Risk analysis is an ongoing process that should provide an organization with a detailed understanding of its risks and information necessary to address those risks in a timely manner, and the means to reduce associated risks to reasonable and appropriate levels.
Any health care practitioner who collects, manages, and stores patient information faces the risk that his or her data may be lost, misused, or accessed by or disclosed to unauthorized individuals. While technology (eg, encryption) may provide some level of protection, it is only one component of an effective security program.
The Health Insurance Portability and Accountability Act (HIPAA) Security and Privacy Rules apply to all covered entities, regardless of size, and require the implementation of administrative, technical, and physical safeguards. The first step, required under the Security Rule's Administrative Safeguards, is to perform a risk analysis. The HIPAA risk analysis requirement specifically states:
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the organization.
Although the Security Rule applies only to electronic health information, the Privacy Rule requires safeguarding any type or medium of protected health information (PHI). Steps to perform a risk analysis are:
1. Identify the information that your practice collects, manages, and shares. How can you protect something when you don’t know what you have to protect? Many health care organizations perform some type of security assessment and develop privacy and security policies, but many don’t take the crucial first step and actually perform an inventory of their organization’s personal information and understand the internal and external flow of that information.
2. Identify third-party risks. What are the external sources of PHI? Do you work with vendors or consultants who create, receive, maintain, or share the personal information of your patients? Have you implemented third-party agreements requiring information safeguards and HIPAA compliance?
3. Identify and document potential threats and vulnerabilities. How do employees access personal information? How do you restrict unauthorized access to information? Have your employees been trained to access and protect PHI appropriately? Do you currently encrypt the information that you store or transmit?
4. Assess security measures, policies, and procedures. Do you have the appropriate policies and procedures in place to reduce risks and vulnerabilities? Have you assigned security responsibility? Do you have policies and procedures in place regarding access and storage of PHI? Do you share information with third parties and have agreements in place that require them to safeguard your information?
5. Determine the level of risk and potential impact of threats. A smaller organization (eg, a solo practice) may have more control. However, such organizations are still required to determine their level of risk and the impact of all threats and vulnerabilities that may affect the “confidentiality, integrity, and availability of electronic protected health information held by the organization.”
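As an added worked example (it is not part of the article), the five steps above carried through as a small risk register in Python: an inventory of PHI and its flows, a list of third parties and whether an agreement is on file, documented threats with their existing controls, and a likelihood-times-impact rating for each. HIPAA prescribes no scoring scale, so the 1-5 scales, the level thresholds, the rule that each documented control lowers likelihood by one, and the sample practice data are all assumptions constructed for this illustration.

```python
"""Constructed risk-register example for the five risk-analysis steps (not from the
article). HIPAA prescribes no scoring scale: the 1-5 likelihood and impact scales,
the level thresholds, and the 'one control lowers likelihood by one' rule are
assumptions made for this illustration."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class PhiAsset:
    """Step 1: one inventoried item of PHI and where it flows."""
    name: str
    medium: str                # "electronic" (Security Rule) or "paper" (Privacy Rule)
    flows_to: list[str]        # internal roles or external parties that receive it
    encrypted_at_rest: bool = False
    encrypted_in_transit: bool = False


@dataclass
class ThirdParty:
    """Step 2: an external party that creates, receives, maintains or shares PHI."""
    name: str
    has_agreement: bool        # agreement requiring safeguards and HIPAA compliance


@dataclass
class Threat:
    """Step 3: a threat or vulnerability against one asset, with its step 4 controls."""
    asset: str
    description: str
    likelihood: int            # 1 (rare) .. 5 (expected)   -- assumed scale
    impact: int                # 1 (negligible) .. 5 (severe) -- assumed scale
    controls: list[str] = field(default_factory=list)


def risk_level(score: int) -> str:
    """Step 5: map a likelihood*impact score (1..25) to a level (assumed thresholds)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def residual_likelihood(t: Threat) -> int:
    """Assumption: each documented control lowers likelihood by one, never below 1."""
    return max(1, t.likelihood - len(t.controls))


def unencrypted_electronic(assets: list[PhiAsset]) -> list[str]:
    """Step 3 check: electronic PHI that is stored or transmitted without encryption."""
    return [a.name for a in assets
            if a.medium == "electronic"
            and not (a.encrypted_at_rest and a.encrypted_in_transit)]


def third_party_gaps(assets: list[PhiAsset], parties: list[ThirdParty],
                     internal_roles: set[str]) -> list[tuple[str, str]]:
    """Steps 2 and 4 check: PHI flowing to an external party with no agreement on file.
    A recipient that is neither an internal role nor a listed party is also a gap."""
    agreements = {p.name: p.has_agreement for p in parties}
    gaps = []
    for a in assets:
        for recipient in a.flows_to:
            if recipient in internal_roles:
                continue
            if not agreements.get(recipient, False):
                gaps.append((a.name, recipient))
    return gaps


def build_register(threats: list[Threat]) -> list[dict]:
    """Step 5: score every documented threat and rank by residual risk, highest first."""
    rows = []
    for t in threats:
        inherent = t.likelihood * t.impact
        residual = residual_likelihood(t) * t.impact
        rows.append({"asset": t.asset, "threat": t.description,
                     "inherent": inherent, "residual": residual,
                     "level": risk_level(residual), "controls": list(t.controls)})
    return sorted(rows, key=lambda r: r["residual"], reverse=True)


# Constructed sample data for a small practice (not real systems or vendors).
INTERNAL_ROLES = {"front desk", "clinician"}
ASSETS = [
    PhiAsset("EHR database", "electronic", ["clinician", "billing vendor"],
             encrypted_at_rest=True, encrypted_in_transit=True),
    PhiAsset("Lab results sent by email", "electronic", ["referring clinic"]),
    PhiAsset("Paper intake forms", "paper", ["front desk"]),
]
THIRD_PARTIES = [ThirdParty("billing vendor", True), ThirdParty("referring clinic", False)]
THREATS = [
    Threat("Lab results sent by email", "Unencrypted email misaddressed or intercepted", 4, 4),
    Threat("EHR database", "Lost or stolen laptop with cached records", 3, 5,
           ["full-disk encryption", "remote wipe"]),
    Threat("Paper intake forms", "Forms left visible at reception", 3, 2, ["clean-desk policy"]),
    Threat("EHR database", "Former employee's account never disabled", 2, 5),
]

if __name__ == "__main__":
    for gap in third_party_gaps(ASSETS, THIRD_PARTIES, INTERNAL_ROLES):
        print("no agreement on file:", gap)
    for name in unencrypted_electronic(ASSETS):
        print("unencrypted ePHI:", name)
    for row in build_register(THREATS):
        print(f"{row['level']:6} residual={row['residual']:2} inherent={row['inherent']:2} "
              f"{row['asset']}: {row['threat']}")
```

The register keeps both the inherent and the residual score so that the documentation the Security Rule asks for (the risk found, and the steps taken to mitigate it) is visible in one row; the sort puts the unmitigated email exposure and the orphaned account ahead of the laptop threat that existing controls already reduce.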
HIPAA security compliance requirements provide some flexibility, which is based on an organization’s size and complexity. However, performing a risk analysis and documenting risks and steps taken to mitigate those risks is a requirement of the Security Rule. Finally, risk analysis is not a one-time exercise. Rather, it is an ongoing process that should provide an organization with a detailed understanding of its risks and information necessary to address those risks in a timely manner, and the means to reduce associated risks to reasonable and appropriate levels.