HIPAA RISK ASSESSMENTS
In the 1970s, Protected Health Information (PHI) was only accessible in a few places, and it really wasn’t worth stealing. By the 1990s, that had changed with the advancement of technology and networks. Local and wide area networks, distributed servers, and smart workstations made data access more efficient, but they also significantly increased the number of locations where PHI resided. The first cases of PHI being sold increased its potential value and, thereby, the motivation to steal it.
The severity of fines for non-compliance with HIPAA has historically depended on the number of patients affected by a breach of protected health information (PHI), along with the level of negligence involved. Few fines are now issued in the lowest “Did Not Know” HIPAA violation category, because there is little excuse for not knowing that organizations have an obligation to protect PHI.
No. Any and every organization that creates, receives, maintains, or transmits PHI is required to conduct an accurate and thorough HIPAA Risk Assessment in order to comply with §164.308 of the HIPAA Security Rule. Even if your organization does not create, receive, maintain, or transmit PHI electronically (ePHI), a HIPAA Risk Assessment must still occur to comply with the requirements of the HIPAA Privacy Rule.
The U.S. Department of Health & Human Services (HHS) states the objective of a HIPAA risk assessment: to identify potential risks and vulnerabilities to the confidentiality, availability, and integrity of all PHI that an organization creates, receives, maintains, or transmits.
To achieve this objective, HHS suggests that healthcare organizations should:
- Identify where PHI is stored, received, maintained or transmitted.
- Identify and document potential threats and vulnerabilities.
- Assess current security measures used to safeguard PHI.
- Assess whether the current security measures are used properly.
- Determine the likelihood of a “reasonably anticipated” threat.
- Determine the potential impact of a breach of PHI.
- Assign risk levels for vulnerability and impact combinations.
- Document the assessment and take action where necessary.
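As an added example, not HHS guidance or code from this page, the steps above expressed as a small risk register in Python: each finding records where PHI lives, the threat and vulnerability, the current safeguard and whether it is used properly, then likelihood and impact are combined into a risk level and action items are flagged and documented. The 3x3 likelihood-by-impact matrix, the action rule and the sample findings are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3

@dataclass
class Finding:
    """One register row: a threat/vulnerability pair at one PHI location."""
    phi_location: str              # where PHI is stored, received, maintained or transmitted
    threat: str                    # reasonably anticipated threat
    vulnerability: str             # weakness that threat could exploit
    safeguard: str                 # current security measure
    safeguard_used_properly: bool  # is the measure applied as intended?
    likelihood: Level
    impact: Level

def risk_level(likelihood: Level, impact: Level) -> Level:
    """Assumed 3x3 matrix: likelihood x impact score mapped to LOW/MEDIUM/HIGH."""
    score = int(likelihood) * int(impact)
    return Level.HIGH if score >= 6 else Level.MEDIUM if score >= 3 else Level.LOW

def assess(findings: list[Finding], threshold: Level = Level.MEDIUM) -> list[dict]:
    """Assign risk levels and flag action items, highest risk first. Assumed rule:
    action is needed when risk meets the threshold or a safeguard is not used properly."""
    rows = []
    for f in findings:
        level = risk_level(f.likelihood, f.impact)
        rows.append({"location": f.phi_location, "threat": f.threat,
                     "vulnerability": f.vulnerability, "risk": level.name,
                     "action_required": level >= threshold or not f.safeguard_used_properly})
    return sorted(rows, key=lambda r: Level[r["risk"]], reverse=True)

# Constructed sample register; values are illustrative, not from any real assessment.
SAMPLE_FINDINGS = [
    Finding("EHR database server", "Credential theft", "Shared admin account",
            "Unique user IDs", False, Level.MEDIUM, Level.HIGH),
    Finding("Referral e-mail to partners", "Interception in transit", "Plaintext attachments",
            "Secure messaging gateway", True, Level.LOW, Level.HIGH),
    Finding("Clinic laptops", "Device loss", "Device leaves premises",
            "Full-disk encryption", True, Level.MEDIUM, Level.LOW),
    Finding("Paper chart room", "Unauthorized entry", "Door propped open",
            "Badge-controlled door", True, Level.LOW, Level.LOW),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_FINDINGS):
        flag = "ACTION" if row["action_required"] else "ok"
        print(f"{row['risk']:6} {flag:6} {row['location']}: {row['threat']} via {row['vulnerability']}")
```

The sorted output doubles as the documented assessment and the work list for the risk management plan; the paper chart row shows that non-electronic PHI belongs in the same register.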
A HIPAA Risk Assessment is not a one-time exercise. Assessments should be reviewed periodically, as well as whenever new work practices are implemented or new technology is introduced.
A HIPAA Risk Assessment should reveal any areas of an organization’s security that need attention. Organizations then need to compile a risk management plan that addresses the weaknesses and vulnerabilities uncovered by the assessment, implementing new policies and procedures where necessary to close the vulnerabilities most likely to result in a breach of PHI.