When is the last time your organization conducted a risk analysis? For most organizations, the answer is far too long ago. It may seem complicated to do a risk analysis, but it is one of the key factors for maintaining HIPAA compliance. Not sure where to start? This post will give you a crash course on risk analysis. Surprisingly, this is a common point of failure for many organizations during a HIPAA audit. Ready to learn how to create your own risk analysis and what to include? Keep reading to learn what you're expected to know in the event of an audit.

What is risk analysis?

Before we jump into how to conduct a risk analysis, let's look at what this term actually means. According to the HIPAA Security Rule, risk analysis is defined as an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.” The terms risk analysis and risk assessment are often used interchangeably, but they actually have two different meanings. Next, we'll take a closer look at risk analysis and risk assessment.

Risk analysis vs. risk assessment

First, let's talk about risk analysis. Risk analysis is the first step you take to set up and maintain security policies. In contrast, a risk assessment will help you determine whether a PHI breach falls within the guidelines that require it to be reported. These two things go hand in hand, but confusion about what each one means individually is what sets many organizations up to fail. The good news is that, now that you know the difference, you can move ahead with the knowledge that will help you be HIPAA compliant.

Why is risk analysis a common point of failure?

Here's a scary fact: one of the most common HIPAA violations is not performing a risk analysis or risk assessment. The question is, why are so many providers not completing these activities even though they're a critical part of maintaining HIPAA compliance? Often, this comes down to confusion. There's not a lot of education on what a risk analysis is, what it should include, and why it is a critical part of compliance. In the next few sections, we'll dig into the risk analysis guidelines and how your organization can create the right documentation.

What does a risk analysis need to include?

This is where things start to get a little bit complex. The US Department of Health & Human Services (HHS) doesn't provide specific recommendations for what a risk analysis should include, because organizations differ in both size and complexity. However, there is an objective that you should keep in mind when you're conducting a HIPAA risk analysis. You should aim to identify risks and vulnerabilities to the confidentiality, availability, and integrity of all protected health information (PHI) that your organization creates or transmits. So, how can your organization properly conduct a risk analysis? The HHS does provide some points to consider:

  • Have you identified the e-PHI within your organization? This includes e-PHI that you create, receive, maintain or transmit.
  • What are the external sources of e-PHI? For example, do vendors or consultants create, receive, maintain or transmit e-PHI?
  • What are the human, natural, and environmental threats to information systems that contain e-PHI?

The most important thing to remember is that your organization needs to create a process for risk assessments. These assessments are not something that you complete one time and walk away from. You should conduct new assessments on a basis that makes sense for your organization, especially when your organization changes or you introduce new technologies.

Elements of a risk analysis

While there isn't guidance on the exact documentation that should be included in a risk analysis, the HHS does provide a list of elements that your analysis should include. Here's a look at each one:

Scope of Analysis

The scope of risk analysis includes the potential risks and vulnerabilities to the confidentiality, availability, and integrity of all e-PHI that an organization transmits or creates. This includes PHI in all forms of media, such as hard drives, portable electronic media, and each workstation in your organization.

Data Collection

An organization should identify how e-PHI is stored and transmitted and document these findings.

Identify Threats and Vulnerabilities

Organizations should identify and document potential threats to e-PHI. Here, it's important to consider the circumstances that are unique to your organization and environment.

Document Current Security Measures

Now, you should assess and document the security measures your organization takes to safeguard e-PHI and whether they are used properly.

Document Likelihood of Threat Occurrence

Your entity should document the probability of risks to e-PHI. After completing this step, you should have documentation of all possible threat and vulnerability combinations.

Determine the Impact of Threat Occurrence

Next, you measure and assess the magnitude of the impact that would result from each specific vulnerability.

Determine the Level of Risk

Lastly, organizations should assign risk levels to the threats and vulnerabilities identified during the risk analysis. The resulting documentation should help you prioritize which risks to address first and the accompanying actions.
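To make the elements above concrete, here is an added example (not from the original post or from HHS) of a minimal risk register that records each element for an e-PHI asset and turns likelihood and impact into a risk level for prioritization. The 1 to 3 scales, the level cut-offs and the sample clinic entries are constructed assumptions; your own scale and entries will differ.

```python
from dataclasses import dataclass

@dataclass
class RiskEntry:
    asset: str          # where e-PHI lives or moves (from data collection)
    threat: str         # human, natural or environmental threat
    vulnerability: str  # weakness that threat could exploit
    safeguards: tuple   # current security measures already in place
    likelihood: int     # 1 = rare, 2 = possible, 3 = likely (assumed scale)
    impact: int         # 1 = minor, 2 = moderate, 3 = severe (assumed scale)

    def __post_init__(self):
        # An out-of-range score would silently skew the whole priority list.
        for name in ("likelihood", "impact"):
            if getattr(self, name) not in (1, 2, 3):
                raise ValueError(f"{name} must be 1, 2 or 3 for {self.asset}")

    def score(self) -> int:
        return self.likelihood * self.impact

    def level(self) -> str:
        # Assumed 3x3 matrix: 1-2 Low, 3-4 Medium, 6-9 High.
        s = self.score()
        return "Low" if s <= 2 else ("Medium" if s <= 4 else "High")

def prioritize(register):
    """Highest score first; ties broken by asset name so output is stable."""
    return sorted(register, key=lambda e: (-e.score(), e.asset))

def summarize(register):
    """Count entries per risk level for the report's summary section."""
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for e in register:
        counts[e.level()] += 1
    return counts

def sample_register():
    """Constructed sample entries for a small clinic (illustration only)."""
    return [
        RiskEntry("Laptop with exported patient records", "Device theft",
                  "Disk not encrypted", ("Screen lock",), 2, 3),
        RiskEntry("EHR database server", "Ransomware",
                  "Operating system unpatched", ("Nightly backups",), 3, 3),
        RiskEntry("Billing vendor file transfer", "Interception in transit",
                  "Vendor can fall back to plain FTP", ("SFTP by default",), 1, 2),
        RiskEntry("Front-desk workstation", "Shoulder surfing",
                  "Monitor faces waiting room", ("Privacy screen",), 2, 2),
    ]

if __name__ == "__main__":
    for e in prioritize(sample_register()):
        print(f"{e.level():6} {e.score()}  {e.asset}: {e.threat} via {e.vulnerability}")
```

Each entry maps directly onto the HHS elements: asset (scope and data collection), threat and vulnerability, safeguards (current measures), likelihood, impact, and the computed level used to order remediation.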

What should happen after your organization conducts a risk analysis?

Risk mitigation is the next step in this process. In our next post for the HIPAA audit content series, we'll discuss how to take action based on what you discover. You'll learn how to form a plan and start addressing vulnerabilities you may uncover.

Wrapping Up

The bottom line here is that risk analysis is something your organization should do on a regular basis and document well. What that documentation looks like will vary from entity to entity, but these guidelines are a great starting point for determining what your organization should include. Understanding this process is key to maintaining HIPAA compliance and passing a potential audit. Want to stay up to date on our HIPAA audit content series? You can check out all our content, including new parts of the series, by visiting our blog.