HIPAA Security Risk Analysis Element 1: Collecting Data
The HIPAA Security Rule requires that covered entities (health plans, health care clearinghouses, and health care providers who electronically transmit any health information in connection with a HIPAA-related transaction), and business associates (read more about business associates here), implement security safeguards. These security safeguards must protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). ePHI is any protected health information that is created, stored, transmitted, or received in any electronic format. Performing a security risk analysis is the first step in identifying and implementing these safeguards. A security risk analysis consists of conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. The scope of a security risk analysis should be identified preparatory to performing the analysis itself. Once the scope has been identified, you can proceed with the first step of a security risk analysis, which consists of collecting data.
How Do I Identify the Scope of a Security Risk Analysis?
The risk analysis scope that the Security Rule requires is the potential risks and vulnerabilities to the confidentiality, availability and integrity of all ePHI that a covered entity:
- Maintains, or
This includes ePHI in all forms of electronic media. Electronic media includes hard drives, and removable/transportable digital memory media (i.e., magnetic tape or disk, optical disk, or digital memory card).
Electronic media also includes transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the Internet (wide-open), extranet (using Internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. For a transmission to be considered a transmission through electronic media, the information must exist in electronic form before it is transmitted.
The security risk analysis includes six elements:
- Collecting Data
- Identifying and Documenting Potential Threats and Vulnerabilities
- Assessing Current Security Measures
- Determining the Likelihood of Threat Occurrence
- Determining the Potential Impact of Threat Occurrence
- Determining the Level of Risk
Once you have identified the scope of the analysis, you can proceed with the first step, which is collecting data.
Security Risk Analysis Element 1: Collecting Data
This step consists of the gathering of relevant data on and about ePHI. Gathering of relevant ePHI data is accomplished by conducting, in effect, an ePHI inventory. As part of the inventorying, covered entities must identify where the ePHI is stored, received, maintained or transmitted.
ePHI can be stored in a variety of places, received through several kinds of electronic transmission, maintained in several formats, and transmitted through more than one transmission method. To perform a complete inventory, therefore, relevant data should be gathered through a variety of sources and means. These include:
- Reviewing past and/or existing projects. Such review allows you to determine where ePHI is stored, how you come into possession of it, and how it is transmitted. Reviewing project notes and project documentation will shed light on how ePHI enters, stays in, is upkept, and is transmitted through your organization.
- Performing interviews. Interviewing staff members as to what ePHI they access, receive, maintain, store, or transmit, yields a more thorough inventory than does reviewing past or existing projects alone. While the Security Rule does not dictate how interviews are to be conducted, there are several effective known methods. One of these is to first send out information questionnaires to staff. The questionnaires should be written as clearly as possible so employees will know what information is being sought of them. Staff should be given adequate time to respond. Once responses are received and reviewed, follow-up interviews can be conducted in person, to fill in any gaps or incomplete responses.
- Contacting your hosting provider. If you are hosting health information at a HIPAA compliant data center, you’ll need to contact your hosting provider to document where and how your data is stored.
- Reminder: If your practice stores ePHI, any data patient information or that hosts your data must also be HIPAA-compliant.
Additional Factors to Consider When Performing Security Risk Analysis Step 1
Thoroughly inventorying ePHI is invaluable for the rest of the risk analysis process. The time and resources that must be expended on the inventory will necessarily depend upon the environment of the covered entity, and how much ePHI the entity may hold.
For example, a small provider that keeps medical records on paper may be able to identify all ePHI within the organization simply by analyzing a single department that uses an information system to perform billing functions. In contrast, identification of all ePHI of an entity – say, a hospital network – that has large amounts of ePHI, may require inventorying of multiple physical locations, most (if not all) departments, multiple information systems, portable electronic media, and exchanges between business associates and vendors.
Compliancy Group Simplifies HIPAA Compliance
Covered entities and business associates can address their security risk analysis by working with Compliancy Group to address federal HIPAA security standards. Completing a security risk analysis is required to become HIPAA-compliant.
Our ongoing support and web-based compliance app, The Guard™, gives healthcare organizations the tools to address HIPAA Security Rule standards so they can get back to confidently running their business.
Find out how Compliancy Group has helped thousands of organizations like yours Achieve, Illustrate, and Maintain their HIPAA compliance!