The HIPAA Security Rule requires that covered entities (health plans, healthcare clearinghouses, and healthcare providers who electronically transmit any health information in connection with a HIPAA-related transaction) and business associates implement security safeguards. These safeguards must protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). ePHI is any protected health information that is created, stored, transmitted, or received in any electronic format. Performing a security risk analysis is the first step in identifying and implementing these safeguards. A security risk analysis consists of conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. This article focuses on what must be done after an organization has completed the six steps of a security risk analysis.

What are the Steps of the Security Risk Analysis?

The security risk analysis includes six steps:

  • Collecting Data
  • Identifying and Documenting Potential Threats and Vulnerabilities
  • Assessing Current Security Measures
  • Determining the Likelihood of Threat Occurrence
  • Determining the Potential Impact of Threat Occurrence
  • Determining the Level of Risk to ePHI

The end result of the six-step process is written documentation of the risk level for every combination of threat and vulnerability identified.

Once the security risk analysis is complete, an entity must, under the Security Rule, perform risk management. Risk management includes the implementation of security measures to reduce risk to reasonable and appropriate levels in order to, among other things, ensure the confidentiality, availability, and integrity of ePHI.

There is one step between the point at which the six steps of the security risk analysis have been completed and the point at which risk management may begin.

This step – the last part of the security risk analysis – requires two things:

  • Identifying Security Measures
  • Finalizing Documentation

How Do I Decide What Security Measures to Implement?

Once a risk is identified and assigned a risk level, entities should begin identifying the actions required to manage that risk. To “manage” the risk means to reduce it to a reasonable and appropriate level.

When identifying security measures that can be used, it is important to consider factors such as:

  • The effectiveness of the security measure
  • Any legislative or regulatory requirements that require certain security measures to be implemented
  • Any requirements imposed by the organization’s policies and procedures

How Do I Finalize Documentation?

Any potential security measures identified that could be used to reduce risks to ePHI should be included in the documentation. The entire risk analysis (including the identification of security measures) should be documented.

The Security Rule requires the risk analysis to be documented, but does not require that the documentation be in a specific format. One common method of finalizing documentation is to create a finalized risk analysis report that documents the security risk analysis process, the output of each step, and the initial identification of security measures. The risk analysis documentation is a direct input to the risk management process.
