The HIPAA Security Rule requires that covered entities (health plans, healthcare clearinghouses, and healthcare providers who electronically transmit any health information in connection with a HIPAA related transaction), and business associates, implement security safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). ePHI is any protected health information that is created, stored, transmitted, or received in any electronic format.
Performing a security risk analysis is the first step in identifying and implementing these safeguards. A security risk analysis consists of conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Once the analysis has been completed, organizations should periodically conduct a risk analysis review.
What is the Scope of a Security Risk Analysis?
According to guidance issued by the Department of Health and Human Services (HHS), the scope of security risk analysis includes potential risks and vulnerabilities to the confidentiality, availability, and integrity of all ePHI that an organization:
- Maintains; and
Security risk analysis includes six elements:
What is a Security Rule Risk Analysis Review?
Once all of the above six elements have been addressed, all documentation should be finalized. In addition, the security risk assessment should be periodically reviewed, and updated, as needed.
Continuous risk analysis review allows an organization to identify when updates to risk assessment policies and procedures are needed.
The Security Rule does not specify how frequently to perform risk analysis review. According to risk analysis guidance provided by the Department of Health and Human Services (HHS), some covered entities may perform risk analysis review annually or as needed (e.g., twice a year, every 3 years), depending on the circumstances of their environment.
What Factors Influence Whether Risk Analysis Review Should be Performed?
Factors to consider include:
- Changes in technology and business operations. When an entity implements new technologies and plans new business operations, the entity should consider performing a security risk analysis assessment. Adopting new technologies and new business operations may pose potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI; a risk analysis review can identify these risks and vulnerabilities.
- An organization has experienced a recent security incident. If a covered entity has recently experienced a security incident, such as a data breach, risk analysis review should be conducted to determine whether and what additional security measures are needed.
- An organization has experienced change in ownership, or turnover in key staff or management. An organization that undergoes a change in ownership or that experiences key staff turnover, should evaluate, in light of the expertise of the departed and incoming individuals, whether existing security measures are sufficient to protect against risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. In addition, part of risk analysis consists of assessment of current security measures. Important security measures include policies and procedures, contained in an employee handbook or similar document, that address data security and define staff obligations to protect ePHI. Before incoming workforce members begin their jobs, policies and procedures contained in the handbook should be evaluated for sufficiency and accuracy, so that when these policies and procedures are distributed, new employees have the most up-to-date information required for them to protect ePHI.
- Regulatory and legislative changes. New legislation and regulations may impose additional or modified obligations under the Security Rule. If your risk assessment references a law or regulation, you should review that assessment to make sure it still complies with any changes made to the regulation. When new legislation is passed, or when new regulations become effective, the risk assessment should be reviewed and updated to incorporate the requirements of the new legislation or regulations.
Performing risk analysis review, and then making necessary updates to the risk analysis assessment, allows for your organization to reduce review identified risks to reasonable and appropriate levels.