
How can HIPAA security risk analysis help with compliance?

HHS recommends security risk analysis as an early step to become HIPAA compliant, so how should organizations put this tip into practice?

A HIPAA violation case ruling from HHS proves yet again that following compliance requirements isn't enough to keep an organization secure. One of the HHS's recommendations is to conduct risk assessments before implementing a HIPAA security policy. How should organizations go about taking this extra step, and how should they use the results in obtaining compliance?

In the case of Anchorage Community Mental Health Services, ACMHS agreed to a settlement with HHS regarding an alleged HIPAA violation. The fine and settlement are based on the breach of electronic protected health information (ePHI) belonging to 2,743 individuals. HHS alleged that the breach resulted from a malware infection at ACMHS. ACMHS cooperated with the investigation and agreed to pay a $150,000 fine and adopt corrective measures to prevent another breach.

In their announcement of the breach settlement, HHS stated that "the security incident was the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software." HHS pointed out the lack of sound risk assessment practices at ACMHS. One correction, however, is that performing a security risk analysis is not a "recommendation" from HHS but is, in fact, a mandatory component of HIPAA Security Rule implementation.

How should a covered entity perform a risk assessment? Fortunately, we don't have to guess -- HHS issued a document entitled Guidance on Risk Analysis Requirements Under the HIPAA Security Rule in 2010. In this guidance, HHS recommends following an industry standard process, such as the one outlined in NIST SP 800-66. HIPAA does not prescribe a precise process, but states organizations must "conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information."

While HHS allows covered entities leeway in the risk assessment process they follow, it does impose some requirements. First, the scope must include all ePHI created, received, maintained or transmitted by the organization. The organization must identify all uses of ePHI and then identify and document the potential threats and vulnerabilities to that ePHI. It must then assess current security measures and evaluate them against the threats by examining the likelihood that a threat will occur and the potential impact if it does. This information is then used to prepare a final risk assessment report, which must be reviewed and updated on a periodic basis.

Remember that simply performing a security risk analysis is not enough -- you must design the security program around the results. If you find unmitigated risks, design and implement security controls that provide an adequate level of protection for the organization's ePHI.
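The risk analysis steps above (inventory ePHI assets, pair each with its threats and vulnerabilities, credit the security measures already in place, rate likelihood and impact, and report what remains unmitigated) map naturally onto a small risk register. The following is an added example, not code from the article or from HHS: it uses a three-level qualitative scale and a simple rule that existing controls lower likelihood but not impact, both of which are assumptions for illustration (HIPAA prescribes no scoring scheme), and the register entries are constructed, with the first one echoing the unpatched-software scenario HHS described.

```python
from dataclasses import dataclass, field
from typing import List

# Qualitative three-point scale; an assumption for this example, since neither
# HIPAA nor the HHS guidance prescribes a particular scoring scheme.
LEVELS = {"low": 1, "medium": 2, "high": 3}

# How much an existing safeguard is assumed to lower the likelihood level.
CONTROL_REDUCTION = {"none": 0, "partial": 1, "adequate": 2}


@dataclass
class Risk:
    """One row of the register: a threat/vulnerability pair against an ePHI asset."""
    asset: str                      # system that creates, receives, maintains or transmits ePHI
    threat: str
    vulnerability: str
    likelihood: str                 # "low" / "medium" / "high"
    impact: str                     # "low" / "medium" / "high"
    controls: List[str] = field(default_factory=list)
    control_effectiveness: str = "none"   # "none" / "partial" / "adequate"


def inherent_score(risk: Risk) -> int:
    """Likelihood x impact before any current security measures are credited."""
    return LEVELS[risk.likelihood] * LEVELS[risk.impact]


def residual_score(risk: Risk) -> int:
    """Likelihood x impact after crediting the controls already in place.

    Controls are assumed to lower likelihood, never impact: a disclosed record
    is just as damaging however unlikely the disclosure was made.
    """
    residual_likelihood = max(
        1, LEVELS[risk.likelihood] - CONTROL_REDUCTION[risk.control_effectiveness])
    return residual_likelihood * LEVELS[risk.impact]


def unmitigated(register: List[Risk], threshold: int = 4) -> List[Risk]:
    """Risks whose residual score is still at or above the acceptance threshold, worst first."""
    return sorted((r for r in register if residual_score(r) >= threshold),
                  key=residual_score, reverse=True)


def report(register: List[Risk]) -> List[str]:
    """Plain-text lines for the risk assessment report, worst residual risk first."""
    open_items = unmitigated(register)
    lines = []
    for r in sorted(register, key=residual_score, reverse=True):
        status = "UNMITIGATED" if r in open_items else "accepted"
        lines.append(f"{r.asset:12} inherent={inherent_score(r)} residual={residual_score(r)} "
                     f"{status}: {r.threat} via {r.vulnerability}")
    return lines


# Constructed sample register (not real ACMHS data); the first entry mirrors the
# unpatched, unsupported software scenario HHS described in the settlement.
SAMPLE_REGISTER = [
    Risk("billing-app", "malware infection", "unpatched, unsupported OS", "high", "high"),
    Risk("ehr-db", "unauthorized record access", "shared logins", "medium", "high",
         ["unique user IDs", "audit logging"], "adequate"),
    Risk("error-logs", "ePHI disclosure", "PHI written to error logs/emails", "medium", "medium",
         ["log scrubbing"], "partial"),
    Risk("laptops", "device theft", "no full-disk encryption", "medium", "high"),
]

if __name__ == "__main__":
    for line in report(SAMPLE_REGISTER):
        print(line)
```

Running it lists the billing application and the unencrypted laptops as the two items still above the acceptance threshold, which is exactly the list the security program then has to be designed around; the entries whose controls already bring the residual score down are recorded as accepted so the periodic review can revisit that decision.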

Ask the Expert:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today. (All questions are anonymous.)

Next Steps

Get further information on the rules for HIPAA security risk analysis

This was last published in May 2015

1 comment

According to the article, it's actually a necessity, not just a recommendation. At my organization, I was not involved in the initial risk assessment, but my team was required to document each one of the applications that we are responsible for, and how each of them interacts with PHI, if at all.

It was no simple task as we support over 160 applications, some of which we inherited from other groups and know little about. In some of the systems, we had to make changes to how information including PHI was stored or communicated (e.g., in error logs or emails). HIPAA is such a pain, in my opinion! Both from a consumer and from an administration perspective.