What is a HIPAA Compliance Assessment?

A HIPAA compliance assessment is a review of an organization’s policies, procedures, and work practices against the requirements of HIPAA and its implementing regulations. These policies, procedures, and practices together make up the organization’s HIPAA compliance program. A HIPAA compliance assessment should address two “R”s: Readiness and Risk.

What is a HIPAA Compliance Assessment? Readiness Review

One component of a HIPAA compliance assessment is a readiness review. In a readiness review, an organization (a covered entity or a business associate) reviews its documentation, conducts interviews with staff, and assesses existing work practices. The organization then writes down, and puts into a report, any observed HIPAA compliance deficiencies. The readiness review should constitute a list of specific deficiencies observed. The mental inquiry behind the readiness review should be, “Were an auditor to visit today, what would I need to be immediately concerned about?”


What is a HIPAA Compliance Assessment? Risk Assessment

Per guidance issued by the Department of Health and Human Services (HHS), a risk analysis is a comprehensive analysis of the risks to the electronic protected health information (ePHI) an organization holds, across every system and medium that handles it. This security risk analysis, also referred to as a security risk assessment, identifies the threats and vulnerabilities that could compromise the confidentiality, integrity, and availability of all ePHI that the organization creates, receives, maintains, stores, or transmits.

What is a HIPAA Compliance Assessment? The Six Risk Assessment Steps

A security risk analysis includes six elements:

  1. Collecting Data: To begin the security risk analysis, an organization must identify where its ePHI is created, stored, received, maintained, or transmitted. It can do this in several ways. These methods include reviewing past or existing projects, performing interviews, and reviewing documentation. The data gathered on the ePHI during the collection process must be documented.
  2. Identifying and Documenting Potential Threats and Vulnerabilities: Here, the organization identifies and documents threats to ePHI that it can reasonably anticipate. The organization also identifies and documents vulnerabilities which, if exploited or triggered by a threat (e.g., malware, a lost device, a phishing attack), would create a risk of improper access to or disclosure of ePHI.
  3. Assessing Current Security Measures: Here, organizations must make a series of assessments and document those assessments. Organizations must assess the security measures they use to safeguard ePHI, assess whether security measures required by the Security Rule are already in place, and assess whether current security measures are configured and used properly. An organization must document all of these assessments.
  4. Determining the Likelihood of Threat Occurrence: Here, organizations must assess the likelihood of a potential threat to ePHI materializing. The results of this assessment, along with the list of threats that is the product of step 2, above, will reveal what threats the organization should regard as “reasonably anticipated,” that is, threats which have a fair probability of occurring.
  5. Determining the Potential Impact of Threat Occurrence: After an organization determines the likelihood of threat occurrence, it must assess the impact of potential threats to the confidentiality, integrity, and availability of its ePHI. Threats that trigger or exploit a vulnerability should be analyzed, and rated by how significant the threat impact would be to business operations if the threat were realized. 
  6. Determining the Level of Risk: The level of risk is determined by evaluating ALL threat likelihood and threat impact combinations an organization has identified in the analysis up to this point. The level of risk is highest when a threat 1) is likely to occur; AND 2) will have a significant or severe impact on the organization if it does occur. For example, consider a mobile device with no encryption or access controls that holds a significant amount of ePHI. Mobile devices are frequently lost or stolen, so the likelihood of that threat is high; because the device is unprotected, loss means direct, unauthorized access to the ePHI, so the impact is also high. When threat likelihood and severity are both high, as here, the level of risk should be classified as “high.” In contrast, if the likelihood of a threat occurring is low, AND its occurrence would have little to no impact on the organization, the level of risk is low.
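To make the six steps concrete, here is an added example (not from HHS guidance or from the article) of a small risk register that carries an ePHI inventory from step 1 through to the risk levels of step 6. The 3-point likelihood and impact scales, the score cut-offs, and the sample inventory are assumptions chosen for illustration; a real program should document whatever scale it adopts and apply it consistently.

```python
# Added example: a minimal risk register for the six-step HIPAA risk analysis.
# Scales, thresholds and the sample inventory below are assumptions, not
# HHS-prescribed values.
from dataclasses import dataclass, field

# Steps 4 and 5: ordinal scales for likelihood and impact (assumed 3-point scale).
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}


@dataclass
class RiskItem:
    asset: str                  # step 1: where ePHI is created, stored or transmitted
    threat: str                 # step 2: reasonably anticipated threat
    vulnerability: str          # step 2: weakness the threat would exploit or trigger
    controls: list = field(default_factory=list)  # step 3: safeguards currently in place
    likelihood: str = "medium"  # step 4
    impact: str = "medium"      # step 5

    def __post_init__(self):
        # Refuse ratings outside the scale so the register stays auditable.
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"unknown likelihood rating: {self.likelihood!r}")
        if self.impact not in IMPACT:
            raise ValueError(f"unknown impact rating: {self.impact!r}")


def risk_score(item: RiskItem) -> int:
    """Step 6: combine likelihood and impact (product of the two ordinals, 1..9)."""
    return LIKELIHOOD[item.likelihood] * IMPACT[item.impact]


def risk_level(item: RiskItem) -> str:
    """Map the score to the three levels the article describes.

    A likely threat with severe impact is always 'high'; an unlikely threat
    with little impact is always 'low'. The cut-offs (<=2 low, >=6 high) are
    an assumption for this example.
    """
    score = risk_score(item)
    if score >= 6:
        return "high"
    if score <= 2:
        return "low"
    return "medium"


def rank_register(items: list[RiskItem]) -> list[RiskItem]:
    """Order the register so the items needing attention first come first."""
    return sorted(items, key=risk_score, reverse=True)


def summarize(items: list[RiskItem]) -> dict[str, int]:
    """Count of items per risk level: the headline figure for the written report."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for item in items:
        counts[risk_level(item)] += 1
    return counts


def report_lines(items: list[RiskItem]) -> list[str]:
    """Step 6 documentation: one line per item, highest risk first."""
    return [
        f"{risk_level(i).upper():6} score={risk_score(i)} {i.asset}: "
        f"{i.threat} via {i.vulnerability}; controls={', '.join(i.controls) or 'none'}"
        for i in rank_register(items)
    ]


# Constructed sample inventory (an assumption for the example, not real findings).
SAMPLE_REGISTER = [
    RiskItem("Clinician laptop", "Loss or theft of device",
             "No full-disk encryption; local ePHI export",
             [], likelihood="high", impact="high"),
    RiskItem("EHR database server", "Ransomware",
             "Unpatched OS; backups reachable from the domain",
             ["EDR agent", "nightly backups"], likelihood="medium", impact="high"),
    RiskItem("Patient portal", "Credential brute force",
             "No account lockout",
             ["TLS", "password complexity"], likelihood="medium", impact="medium"),
    RiskItem("Offsite backup tapes", "Tape lost in transit",
             "Manual chain of custody",
             ["AES-256 encryption", "courier manifest"], likelihood="low", impact="low"),
]

if __name__ == "__main__":
    for line in report_lines(SAMPLE_REGISTER):
        print(line)
    print(summarize(SAMPLE_REGISTER))
```

The unencrypted laptop reproduces the article's mobile-device case (high likelihood, high impact, so "high"), while the encrypted, manifest-tracked tapes land at "low" even though loss in transit is a real threat, because the existing controls (step 3) reduce the impact. Rejecting ratings outside the agreed scale is deliberate: an auditor reading the register needs to see that every item was scored the same way.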

Once the organization has assigned risk levels, it should record those levels, together with the findings from each of the steps above, as the written results of the HIPAA compliance assessment.