A HIPAA risk assessment is crucial for healthcare organizations as it enables them to identify and address security vulnerabilities, thereby ensuring compliance with regulations, safeguarding patient data, and reducing the potential for legal and financial repercussions. Although the requirement to conduct a HIPAA risk assessment appears in the Administrative Safeguards of the Security Rule, it is important covered entities and business associates do not neglect to assess threats to non-electronic PHI protected by the Privacy Rule or other areas of the Administrative Simplification Requirements that could have an operational or financial impact.
Because of where the requirement appears in the Administrative Simplification Regulations, many resources providing HIPAA risk assessment advice tend to focus on assessing compliance with the Security Rule. However, the General Requirements of the Security Rule state covered entities and business associates must:
“Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.”
In the above requirement, “such information” refers to electronic PHI, and “subpart E of this part” refers to the Privacy Rule. Therefore, in order to comply with this requirement, covered entities and business associates (where necessary) should consider events in which PHI may originate in electronic form, but then be disclosed verbally or via a printout.
Such events could violate the Privacy Rule if they constitute (for example) an impermissible disclosure of PHI or a disclosure of more than the minimum necessary PHI. Consequently, an “accurate and thorough” HIPAA risk assessment (as required by 45 CFR §164.308(a)(ii)(A)) should focus on more than just Security Rule compliance.
The Issues with HIPAA Risk Assessments
The primary issue with HIPAA risk assessments is that covered entities and business associates vary in size, complexity, and capabilities. Additionally, most covered entities and business associates are subject to other federal, state, or industry regulations in addition to HIPAA. Therefore, there is no one-size-fits-all HIPAA risk assessment recommended by HHS’ Office for Civil Rights.
Each covered entity or business associate is consequently required to develop its own HIPAA risk assessment and amend it as necessary to reflect operational changes, amendments to – or new – federal, state, and industry regulations, and evolving threats to the privacy of PHI and the confidentiality, integrity, and availability of electronic PHI.
There is also an issue with what risks an organization is trying to assess. In addition to complying with the Security Rule and protecting against any reasonably anticipated impermissible uses and disclosures of PHI, organizations may also need to assess their compliance with other elements of HIPAA to avoid sanctions for violations that do not result in a data breach.
These include, but are not limited to, the failure to use the correct transaction codes in billing operations, the failure to respond to a patient access requests, or the failure to notify an individual of an impermissible disclosure. All of these events can prompt complaints to HHS, time-consuming compliance investigations, disruptive corrective action plans, and – potentially – civil penalties.
How to Compile a Thorough HIPAA Risk Assessment
The first stage of compiling a thorough HIPAA risk assessment is determining what should be assessed. If your organization is confident it complies with the General Requirements, the Part 162 Regulations, and all applicable standards in the Privacy and Breach Notification Rules, it may not be worth reviewing existing policies and procedures as part of a HIPAA risk assessment.
However, if your organization has concerns that (for example) treatment authorizations are taking longer to be approved, the HIPAA Privacy Officer is overworked, or that HHS’ Office for Civil Rights has been in touch requesting documentation to respond to a complaint, you should include these elements in a HIPAA risk assessment as they may be indicators of more serious vulnerabilities.
Thereafter, it is important to remember the three key elements of a risk management program are people, processes, and technology. This means that if you have technology for (say) assigning unique user IDs to each member of the workforce, you also have to determine whether IDs are being disclosed or shared by users , and – if so – what the process should be for reporting disclosures and preventing ID sharing.
As mentioned previously, there is no one-size-fits-all HIPAA risk assessment. However, we have prepared a risk assessment tip sheet designed to provide ideas on the nature of content you may wish to include in your organization’s HIPAA risk assessment. You are invited to download the tip sheet and use it to help develop your own HIPAA risk assessment or help fill gaps in an existing assessment.
Please note, our risk assessment tip sheet does not cover every possible risk or vulnerability covered entities or business associates may encounter, and includes some that will not be applicable to all covered entities or business associates. If you are unsure about any of the content included in our tip sheet or how to compile a thorough HIPAA risk assessment, you should seek professional compliance advice.