The HIPAA Security Rule requires that covered entities (health plans, healthcare clearinghouses, and healthcare providers who electronically transmit any health information in connection with a HIPAA-related transaction) and business associates implement security safeguards. These safeguards must protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). ePHI is any protected health information that is created, stored, transmitted, or received in any electronic format. Performing a security risk analysis is the first step in identifying and implementing these safeguards. A security risk analysis consists of conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. This article focuses on the third step of the security risk analysis, assessing current security measures.
What are the Elements of a Security Risk Analysis?
The security risk analysis includes six elements:
- Collecting Data
- Identifying and Documenting Potential Threats and Vulnerabilities
- Assessing Current Security Measures
- Determining the Likelihood of Threat Occurrence
- Determining the Potential Impact of Threat Occurrence
- Determining the Level of Risk
Once steps 1 and 2 of the security risk analysis have been completed, step 3, “Assessing Current Security Measures,” can be addressed.
How Do I Assess Current Security Measures?
The purpose of step 3 of the security risk analysis, assessing current security measures, is to determine whether the measures already in place are actually effective, not merely whether they exist.
If existing measures that minimize or eliminate risks to ePHI are effective, the vulnerabilities they address are unlikely to be triggered or exploited by a threat.
If those measures are ineffective in one or more ways, a threat is more likely to trigger or exploit those vulnerabilities, and the confidentiality, integrity, and availability of ePHI are at risk of being compromised.
Effective security measures can be both technical and nontechnical.
Technical measures are implemented in information system hardware and software. Examples of technical measures include:
- Access controls
- Identification and authentication measures
- Encryption methods
- Automatic logoff
- Audit controls
Non-technical measures include management and operational controls, such as:
- Accountability and responsibility
- Physical and environmental security measures
What constitutes an effective set of security measures for reducing risk will vary among organizations.
For example, small covered entities tend to have more control over their environment. These organizations have fewer variables (fewer workforce members and fewer information systems) to consider when deciding how to safeguard ePHI. Therefore, the security measures that appropriately reduce the likelihood that a threat compromises the confidentiality, integrity, or availability of ePHI in a small covered entity may differ from those that are appropriate in a large covered entity.
The output of step 3 should be thorough documentation of the security measures an organization uses to safeguard ePHI. The output should identify:
- Whether security measures required by the Security Rule are already in place
- Whether those security measures are configured and used properly
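As an added example (not code from the original article or from Compliancy Group), the following Python script turns the step-3 output above into a checkable worksheet. For each system in a constructed step-1 inventory it records, for four of the technical measures listed earlier (access control, encryption in transit, automatic logoff, audit controls), whether the measure is in place, whether it is configured properly, and whether it is actually used, and treats a measure as effective only when all three hold. The `SystemRecord` fields, the two sample systems, and every threshold (15-minute logoff, TLS 1.2 or later, audit log review within 30 days, zero dormant accounts) are this example's own assumptions; the Security Rule names the safeguards but does not prescribe these values.

```python
"""Step-3 worksheet helper: is each technical measure in place, configured
properly, and actually used?  Added example with assumed thresholds; the
Security Rule does not prescribe these specific values."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

MAX_LOGOFF_MINUTES = 15          # assumed: longer unattended sessions expose ePHI
ACCEPTED_TLS = {"1.2", "1.3"}    # assumed: TLS 1.0/1.1 are deprecated
MAX_DAYS_SINCE_REVIEW = 30       # assumed: logs nobody reads are not "used"


@dataclass
class SystemRecord:
    """One row of the step-1 data-collection inventory (constructed)."""
    name: str
    rbac_enabled: bool                 # access control exists at all
    unique_user_ids: bool              # no shared or generic logins
    dormant_accounts: int              # enabled accounts unused for > 90 days
    tls_version: Optional[str]         # None = no encryption in transit
    plaintext_fallback: bool           # HTTP/FTP listeners still open beside TLS
    auto_logoff_minutes: Optional[int] # None = no automatic logoff
    auto_logoff_enforced: bool         # pushed by policy, not user-adjustable
    audit_logging: bool
    audit_log_complete: bool           # records who, when, and which record
    last_audit_review: Optional[date]  # None = logs never reviewed


@dataclass
class Finding:
    system: str
    measure: str
    in_place: bool
    configured_properly: bool
    used_properly: bool

    @property
    def effective(self) -> bool:
        # A measure only reduces risk when all three checks hold.
        return self.in_place and self.configured_properly and self.used_properly


def assess(s: SystemRecord, as_of: date) -> List[Finding]:
    """Produce one Finding per technical measure for a single system."""
    reviewed_recently = (s.last_audit_review is not None
                         and (as_of - s.last_audit_review).days <= MAX_DAYS_SINCE_REVIEW)
    logoff_ok = (s.auto_logoff_minutes is not None
                 and s.auto_logoff_minutes <= MAX_LOGOFF_MINUTES)
    return [
        Finding(s.name, "access control",
                in_place=s.rbac_enabled,
                configured_properly=s.rbac_enabled and s.unique_user_ids,
                used_properly=s.rbac_enabled and s.dormant_accounts == 0),
        Finding(s.name, "encryption in transit",
                in_place=s.tls_version is not None,
                configured_properly=s.tls_version in ACCEPTED_TLS,
                used_properly=s.tls_version is not None and not s.plaintext_fallback),
        Finding(s.name, "automatic logoff",
                in_place=s.auto_logoff_minutes is not None,
                configured_properly=logoff_ok,
                used_properly=logoff_ok and s.auto_logoff_enforced),
        Finding(s.name, "audit controls",
                in_place=s.audit_logging,
                configured_properly=s.audit_logging and s.audit_log_complete,
                used_properly=s.audit_logging and reviewed_recently),
    ]


def ineffective(findings: List[Finding]) -> Dict[str, List[str]]:
    """Measures failing any check, grouped by system: the step-3 gap list."""
    gaps: Dict[str, List[str]] = {}
    for f in findings:
        if not f.effective:
            gaps.setdefault(f.system, []).append(f.measure)
    return gaps


# Constructed inventory: one well-run system and one with typical gaps.
AS_OF = date(2024, 6, 1)
EHR_SERVER = SystemRecord(
    "EHR app server", rbac_enabled=True, unique_user_ids=True, dormant_accounts=0,
    tls_version="1.2", plaintext_fallback=False, auto_logoff_minutes=10,
    auto_logoff_enforced=True, audit_logging=True, audit_log_complete=True,
    last_audit_review=date(2024, 5, 20),
)
BILLING_POOL = SystemRecord(
    "Billing workstation pool", rbac_enabled=True, unique_user_ids=False,
    dormant_accounts=3, tls_version="1.0", plaintext_fallback=True,
    auto_logoff_minutes=60, auto_logoff_enforced=False, audit_logging=True,
    audit_log_complete=False, last_audit_review=None,
)

if __name__ == "__main__":
    findings = assess(EHR_SERVER, AS_OF) + assess(BILLING_POOL, AS_OF)
    for f in findings:
        print(f"[{f.system}] {f.measure}: in place={f.in_place}, "
              f"configured={f.configured_properly}, used={f.used_properly} "
              f"-> {'effective' if f.effective else 'INEFFECTIVE'}")
    print("Gaps:", ineffective(findings))
```

The point of the three separate columns is the one the article makes: the billing pool has access control, encryption, automatic logoff, and audit logging "in place", yet every one of them fails the configured or used check, so none of them actually reduces the likelihood that a threat exploits a vulnerability. Those gaps feed directly into steps 4 through 6 of the risk analysis.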
Compliancy Group Simplifies HIPAA Compliance
Covered entities and business associates can address their security risk analysis by working with Compliancy Group to address federal HIPAA security standards. Completing a security risk analysis is required to become HIPAA compliant.
Our ongoing support and web-based compliance app, the Guard™, gives healthcare organizations the tools to address HIPAA Security Rule standards so they can get back to confidently running their business.
Find out how Compliancy Group has helped thousands of organizations like yours Achieve, Illustrate, and Maintain™ their HIPAA compliance!