6 Simple Steps to Conduct a HIPAA Risk Assessment

Healthcare providers and insurers may sigh in relief at the Department of Health and Human Services’ Office for Civil Rights’ delays in HIPAA audits, but recent data breaches and cybersecurity attacks suggest that they should not wait in performing HIPAA security risk assessments and reevaluating security reinforcements.

HIPAA establishes the standard for protecting sensitive patient data, and its flexible design enables healthcare entities to establish their own policies and procedures that work best for their own operations and the protection of their facilities’ private health information (PHI). Without completing a HIPAA risk assessment and understanding your organization’s vulnerabilities, however, it’s nearly impossible to properly create and implement HIPAA policies and procedures, much less safeguard private and personal patient information.

What steps should healthcare organizations take to undergo a HIPAA risk assessment and prepare for an audit?

1. Review the HIPAA Privacy, Security and Breach Notification Rules carefully. A lot has been published on HIPAA, leading to some confusion and misunderstanding, and it’s important to go back to the original source to ensure you understand the rules for yourself.
2. Analyze your organization’s current practices, technologies and tools — and the risks they present. Identify:
   • What systems access and store data
   • What personal devices (including cell phones, laptops and tablets) have access to data
   • What type of data is stored in each system or application
   • When and by whom data is accessed
   • What types and levels of security each type of data needs
   • Potential threats, both internal and external (human, natural, environmental and technological)
   • Likelihood of occurrence and severity of each type of risk
   • What types of protections are in place and how often they’re reviewed
   • Looking for more guidance on preparing for your HIPAA audit by building a stronger healthcare compliance program? Download our FREE eBook: 7 Elements of an Effective Healthcare Compliance Program.
   
   
3. Compare your organization’s processes to the three categories of HIPAA safeguards, as defined in the Security Rule:
   • Administrative safeguards — Designate staff to create and implement HIPAA policies and procedures. Then, ensure employees are properly trained on and acknowledge that they understand the policies and procedures. Use employee training software and/or a policy management system to ensure employees are properly trained in HIPAA compliance.
   • Physical safeguards – Determine how your organization will protect PHI that is stored on flash drives, external hard drives, tablets, laptops, desktops, servers and paper.
   • Technical safeguards – Consult with your IT team on how to control permission levels, user authentication and transmission security, as well as prevent data corruption and hacking.
4. Use the OCR website’s security risk assessment (SRA) tool, which offers 156 “yes” or “no” questions about your policies and procedures.
5. Look at compliance best practices, guidance and other articles from federal oversight agencies, healthcare associations and other industry leaders. Learn from their mistakes, challenges and successes. Read about other organizations’ audit experiences.
6. Share what you learn about the HIPAA Security and Privacy rules with your staff. It’s important that your staff knows what threats exist, how detrimental those threats can be and how they can do their part in preventing threats from coming to fruition.

Most importantly, recognize that risk analysis should be an ongoing process. As technology and healthcare regulations evolve, so do potential security risks and non-compliance issues, so it’s critical to continually evaluate and update your organization’s processes and protections to lessen the threats of security breaches and non-compliance.