in the following cases (beyond the disclosures that are required by law, covered below):
- To the individual who is the subject of the PHI.
- For treatment, payment, and health care operations.
- When the individual has been given a reasonable opportunity to agree or object, such as inclusion in a facility directory.
- When the use or disclosure is incidental to an otherwise permitted use or disclosure.
- For one of the public interest and benefit activities the rule enumerates, such as public health, law enforcement, or research oversight.
- When the disclosure is of a limited data set for research, public health, or health care operations.
- Minimum necessary – Covered entities must also limit even permitted uses and disclosures to the minimum necessary to accomplish the purpose, except for disclosures to the individual, for treatment, under the individual’s authorization, or as required by law.
Certain disclosures are required rather than merely permitted: to the individual (or personal representative) who requests access to or an accounting of their PHI, and to HHS when it is conducting a compliance investigation, review, or enforcement action.
HIPAA Breach Notification Rule: Requirements
Finally, the Breach Notification Rule differs from both the Privacy and Security Rules in that it does not prescribe controls to prevent attacks or leaks. Instead, it specifies what must happen when a breach does occur. A breach is an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of PHI; any impermissible use or disclosure is presumed to be a breach unless the entity demonstrates, through a documented risk assessment, that there is a low probability the PHI has been compromised.
Should a breach occur, there are several levels of notification a covered entity must set in motion. Firstly, affected individuals must be notified without unreasonable delay and no later than 60 days after the breach’s discovery. If the breach affects more than 500 residents of a state or jurisdiction, notice must also be provided to prominent media outlets serving that area, on the same timeline. Finally, all breaches must be reported to the HHS Secretary: without unreasonable delay and no later than 60 days after discovery if they affect 500 or more individuals, or within 60 days of the end of the calendar year in which they were discovered for breaches affecting fewer. Business associates must notify the covered entity of breaches they discover so that the covered entity can meet these deadlines.
Professional HIPAA Compliance and Security
Implementing all required elements of the Privacy, Security, and Breach Notification Rules to avoid the penalties of non-compliance can be challenging for all companies. The HIPAA risk assessment requirements, in particular, can be especially burdensome for smaller companies with fewer dedicated IT and cybersecurity resources. RSI Security is happy to help with robust HIPAA compliance advisory services. To see just how easy HIPAA can be, get in touch today!