The Ultimate Guide To Performing A HIPAA Risk Assessment


The Health Insurance Portability and Accountability Act (HIPAA), requires healthcare entities to implement procedures and policies to ensure and safeguard the security and privacy of the Protected Health Information (PHI) of patients.

Breach of data is nothing new. They’ve become considerably more common since the introduction of electronic medical records. A risk analysis is not only helpful in identifying dangers, but it is also required. In order to help preserve PHI, the HIPAA Security Rule requires Covered Entities and their Business Associates to complete an annual HIPAA risk assessment and adopt security measures with one such being a HIPAA Compliant Cloud Storage. In light of this, a security assessment is a critical tool for identifying risks and vulnerabilities to Protected Healthcare Information (PHI).

The effectiveness of HIPAA Compliant Cloud Storage is undeniable. HIPAA compliant storage must respond to specific requirements regarding patient records security. We can single out five reliable HIPAA vendors: AWS Cloud, Dropbox, Google Cloud, Microsoft OneDrive, Carbonite.

And one of the core HIPAA requirements is to perform regular risk assessments. This article provides in-depth detail on specific steps to perform a successful risk assessment that ensures solid compliance with HIPAA rules. Here are the steps to follow:

  1. Identify Scope of Analysis

Like any other assessment project, the first thing you need to do for a HIPAA audit and risk assessment is to define the scope.

A HIPAA risk analysis includes all PHI and electronic PHI (ePHI), regardless of its location or source and the electronic media used to create, maintain, transmit or receive it.

The assessment should also cover all reasonable vulnerabilities and risks to the integrity, availability, and confidentiality of that information.

  1. Gather Relevant Data

This step requires you to gather and review all documentation for projects in the past and present. In this case, you need to define the following:

  • What PHI your organization has access to
  • How is it collected and managed?
  • Where is it stored?
  • Who has access to it?
  • How is it accessed?
  • How is it transmitted?

If you’re HIPAA compliant, you should have already finished this step. For subsequent risk assessments, you can use the data gathered in this step as your starting point.

  1. Assess Current Security Measures

Next, you need to assess your existing security measures. You can start by documenting all security measures you currently have in place to protect PHIs. It should include both non-technical and technical controls.

  • Technical controls include software and hardware functions such as authentication, access control, encryption, auditing, automatic log-off.
  • Non-technical controls include management and operational functions such as procedures, policies, and environment or physical security measures.

Analyze the use and configuration of each security measure in order to determine its effectiveness and appropriateness in meeting the requirements under the HIPAA rules.

  1. Define And Identify Vulnerabilities And Threats

With all the information you’ve gathered from the previous steps, you should be able to identify if there are any threats or vulnerabilities in your security system.

In addition, you should also have knowledge of potential threats to the integrity and security of the PHI maintained by your organization. Some of the common vulnerabilities and threats include:

  • Deliberate Technical: Ransomware, computer theft, insider threat, phishing, trojan, and keyloggers.
  • Unintentional Technical: Stolen computer, unintended email transfer of sensitive data, and lost USB storage device containing sensitive data
  • Technical Failure: Weak passwords, lack of encryption, unpatched systems, lack of file permission, lack of malware protection, and improper disposal of media.
  • Physical Security: building alarms, access badges, security cameras, security guards, and building access controls
  • Disaster Events: hurricanes, floods, earthquakes, tornados, and typhoons
  1. Determine Risk Probability And Risk Levels

After defining and identifying possible healthcare privacy threats against your security measures, you want to determine the probability of the threat occurring.

To arrive at a risk score, you can attach numeric values ranging from 5 for “very likely to occur” to 0 for “not likely to occur”. Similarly, you can determine the impact of each vulnerability and threat to your organization and attach numerical values ranging from 5 for “ very high impact” to 0 for “no impact”.

And then, for each vulnerability or threat, you can assess their corresponding likelihood and impact scores to get the risk score.

Based on your risk score, you can assign the appropriate risk levels to the vulnerabilities and threats. This allows you to create a risk-level matrix and an effective risk classification system.

  1. Develop Control Recommendations

Once the risk levels are assigned to specific vulnerabilities and threats, you can now identify suitable security measures and create a list of corrective actions. These actions can help in mitigating the risks or reducing them to a reasonable level to remain compliant with HIPAA rules.

For each security measure, you need to consider the following:

  • Internal policy requirements
  • The effectiveness of the action
  • Regulatory requirements for its implementation
  1. Proper Documentation

The last step in your HIPAA risk assessment is ensuring proper documentation. You need to document and record all your findings, clearly outlining what PHI you work with, the vulnerabilities and threats you found despite your existing security measures, and the solutions you’ll use to mitigate the identified threats and vulnerabilities to the integrity and security of PHI.

Take note that documentation is a mandatory requirement and critical for HIPAA compliance audits. On top of that, your assessment documentation can also serve as an insight into your progress and preparedness with respect to your organization’s data security and proper management of patients’ data.

Take Away

A risk assessment is a critical step towards safeguarding your patient’s PHI and remaining compliant with the HIPAA rules. Failure to do so can open your organization to staggeringly huge penalties.

So, make sure to follow the above steps in order to demonstrate your organization’s commitment to protecting and managing your patient’s data and overall business reputation.