The HIPAA Security Rule requires covered entities and business associates to perform a security risk assessment (also known as a Security Risk Analysis).
Performing a security risk analysis is the first step in identifying and implementing these safeguards. Performing this assessment is also required to have a HIPAA compliant laptop. A security risk analysis consists of conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
What are the Elements of a Security Risk Analysis?
The security risk analysis includes six elements:
- Collecting Data
- Identifying and Documenting Potential Threats and Vulnerabilities
- Assessing Current Security Measures
- Determining the Likelihood of Threat Occurrence
- Determining the Potential Impact of Threat Occurrence
- Determining the Level of Risk to ePHI
What is the Relationship Between the Security Risk Assessment and HIPAA Compliant Laptops?
A risk assessment encompasses a company’s entire IT infrastructure; company policies; administrative processes; physical security controls, and all systems, devices, and equipment that are capable of storing, transmitting or touching ePHI.
These devices include laptops. To have secure HIPAA compliant laptops, organizations must conduct a risk assessment, which will provide companies with vital information as to how laptop security measures can be improved or implemented.
What Safeguards Must be Implemented to have HIPAA Compliant Laptops?
In order for covered entities to have HIPAA compliant laptops, covered entities must:
- Consider the use of encryption for transmitting ePHI, particularly over the Internet
- If a risk assessment has determined that lack of encryption presents a risk, encryption should be implemented
- A covered entity violates HIPAA if it allows transmission of ePHI over an open network, such as via SMS messages
- Encrypt data in motion, if it has been determined that ePHI transmission, if not encrypted, would be at significant risk of being accessed by unauthorized entities
- Implement access controls to ensure users are authenticated
- Organizations should implement multi-layered security controls to reduce the risk of unauthorized data access
- Put protections in place to ensure data cannot be altered or destroyed
- Put controls in place to allow devices to be audited
- Organizations must have the capability to examine access (and attempted access) to ePHI, and any other activity performed on the device that has the potential to affect data security