HIPAA Security Risk Assessment
Protecting electronic protected health information (e-PHI) from data breach, theft, and misuse has never been more essential.
The Administrative Safeguards of the HIPAA Security Rule require covered entities and their business associates to conduct a risk analysis as part of their security management process. Specifically, 45 CFR § 164.308(a)(1)(ii)(A) reads as follows:
Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.
While no specific timeframe is mandated, the intent of the requirement is that risk analysis be an ongoing process: the covered entity or business associate periodically evaluates the effectiveness of existing security measures, regularly reviews potential risks to e-PHI, and updates the analysis when the environment changes (for example, new systems, new vendors, or a security incident). It has become generally accepted practice to perform a full HIPAA security risk assessment at least annually.
Our process.
When conducting a HIPAA security risk assessment, Agio performs an initial “gap analysis” between our client’s current state and the requirements of the HIPAA Security Rule. This process evaluates all controls across the Rule’s administrative, physical, and technical safeguards, including policies, procedures, and technical safeguards.
Our comprehensive HIPAA security risk assessment also identifies existing vulnerabilities in the IT infrastructure, including physical access levels by personnel and third-party vendors. Potential threats to the confidentiality and integrity of e-PHI, as well as to the access and availability of systems, applications, devices, and databases will be enumerated and evaluated. While not explicitly required, we believe a comprehensive penetration test should be conducted to identify risks and effectively validate controls.