HIPAA Risk Assessment: What is it and How Often Should You Have One?
The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act contain two references to the necessity for Covered Entities and Business Associates to undertake a HIPAA risk assessment.
However, companies sometimes need to go above and beyond these requirements when conducting risk assessments.
A HIPAA risk assessment is initially required under the Security Rule (45 CFR 164.308 – Security Management Process).
In accordance with this requirement, Covered Entities and Business Associates must perform an “accurate and comprehensive evaluation of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.”
The Breach Notification Rule (45 CFR 164.402) contains the second obligation. This standard only applies when unsecured PHI (in any format) has been improperly acquired, accessed, used, or disclosed, and a HIPAA risk assessment is required to determine whether the occurrence must be reported to HHS and the impacted person(s).
However, risks to the confidentiality, integrity, and availability of PHI exist when it is not in electronic format, such as when unauthorised verbal disclosures are made or when a printed medical report is left unattended in a public area.
These risks go beyond the HIPAA risk assessment requirements of the Security and Breach Notification Rules.
As a result, it could be essential to carry out a HIPAA privacy risk assessment that considers threats to non-electronic PHI’s confidentiality, integrity, and availability as well as people’s access rights to their PHI, Business Associate Agreements, and other HIPAA organisational requirements.
HIPAA Security Risk Assessment
The General Rules (45 CFR 164.306), which come before the Administrative, Physical, and Technical Safeguards of the Security Rule, describe the goals of a HIPAA security risk assessment, which are to:
Ensure that all electronic PHI that the covered entity or business associate develops, receives, maintains, or transmits is confidential, secure, and readily accessible.
Protect such information’s security and integrity against any threats or risks that could reasonably be anticipated.
Protect against any foreseeable uses or disclosures of such information that are not authorised or required by subpart E of this part (the Privacy Rule).
Ensure that all employees comply with this subpart (the Security Rule), which is accomplished through education and the use of a penalties policy.
The General Rules permit a “flexibility of approach” in how the standards are put into practice in relation to the Administrative, Physical, and Technical Safeguards of the Security Rule.
However, it is crucial that all standards be put into practice; an implementation specification may be replaced by an equivalent alternative measure only where that specification is not “reasonable and acceptable”.