

How can HIPAA security risk analysis help with compliance?

HHS recommends security risk analysis as an early step to become HIPAA compliant, so how should organizations put this tip into practice?

A HIPAA violation case ruling from HHS proves yet again that following compliance requirements isn't enough to keep an organization secure. One of the HHS's recommendations is to conduct risk assessments before implementing a HIPAA security policy. How should organizations go about taking this extra step and how should they use the results in obtaining compliance?

In the case of Anchorage Community Mental Health Services, ACMHS agreed to a settlement with HHS over an alleged HIPAA violation. The settlement stems from a breach of electronic protected health information (ePHI) belonging to 2,743 individuals. HHS alleged that the breach resulted from a malware infection at ACMHS. ACMHS cooperated with the investigation and agreed to pay $150,000 and adopt a corrective action plan to prevent another breach.

In its announcement of the settlement, HHS stated that "the security incident was the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software." In other words, HHS called out the absence of sound risk assessment practices at ACMHS. One correction to the question above: performing a security risk analysis is not a "recommendation" from HHS. It is a required implementation specification of the HIPAA Security Rule, and it is the step that should have surfaced the unpatched and unsupported systems before the malware did.

How should a covered entity perform a risk analysis? Fortunately, we don't have to guess: in 2010 HHS issued a document entitled Guidance on Risk Analysis Requirements Under the HIPAA Security Rule. In that guidance, HHS recommends following an industry-standard process, such as the one outlined in NIST SP 800-66. HIPAA itself does not prescribe a particular method; the Security Rule (45 CFR 164.308(a)(1)(ii)(A)) only states that organizations must "conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information."

While HHS allows covered entities leeway in the risk assessment process they follow, it does impose some requirements. First, the scope must include all ePHI the organization creates, receives, maintains or transmits, wherever it lives, not just the systems labeled as clinical. The organization must identify every use of that ePHI and then identify and document the threats and vulnerabilities that could affect it. Next, it must assess the security measures currently in place and evaluate them against those threats by rating the likelihood that each threat will occur and the impact if it does. The resulting information is compiled into a risk assessment report, which must be reviewed and updated periodically, including whenever the environment changes materially (new systems, new vendors, software reaching end of support).

Remember that performing a security risk analysis is only the starting point; the security program must be designed around its results. Where the analysis finds unmitigated risks, design and implement security controls that reduce them to a level the organization can accept for its ePHI, and record that decision in the report so the next review can verify the control is still in place.
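To make the steps above concrete, here is an added example (it is not code from the article, HHS or NIST) that runs a simplified, qualitative risk analysis over a constructed ePHI asset inventory: it scopes to systems that handle ePHI, derives threat/vulnerability pairs from end-of-support dates and patch lag (the two problems HHS cited at ACMHS), credits current security measures, rates likelihood and impact on a 1-3 scale, and flags risks that exceed the organization's tolerance as requiring a control. The asset data, the 30-day patch SLA, the control-to-threat mapping, the scoring scales and the tolerance of 4 are all assumptions made for illustration; NIST SP 800-30 describes the general approach but prescribes none of these values.

```python
"""Simplified HIPAA Security Rule risk analysis over a constructed ePHI inventory.

Added example, not from the article, HHS or NIST. All scales, thresholds and
asset data below are assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

ASSESSMENT_DATE = date(2015, 5, 1)  # assumed date of this review
PATCH_SLA_DAYS = 30                  # assumed: a patch backlog older than this is a vulnerability
RISK_TOLERANCE = 4                   # assumed: residual score above this must be remediated


@dataclass(frozen=True)
class Asset:
    name: str
    handles_ephi: bool               # creates, receives, maintains or transmits ePHI
    os: str
    os_end_of_support: Optional[date]  # None: vendor still ships fixes
    last_patched: date
    ephi_records: int                # individuals whose ePHI the system holds
    controls: frozenset              # current security measures, e.g. "antimalware"


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int                  # 1 low .. 3 high, after credit for controls
    impact: int                      # 1 low .. 3 high

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


# Assumed mapping: each listed control lowers the likelihood of that threat by one level.
MITIGATIONS = {
    "malware exploiting unpatched software": {"network_segmentation", "host_firewall"},
    "malware delivered via user action": {"antimalware", "application_allowlisting"},
}


def impact_level(records: int) -> int:
    """Qualitative impact. 500 or more affected individuals is the tier the HIPAA
    Breach Notification Rule treats as a large breach, so rate it high."""
    if records >= 500:
        return 3
    if records > 0:
        return 2
    return 1


def find_vulnerabilities(a: Asset) -> list:
    """Step 2: (threat, vulnerability, inherent likelihood before controls)."""
    found = []
    if a.os_end_of_support is not None and a.os_end_of_support <= ASSESSMENT_DATE:
        found.append(("malware exploiting unpatched software",
                      f"{a.os} unsupported since {a.os_end_of_support}; no fixes will ship", 3))
    lag = (ASSESSMENT_DATE - a.last_patched).days
    if lag > PATCH_SLA_DAYS:
        found.append(("malware exploiting unpatched software",
                      f"available patches not applied for {lag} days", 2 if lag <= 180 else 3))
    if "antimalware" not in a.controls:
        found.append(("malware delivered via user action",
                      "no anti-malware on a system holding ePHI", 2))
    return found


def residual_likelihood(threat: str, inherent: int, controls: frozenset) -> int:
    """Step 3: credit current measures that are relevant to this threat."""
    credit = len(MITIGATIONS.get(threat, set()) & controls)
    return max(1, inherent - credit)


def risk_register(inventory: list) -> list:
    """Steps 1-4: scope to ePHI systems, rate every finding, highest score first."""
    register = []
    for a in inventory:
        if not a.handles_ephi:
            continue  # out of scope for the Security Rule analysis
        impact = impact_level(a.ephi_records)
        for threat, vuln, inherent in find_vulnerabilities(a):
            register.append(Risk(a.name, threat, vuln,
                                 residual_likelihood(threat, inherent, a.controls), impact))
    return sorted(register, key=lambda r: r.score, reverse=True)


def unmitigated(register: list) -> list:
    """Risks that exceed tolerance and therefore need a new or stronger control."""
    return [r for r in register if r.score > RISK_TOLERANCE]


def report(register: list) -> str:
    lines = [f"Risk analysis as of {ASSESSMENT_DATE} (tolerance {RISK_TOLERANCE})"]
    for r in register:
        action = "REMEDIATE" if r.score > RISK_TOLERANCE else "accept/monitor"
        lines.append(f"{r.score:>2} L{r.likelihood} I{r.impact} {r.asset:12} "
                     f"{r.threat}: {r.vulnerability} -> {action}")
    return "\n".join(lines)


# Constructed inventory (not real systems); the XP end-of-support date is the real one.
SAMPLE_INVENTORY = [
    Asset("billing-ws01", True, "Windows XP", date(2014, 4, 8), date(2014, 3, 1),
          2743, frozenset({"antimalware"})),
    Asset("ehr-db01", True, "Windows Server 2012 R2", None, date(2015, 4, 20),
          2743, frozenset({"antimalware", "network_segmentation"})),
    Asset("kiosk-lobby", False, "Windows XP", date(2014, 4, 8), date(2013, 1, 1),
          0, frozenset()),
    Asset("dictation-srv", True, "Ubuntu 14.04", None, date(2015, 3, 1),
          120, frozenset()),
]

if __name__ == "__main__":
    print(report(risk_register(SAMPLE_INVENTORY)))
```

Two points the output makes that the prose alone does not: the lobby kiosk, though in far worse shape than anything else, produces no finding because it holds no ePHI and is out of scope, while the billing workstation's anti-malware earns no credit against the unsupported-OS threat because it is not a relevant control for it. In a real analysis the register would also carry the owner, the chosen control and the next review date for each entry, so that the report can be updated rather than rewritten.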

Ask the Expert:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today. (All questions are anonymous.)


This was last published in May 2015
