Organizations in and around healthcare can streamline risk assessments in five easy steps:
- Understanding which regulations apply (e.g., HIPAA, HITRUST, etc.)
- Scoping out what information and systems need to be assessed
- Preparing for other niche assessments in the event of a breach
- Implementing controls from the HITRUST CSF to cover their needs
- Conducting an official HITRUST assessment for broad compliance
Step 1: Determining Regulatory Eligibility
The first thing you’ll need to do is figure out whether you even need to perform regular risk assessments as part of your compliance program. To start with, the Health Insurance Portability and Accountability Act (HIPAA) applies both to covered entities in healthcare (i.e., providers, plan administrators, and clearinghouses) and select business associates (i.e., third parties).
In practice, if your organization is directly involved in healthcare, you almost certainly need to comply. And if you’re a B2B service provider who works closely with organizations in the field, you might also need to comply. One big indicator is if you collect, process, or come into contact with protected health information (PHI). If so, you probably need to conduct HIPAA risk analysis.
Step 2: Scoping HIPAA Security Risk Assessments
Assessing risk regularly is part of a covered entity’s obligations under the HIPAA Security Rule. The scope for such an assessment is all PHI and electronic PHI (ePHI) within an organization’s purview—every location it exists within, every system it touches, and every point of access.
Organizations need to account for vulnerabilities and threats that could compromise the confidentiality, integrity, or availability of PHI. Vulnerabilities are weaknesses in IT deployment, and threats are vectors and actors that could exploit them. Together, these variables are used to calculate risk, or the likelihood and potential impact of an incident to the security of PHI.
Risk is expressed numerically and used to rank and prioritize risks for mitigation.
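The scoring described above, as an added worked example (not code from the original article, RSI Security, or HHS): each risk pairs an ePHI location with a vulnerability and a threat, rates likelihood on a constructed 1–5 scale, takes the worst-hit confidentiality, integrity or availability impact as the impact score, multiplies the two, and ranks the register for mitigation. The scales, tier thresholds and sample assets are assumptions chosen for illustration, not figures from the page.

```python
"""Toy HIPAA risk register: score likelihood x impact per ePHI asset and rank.

Added illustration of the risk-analysis step described above; the assets,
scales, thresholds and scores are constructed, not taken from HHS guidance
or any real environment.
"""
from __future__ import annotations

from dataclasses import dataclass

# Ordinal scales (constructed): qualitative rating -> numeric weight.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Risk:
    asset: str            # where ePHI lives: a system, location or access point
    vulnerability: str    # weakness in the IT deployment
    threat: str           # actor or vector that could exploit the weakness
    likelihood: str       # key into LIKELIHOOD
    confidentiality: str  # impact on each CIA property, keys into IMPACT
    integrity: str
    availability: str

    def impact_score(self) -> int:
        # The impact of an incident is driven by the worst-hit CIA property.
        return max(IMPACT[self.confidentiality], IMPACT[self.integrity],
                   IMPACT[self.availability])

    def risk_score(self) -> int:
        # Risk = likelihood x impact, giving a 1..25 scale under these weights.
        return LIKELIHOOD[self.likelihood] * self.impact_score()


def risk_tier(score: int) -> str:
    """Map a numeric score to a mitigation-priority tier (constructed thresholds)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def rank_risks(register: list[Risk]) -> list[tuple[str, int, str]]:
    """Return (asset, score, tier) sorted highest risk first; ties broken by asset name."""
    ranked = sorted(register, key=lambda r: (-r.risk_score(), r.asset))
    return [(r.asset, r.risk_score(), risk_tier(r.risk_score())) for r in ranked]


# Constructed sample register covering several places ePHI exists.
SAMPLE_REGISTER = [
    Risk("EHR database", "unpatched DBMS", "external attacker", "likely",
         "severe", "major", "moderate"),
    Risk("Billing file share", "broad read permissions", "insider misuse", "possible",
         "major", "minor", "negligible"),
    Risk("Clinician laptops", "no full-disk encryption", "device theft", "possible",
         "severe", "negligible", "minor"),
    Risk("Backup tapes (offsite)", "untested restores", "media failure", "unlikely",
         "negligible", "moderate", "major"),
]

if __name__ == "__main__":
    # Prints the register highest risk first, e.g. "20  high   EHR database".
    for asset, score, tier in rank_risks(SAMPLE_REGISTER):
        print(f"{score:>2}  {tier:<6} {asset}")
```

Taking the maximum across the three CIA impacts, rather than their sum, keeps a single catastrophic confidentiality exposure (a stolen unencrypted laptop) from being outranked by a risk that is merely mediocre on all three properties; whichever rule an organization picks, it should be written down alongside the scales so the ranking is repeatable between assessment cycles.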
In terms of what procedures the analysis itself must actually include, the Department of Health and Human Services (HHS) gives covered entities freedom in designing their programs. HHS does, however, publish guidance on risk analysis, including a Security Risk Assessment (SRA) tool.
Step 3: Understanding HIPAA Breach Risk Assessments
Another kind of risk analysis covered entities need to be aware of is the HIPAA breach risk assessment, which is performed when a breach or suspected breach has occurred.
Technically, a breach is defined as any use or disclosure of PHI that the Privacy Rule does not explicitly allow for. If one of these happens, the covered entity must perform a four-factor analysis to determine the probability that PHI has been compromised. The factors include:
- What kind of PHI was breached, including whether and how identifiable it is
- The parties responsible for the use or to whom the disclosure was made
- Whether PHI that was breached was in fact viewed or acquired
- The extent to which any risks of compromise have been mitigated
If the results of this analysis indicate that the risk of compromise is moderate or higher, the covered entity must provide breach notification to HHS and all impacted individuals. If 500 or more people are impacted, the covered entity must also provide notice to a local media outlet serving the affected individuals.
Step 4: Implementing Select HITRUST CSF Controls
Once you’re fully aware of your risk assessment obligations, it’s time to start implementing controls and processes to help you meet them. This is where HITRUST comes in. Born out of healthcare compliance but now applicable to any organization in any field, the HITRUST CSF is a security framework that covers HIPAA and other regulatory compliance needs simultaneously.
The HITRUST CSF has hundreds of controls and thousands of specifications customizable to any matrix of regulatory needs; there are even “Level HIPAA” specifications for various controls within the framework. For risk assessments specifically, covered entities should focus on Control Category 03 (Risk Management) and 06 (Compliance) to ensure all their bases are covered.
Step 5: Conducting Certified HITRUST Assessments
Finally, you’ll need to actually conduct an assessment—or multiple—to satisfy your HIPAA security risk analysis requirements. One of the best ways to do this is conducting a HITRUST assessment to lock in certification and compliance across multiple regulations long-term.
At present, there are three types of HITRUST assessments available:
- HITRUST e1 Foundational Cybersecurity assessments provide fundamental security assurance and compliance with select regulations (e.g., HIPAA) for up to one year.
- HITRUST i1 Leading Security Practices assessments provide greater security assurance and compliance with participating regulatory compliance authorities for up to one year.
- HITRUST r2 Expanded Practices assessments provide the highest level of security assurance and compliance with participating regulatory authorities for up to two years.
Whichever option your organization chooses, getting HITRUST certified will allow you to “assess once, report many,” reducing the overall compliance burden across all regulations.
Optimize Your HIPAA Risk Assessments Today
For organizations in and adjacent to healthcare, risk analysis is one of the most critical parts of HIPAA compliance. You’ll need to account for all risks to PHI on a regular basis and plan for breach risk assessments if a cybersecurity incident occurs. To that effect, implementing the HITRUST CSF controls and achieving certification is the best way to streamline the process.
RSI Security has helped countless organizations rethink their HIPAA compliance. We believe discipline now unlocks greater freedom later; we’ll help you keep your team secure long-term.
To learn more about our HIPAA and risk assessment services, contact RSI Security today!