HIPAA Security Risk Assessment
As well as being a requirement of the Security Rule, an effective HIPAA security risk assessment can be the foundation upon which HIPAA covered entities and business associates build a resilient security framework. However, to be effective, a HIPAA security risk assessment needs to consider people and processes as well as technologies.
The HIPAA security risk assessment requirement – the risk analysis implementation specification at 45 CFR §164.308(a)(1)(ii)(A) – states covered entities and business associates must “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information [ePHI] held by the covered entity or business associate.”
Isolated, the language of this implementation specification could mislead those unfamiliar with HIPAA to interpret the requirement as meaning a one-time check to identify system risks and vulnerabilities that could expose ePHI to unauthorized persons. However, when taken in context of the Security Rule as a whole, the scope of the requirement is much wider.
Of relevance are the maintenance requirement (§164.306(e)), which obliges organizations to review security measures as the environment changes, the requirement to review and update documentation periodically (§164.316(b)(2)), and the General Requirements of the Security Rule (§164.306(a)) which require covered entities and business associates to:
(1) Ensure the confidentiality, integrity, and availability of all ePHI the covered entity or business associate creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part [the Privacy Rule].
(4) Ensure compliance with this subpart [the Security Rule] by its workforce.
The fourth of the General Requirements is significant because it can be interpreted to mean “ensure compliance by sanctions” – an interpretation that would be reinforced by the language of the sanction policy implementation specification in §164.308(a)(1)(ii)(C). However, a more effective way to ensure compliance by the workforce is to involve workforce members in the HIPAA security risk assessment to help determine which measures can support compliance with the other General Requirements.
The Scope of a HIPAA Security Risk Assessment
The scope of a HIPAA security risk assessment should go beyond the standards and implementation specifications of the Security Rule to take into account other state and industry regulations that govern the security of individually identifiable health information – for example, the Texas Medical Records Privacy Act and the NAIC’s Insurance Data Security Model Law.
Additionally, because of the varying sizes, complexities, and capabilities of covered entities and business associates, there is no one-size-fits-all HIPAA security risk assessment. However, HHS’ Office for Civil Rights has issued guidance on the objectives of a HIPAA security risk assessment that can help organizations decide what should be included in a risk assessment.
- Identify where ePHI is created, received, maintained, or transmitted.
- Identify and document potential threats and vulnerabilities.
- Assess existing security measures used to safeguard ePHI.
- Assess whether the current security measures are used properly.
- Determine the likelihood of a reasonably anticipated threat.
- Determine the potential impact of the threat.
- Assign risk levels for each likelihood and impact combination.
- Identify risk responses and prioritize risk management processes.
- Document the assessment and provide awareness training where necessary.
- Review and update the assessment to reflect emerging threats and advancing security technologies.
The order of these objectives is deliberate: each step feeds the next, so the guidance describes a process rather than a checklist. That structure also allows covered entities and business associates to integrate additional elements into a HIPAA security risk assessment to meet the requirements of state and/or industry regulations. For example, when identifying where ePHI is maintained, a covered group health plan that is also an insurance licensee could use the same inventory to identify the “Nonpublic Information” it must protect under MDL-668 Section 4.
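To show the objectives above as one connected process rather than ten separate bullets, here is a small Python risk register added as an example; it is not from the article or from OCR's guidance. It records where ePHI lives, pairs each location with a threat and vulnerability, notes whether existing safeguards are actually used as intended, rates likelihood and impact on a 1–3 scale, derives a risk level from a 3x3 matrix, and produces a prioritized list with a documented response for every entry. The 1–3 scale, the matrix thresholds, and every asset, threat and rating in `sample_register()` are constructed assumptions for illustration and should be replaced with your own.

```python
"""ePHI risk register following the OCR risk-analysis flow (added example, not the article's)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Qualitative 1..3 rating scale. The scale and the matrix thresholds below are
# this example's assumptions; substitute your organization's own scale.
SCALE = {1: "Low", 2: "Medium", 3: "High"}


def risk_level(likelihood: int, impact: int) -> str:
    """Assign a risk level to one likelihood/impact combination (3x3 matrix)."""
    for value in (likelihood, impact):
        if value not in SCALE:
            raise ValueError(f"rating must be 1, 2 or 3, got {value!r}")
    score = likelihood * impact  # one of 1, 2, 3, 4, 6, 9
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


@dataclass
class Risk:
    asset: str          # where ePHI is created, received, maintained or transmitted
    threat: str         # reasonably anticipated threat
    vulnerability: str  # weakness the threat could exploit
    controls: list[str] = field(default_factory=list)  # existing safeguards
    used_properly: bool = True  # are the existing safeguards applied as intended?
    likelihood: int = 1
    impact: int = 1
    response: str = ""  # documented risk response (mitigate, transfer, accept ...)

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def level(self) -> str:
        return risk_level(self.likelihood, self.impact)


def ephi_locations(register: list[Risk]) -> list[str]:
    """Objective 1: the unique places ePHI lives, as recorded in the register."""
    return sorted({r.asset for r in register})


def controls_not_used_properly(register: list[Risk]) -> list[Risk]:
    """Objective 4: safeguards that exist on paper but are not applied in practice."""
    return [r for r in register if r.controls and not r.used_properly]


def prioritize(register: list[Risk]) -> list[Risk]:
    """Objectives 7-8: highest risk first; impact breaks ties, asset name keeps order stable."""
    return sorted(register, key=lambda r: (-r.score, -r.impact, r.asset))


def missing_responses(register: list[Risk]) -> list[Risk]:
    """Objective 8: every entry needs a documented response, even if it is 'accept'."""
    return [r for r in register if not r.response.strip()]


def summarize(register: list[Risk]) -> dict[str, int]:
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for r in register:
        counts[r.level] += 1
    return counts


def sample_register() -> list[Risk]:
    """Constructed sample data for a small practice; none of it describes a real system."""
    return [
        Risk("EHR database (on-prem)", "credential theft via phishing",
             "remote access has no MFA", ["VPN", "password policy"], True, 3, 3,
             "Mitigate: enforce MFA on VPN and EHR logins"),
        Risk("Billing staff laptops", "lost or stolen device",
             "full-disk encryption not verified on all devices", ["FDE policy"],
             False, 2, 3, "Mitigate: enforce and attest FDE via MDM before next review"),
        Risk("Shared fax-to-email inbox", "unauthorized internal access",
             "single shared password, no audit log", [], True, 2, 2,
             "Mitigate: individual accounts and access logging"),
        Risk("Claims export to clearinghouse", "interception in transit",
             "none identified", ["SFTP with key auth"], True, 1, 3,
             "Accept: re-check at next annual assessment"),
        Risk("Offsite backup tapes", "physical loss in transit",
             "none identified", ["AES-256 tape encryption"], True, 1, 2,
             "Accept: encrypted at rest"),
    ]


def render(register: list[Risk]) -> str:
    """Objective 9: a plain-text view of the prioritized register for the assessment file."""
    lines = [f"{'Level':<7}{'Score':<6}Asset / threat"]
    for r in prioritize(register):
        lines.append(f"{r.level:<7}{r.score:<6}{r.asset} / {r.threat}")
    return "\n".join(lines)


if __name__ == "__main__":
    reg = sample_register()
    print(render(reg))
    print("Summary:", summarize(reg))
    print("Controls not used properly:", [r.asset for r in controls_not_used_properly(reg)])
    print("Missing responses:", [r.asset for r in missing_responses(reg)])
```

The point of `used_properly` and `missing_responses()` is that the register fails loudly when a safeguard exists only in policy or when a risk has been rated but nobody has decided what to do about it, which are the two gaps OCR's objectives 4 and 8 are meant to close. Re-running the script after remediation (objective 10) is then a matter of updating the ratings rather than starting over.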
What Makes a Risk Assessment Effective?
Several elements contribute to making a HIPAA security risk assessment effective. The first is to have total visibility of your organization’s hardware and software assets, including any “Shadow IT” assets. Thereafter, it is important to map data flows – including those to downstream business associates or upstream covered entities – in order to gain a holistic view of ePHI under the organization’s control.
The next stage is to test existing security measures via authorized penetration testing and offline password auditing (cracking hashes exported from your own systems to find weak or reused passwords). Workforce susceptibility to social engineering and phishing should also be tested, for example with simulated phishing campaigns, to determine the likelihood of a reasonably anticipated threat and identify whether further training or technologies are required to prevent reasonably anticipated data breaches.
Once the likelihood of reasonably anticipated threats – and their impacts – has been determined, it is important potential solutions are discussed with end users before being implemented. This is because if a software solution is too complicated for end users to understand, the likelihood is that end users will try to work around it “to get the job done”.
Similarly, if a risk response process is introduced that conflicts with a necessary operational process, the risk response may be ignored. Therefore, while there are “textbook” technology solutions for most types of reasonably anticipated threats, if you only rely on textbook solutions to address security gaps, it is likely your HIPAA security risk assessment will be ineffective.
Finally, when measures are implemented to remediate security gaps, it is important the HIPAA security risk assessment is reviewed again within a short period of time. It may be necessary to provide additional security training, fine-tune the procedures that have been introduced, or further update the risk assessment to comply with the General Requirements of the Security Rule listed above.
HIPAA Security Risk Assessment Template
As mentioned above, there is no one-size-fits-all assessment suitable for all types of organizations. Consequently, we have compiled a HIPAA security risk assessment template that provides the basic information required to comply with the HIPAA Security Rule, but which also allows for customization to accommodate other regulations an organization may be subject to.
The template is based on a variety of sources including OCR, NIST, and the HITRUST Common Security Framework (CSF). We have attempted to make the template as easy as possible to follow; but, if you require further help with planning or executing a HIPAA security risk assessment, it is recommended you seek advice from a compliance professional.