BLOG: Health care regulatory 101: HIPAA security risk assessments
Key takeaways:
- Ransomware, data exfiltration and data deletion are threats to medical practices.
- Security risk assessments are required under the HIPAA Security Rule.
Most medical practices subject to the HIPAA Security Rule have adopted administrative, physical and technical safeguards for electronic protected health information, as the rule requires.
However, even the most sophisticated safeguards may prove vulnerable to future threats, including ransomware, data exfiltration and data deletion. Complying with the HIPAA Security Rule on an ongoing basis therefore requires periodic security risk assessments that test whether existing safeguards are still effective. To help your practice satisfy its data security obligations under HIPAA, let’s go through some of the basics of a security risk assessment.
What is a security risk assessment?
A security risk assessment (SRA) is required under the HIPAA Security Rule provision codified at 45 C.F.R. § 164.308(a)(1)(ii)(A). That provision states that “[a] covered entity or business associate must ... [c]onduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.” The HHS Office for Civil Rights (OCR), the HHS component responsible for enforcing the Security Rule, has published written guidance to elaborate on this requirement. The guidance makes clear that there is no single “correct” way to conduct an SRA. But in the guidance, OCR outlines some of an SRA’s key components, including:
- identification of the electronic protected health information (e-PHI) within the organization;
- identification of external sources of e-PHI;
- identification of the human, natural and environmental threats to information systems that contain e-PHI;
- determination of the likelihood of threat occurrence, the potential impact if a threat is realized, and the resulting level of risk;
- assessment of current security measures;
- documentation of each component of the risk analysis; and
- periodic review and updates to the risk assessment.
When should I conduct a security risk assessment?
The Security Rule does not prescribe a fixed interval, but a common practice is to conduct an SRA at least annually, and more frequently if there are changes to your practice’s operations that might have an impact on the confidentiality, integrity or availability of e-PHI. For example, if your practice implements a new electronic health records system or begins offering telehealth services, a new SRA may be appropriate to determine whether new or updated security measures are needed.
How do I conduct a security risk assessment?
As noted, there is no one-size-fits-all method for conducting an SRA. To help organizations design their own SRAs based on common principles, OCR and the HHS Office of the National Coordinator for Health IT (ONC) have developed a downloadable security risk assessment tool. The tool walks through the HIPAA Security Rule safeguards as a series of questions and provides a method to document how your organization implements safeguards to mitigate, or plans to mitigate, identified risks.
In addition, many vendors offer to assist with HIPAA security risk assessments. If you choose to use such a vendor, you may want to probe the vendor’s experience and understanding of the HIPAA Security Rule requirements. Some vendors may offer informal security analysis services that do not meet HIPAA’s requirements; a HIPAA-covered entity or business associate that relies on a vendor to conduct its SRA will not be let off the hook if the selected vendor doesn’t do a thorough job.
What should I do with the information from my assessment once it’s completed?
After you’ve completed and documented your SRA, your practice may have work to do to address vulnerabilities or compliance gaps identified during the SRA. The HIPAA Security Rule’s risk management provision, 45 C.F.R. § 164.308(a)(1)(ii)(B), requires regulated entities to “implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.” For any medium- or high-level risks uncovered by your SRA, your practice must address the underlying issue to reduce the risk, or document why accepting the residual risk is reasonable and appropriate. This step, too, should be carefully documented.
What happens if no security assessment is completed?
It is often said that an ounce of prevention is worth a pound of cure. In the case of an SRA, it may be worth several pounds. Not only could the failure to complete an SRA result in significant fines and scrutiny by OCR, but it could also prevent a practice from discovering security risks and therefore from preventing or correcting breaches in a timely manner.
If you are pursuing a sale of your practice, the buyer will likely expect the practice to make representations in the purchase agreement that the practice complies with all applicable privacy laws and regulations, including the HIPAA Security Rule, and to disclose whether the practice has experienced any data security issues. If your practice does not meet appropriate standards, the buyer may expect you and other owners of the practice to financially bear the risks of any shortcomings, even after the sale is completed.
References:
- 45 CFR § 164.308 - Administrative safeguards. https://www.law.cornell.edu/cfr/text/45/164.308. Accessed May 26, 2023.
- Guidance on risk analysis requirements under the HIPAA Security Rule. https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf. Published July 14, 2010. Accessed May 26, 2023.
- Security risk assessment tool. https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool. Accessed May 26, 2023.