Organizations both in and adjacent to healthcare need to test for and address risks to patient data as a central part of HIPAA compliance. Best practices like careful scoping, reducing the attack surface, and leveraging available resources can help any covered entity be compliant.
Is your organization prepared for a HIPAA assessment? Schedule a consultation to find out!
Optimize Your HIPAA Security Risk Assessments
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), administered by the Department of Health and Human Services (HHS), is one of the most far-reaching regulatory frameworks in the US. One of its most challenging requirements is the Security Rule's mandate for an ongoing, documented risk analysis.
Some best practices for implementing HIPAA-compliant analyses efficiently include:
- Understanding what risks are most critical with respect to HIPAA
- Minimizing the attack surface and the likelihood of risks surfacing
- Utilizing the HHS’s and other agencies’ resources for risk reporting
- Streamlining implementation with HIPAA and other regulations
Above all else, going it alone should be avoided. Working with a HIPAA advisor to implement, assess, and optimize your compliance is the best way to get the most out of these techniques.
Understanding Risks to PHI
The risk assessment requirement falls under HIPAA's Security Rule, which applies to PHI in electronic form (ePHI), but the kinds of risks that need to be assessed relate primarily to Privacy Rule definitions. Namely, covered entities (i.e., providers, health plans, and clearinghouses) and their business associates (e.g., lawyers, accountants, contractors, and other third parties that handle PHI on a covered entity's behalf) need to identify and assess risks of unauthorized access to protected health information (PHI). Per the Privacy Rule, PHI is individually identifiable health information about a patient's past, present, or future physical or mental health, the care provided, or payment for that care, including the related bills.
Such records need to be stored and protected in such a way that they are readily available to patients upon request (and to HHS for compliance investigations) but otherwise inaccessible. Beyond the exceptions defined as Permitted and Required Uses and Disclosures, PHI needs to be protected against illicit access.
The primary risks that a HIPAA risk analysis is concerned with are breaches, meaning unauthorized and non-permitted uses and disclosures of PHI, together with anything else that compromises the confidentiality, integrity, or availability of ePHI, which is the scope the Security Rule's risk analysis requirement (45 CFR 164.308(a)(1)(ii)(A)) explicitly names.
Other tangential risks include potential barriers to full compliance with other Security Rule requirements, such as implementing and maintaining administrative, physical, and technical safeguards. Yet another consideration is whether your organization has the visibility and communication infrastructure in place to abide by the HIPAA Breach Notification Rule.
Minimizing Your Attack Surface
One of the most effective practices in any cybersecurity deployment is taking measures to reduce the scope of assets and systems that could be impacted by threats. With respect to HIPAA, that means minimizing the amount of identifiable PHI your organization retains, along with the potential pathways cybercriminals could use to access it without proper authorization.
For the former concern, organizations should follow the HHS's guidance on de-identifying PHI (45 CFR 164.514(b)), which recognizes two methods:
- Covered entities may use the expert determination method, in which a qualified expert applies generally accepted statistical and scientific principles, determines that the risk of re-identifying a patient is very small, and documents the methods and results of that analysis.
- Covered entities may also utilize the Safe Harbor method, which requires removing 18 categories of identifiers of the patient and of their relatives, employers, and household members:
- Names and identifying numbers (e.g., Social Security, medical record, health plan, account, certificate, and license numbers)
- Addresses and geographical subdivisions smaller than a state, including ZIP codes; the first three digits of a ZIP code may be kept only if the area sharing those digits has more than 20,000 people, otherwise they must be recorded as 000
- All elements of dates other than the year (birth, admission, discharge, death); for patients over 89, the year must go too, and such ages may only be reported as an aggregate category of 90 or older
- Phone and fax numbers, and serial or identifying numbers specific to devices, vehicles, etc.
- Virtual location information like email addresses, IP addresses, URLs, etc.
- Full-face photographs and comparable images, and biometric identifiers (e.g., fingerprints, voiceprints, iris scans)
- Any other unique identifying number, characteristic, or code
Safe Harbor is satisfied only if, in addition, the covered entity has no actual knowledge that the remaining information could be used to identify the individual.
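The Safe Harbor rules above are mechanical enough to encode. The following is an added example, not code from the original article or from HHS: it applies the identifier removal, ZIP truncation, year-only dates, and the over-89 age rule to a constructed patient record. The field names, the set of restricted three-digit ZIP prefixes, and the list of date fields are assumptions for illustration; a real deployment would derive the restricted prefixes from current Census data and map the field names to its own schema.

```python
"""Safe Harbor de-identification of a patient record (added example, constructed data)."""
from datetime import date

# Direct identifiers that Safe Harbor requires removing outright. ASSUMPTION: the
# key names are hypothetical; map them to your own schema.
DIRECT_IDENTIFIERS = {
    "name", "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "phone", "fax", "email", "url", "ip", "device_serial", "vehicle_id",
    "photo", "biometric",
}

# Date fields that are reduced to the year. ASSUMPTION: hypothetical field names.
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}

# Three-digit ZIP prefixes covering 20,000 people or fewer must be written as "000".
# ASSUMPTION: this set is illustrative only; populate it from current Census data.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203"}


def deidentify_zip(zip_code):
    """Keep the first three ZIP digits unless that prefix is restricted."""
    if not zip_code:
        return None
    prefix = str(zip_code).strip()[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def year_only(iso_date):
    """Reduce an ISO YYYY-MM-DD date to its year."""
    return iso_date[:4] if iso_date else None


def age_on(dob_iso, as_of):
    """Age in completed years on the reference date."""
    y, m, d = (int(part) for part in dob_iso.split("-"))
    dob = date(y, m, d)
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def safe_harbor(record, as_of):
    """Return a new dict with Safe Harbor identifiers removed or generalized."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue  # dropped entirely
        if key == "zip":
            out["zip3"] = deidentify_zip(value)
        elif key in DATE_FIELDS:
            out[key] = year_only(value)
        else:
            out[key] = value  # clinical content (diagnoses, labs) is retained
    if record.get("dob"):
        age = age_on(record["dob"], as_of)
        if age > 89:
            # Ages over 89 are aggregated, and the birth year would reveal the
            # age, so it is removed as well.
            out["age"] = "90 or older"
            out["dob"] = None
        else:
            out["age"] = age
    return out


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "mrn": "MRN-00012345",
    "ssn": "123-45-6789",
    "email": "jane.doe@example.com",
    "ip": "192.0.2.10",
    "dob": "1930-05-14",
    "zip": "02139",
    "admit_date": "2023-08-02",
    "diagnosis": "E11.9",
}

if __name__ == "__main__":
    print(safe_harbor(SAMPLE_RECORD, date(2024, 1, 1)))
```

Running the block on the constructed record drops the name, MRN, SSN, email, and IP, truncates the ZIP to `021`, reduces the admission date to `2023`, and, because the patient is 93, replaces the age with `90 or older` and removes the birth year while keeping the diagnosis code. The age bucket is derived from the reference date passed in, so the same function works for retrospective extracts.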
For the latter concern, organizations should limit the pathways by which PHI can be accessed, starting with the Privacy Rule's minimum necessary standard. The Privacy Rule defines two cases of Required Disclosures, to the individual (upon formal request) and to HHS itself. Outside of these and a few other exemptions (such as disclosures to a provider for treatment), every use, disclosure, and request for PHI, including Permitted Uses and Disclosures such as limited data sets for public health research, must be restricted to the minimum necessary to accomplish its purpose. In practice that means role-based access to PHI systems, with each workforce role granted only the records and fields its duties require.
The same principle applies to all storage and processing of PHI. Keep the least of it that you can, in the fewest places, reachable by the fewest accounts, so that a HIPAA risk assessment has less to inventory and less to protect.
Utilizing Available Resources
There are also several tools and solutions developed by the HHS and other governmental stakeholders that make the HIPAA security risk assessment requirements easier to meet.
For example, the HHS’s guidance on HIPAA risk analysis highlights:
- The Security Content Automation Protocol (SCAP) – Developed by the National Institute of Standards and Technology, SCAP is a set of specifications (XCCDF checklists, OVAL checks, and the CPE, CVE, and CVSS naming and scoring schemes) for expressing security configuration baselines and vulnerability checks in machine-readable form, so that compliant scanners can test systems against them automatically and repeatably. It supports the technical-safeguards portion of an assessment; it does not by itself produce the risk analysis.
- The Security Risk Assessment (SRA) Tool – Developed jointly by the Office of the National Coordinator for Health Information Technology (ONC) and the HHS's Office for Civil Rights (OCR), this downloadable tool is specifically designed for small-to-medium sized covered entities and business associates. It walks through the Security Rule's requirements as a questionnaire, records identified vulnerabilities and the responses to them within the tool itself, and produces a report, along with general compliance guidance.
HHS also points to other NIST resources, such as Special Publications (SPs):
- SP 800-30, the guide for conducting risk assessments that HHS's risk analysis guidance cites directly
- SP 800-115, which specifies technical aspects of security testing and assessment
- SP 800-100, which details managerial considerations for information security programs, including risk management
- SP 800-66, which addresses implementing the HIPAA Security Rule specifically
- SP 800-39, which addresses managing risk across the organization, its missions, and its information systems
These tools, though designed to facilitate compliance, can still be challenging to use without assistance from an advisor. Organizations conducting a HIPAA risk assessment, especially for the first time, should still consider working with a dedicated compliance expert to ensure that their processes satisfy or exceed the HHS’s expectations—with or without using these tools.
Streamlining Compliance Requirements
Finally, organizations should look for ways to cover their HIPAA compliance assessment obligations efficiently alongside other applicable regulatory requirements. One of the best approaches in this respect is implementing a comprehensive framework like HITRUST.
The HITRUST CSF is a massive cybersecurity and compliance framework that encompasses over 100 controls and thousands of granular specifications. The HITRUST Alliance was born out of and remains tied to the healthcare industry, as “HITRUST” initially meant “Health Information Trust Alliance,” and the CSF was initially developed specifically for healthcare organizations.
However, HITRUST now also includes controls that cover other industry- and location-specific compliance requirements. For example, its Control Categories account for the Payment Card Industry (PCI) Data Security Standard (DSS), several NIST SPs (e.g., SP 800-171, applicable to many government contractors), and the American Institute of Certified Public Accountants (AICPA) System and Organization Controls (SOC), including SOC 2 for service organizations.
Implementing the HITRUST CSF and completing HITRUST Certification can empower you to “assess once, report many”—minimizing overlap while maintaining compliance. An Essentials or Implemented Assessment covers one year, whereas a Risk-based Assessment can cover two.
Whatever your compliance needs are, HITRUST is one of the most efficient ways to meet them.
Rethink Your HIPAA Compliance
For organizations preparing for HIPAA compliance, especially for the first time, the Security Rule risk assessment requirements are some of the most nebulous and challenging to navigate. All covered entities and business associates need to take proactive measures to reduce risks to PHI, including monitoring for and addressing threats and vulnerabilities as soon as they arise.
Here at RSI Security, we’ve helped countless organizations satisfy this and all other mandates of HIPAA compliance. We know that discipline up-front unlocks greater freedom later, and we’re committed to helping organizations grow in and across healthcare while maintaining security.
To get started on your HIPAA security risk assessment prep, contact RSI Security today!