How to Conduct a HIPAA Risk Assessment and the Surprising Danger of Not Doing One

HIPAA risk assessments help in identifying and implementing the most effective and appropriate administrative, physical, and technical safeguards to secure electronically protected health information.

A risk analysis is a requirement in federal law. Conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications of HIPAA. Your healthcare organization should determine the most appropriate way to achieve HIPAA compliance, taking into account the characteristics of the organization and its environment.

Protected health information is subject to HIPAA confidentiality for entities to evaluate risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of the information. Risk analysis and assessment is the first step in that process.

Risk analysis requirements under HIPAA require healthcare organizations to implement policies and procedures to prevent, detect, contain, and correct security violations.

Your agency must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronically protected health information.

In addition to an express requirement to conduct a risk analysis, the HIPAA law indicates risk analysis is a necessary tool for reaching substantial compliance with many other standards and implementation specifications.

The outcome of the risk assessment process is a critical factor in assessing whether an implementation specification or an equivalent measure is reasonable and appropriate.

Elements of a risk analysis include numerous methods of performing risk assessment with no single best practice that guarantees HIPAA compliance. The scope of risk analysis that the HIPAA law encompasses includes the potential risks and vulnerabilities to the confidentiality, availability, and integrity of all confidential information an organization creates, receives, maintains, or transmits.

Healthcare organizations must identify and document reasonably anticipated threats unique to the circumstances of their environment. Organizations must also identify and document vulnerabilities that, if triggered or exploited by a threat, would create a risk of inappropriate access to or disclosure of this protected health information.

Healthcare organizations should assign risk levels for all threat and vulnerability combinations identified during the risk analysis. The level of risk could be determined, for example, by analyzing the values assigned to the likelihood of threat occurrence and the resulting impact of threat occurrence. The risk level determination might be performed by assigning a risk level based on the average of the assigned likelihood and impact levels.

Finalize documentation as a direct input to the risk management process and conduct periodic reviews and updates to the risk assessment, which should be ongoing. A truly integrated risk analysis and management process is performed as new technologies and business operations are planned, reducing the effort required to address risks identified after implementation. Performing the risk analysis and adjusting risk management processes to address risks in a timely manner will allow the covered entity to reduce the associated risks to reasonable and appropriate levels.

In conclusion, risk assessment is the first step in an organization’s HIPAA compliance efforts. It is an ongoing process that should provide the healthcare organization with a detailed understanding of the risks to the confidentiality, integrity, and availability of this protected health information.

• Risk assessment under the HIPAA laws
• Vulnerability, threat, and risk analysis
• Scope of risk assessment
• Identifying potential threats and vulnerabilities
• Assessing security measures in place
• Determining threat occurrence, likelihood, and impact
• Finalize documentation of the risk assessment
• Regular review and updates to risk assessment for new employees, new laws, and new technology
• The surprising danger of not doing a HIPAA risk assessment

The background for this topic is an introduction to HIPAA compliance which requires a HIPAA risk assessment. HIPAA compliance officers must conduct risk assessments.

HIPAA risk assessments are required by the HIPAA laws themselves. But what do you do when you find breaches and security lapses as a result?

Erase the fear, uncertainty, and doubt about tackling the requirements of HIPAA risk assessments and learn how to do them.

Discover what you need to know about how to conduct a HIPAA risk assessment – and deal with its results effectively.

Healthcare law attorneys; licensed healthcare practitioners in private practice in mental health and in physical medicine; medical directors of health facilities; office managers and medical directors of private medical offices; healthcare managers and executives; corporate counsel in health care; healthcare administrators; university faculty in health care and medical records; allied health professionals in graduate-level medical education across the many health care professions; corporate compliance officers; human resource directors and departments.