What is a HIPAA Security Risk Analysis?

The HIPAA Security Rule requires that covered entities (health plans, health care clearinghouses, and health care providers who electronically transmit any health information in connection with a HIPAA-related transaction), and business associates (read more about business associates here), implement security safeguards.

These security safeguards must protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). ePHI is any protected health information that is created, stored, transmitted, or received in any electronic format.

Performing a security risk analysis is the first step in identifying and implementing these safeguards.  A security risk analysis consists of conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. 

Complete My Risk Assessment

What is the Scope of a Security Risk Analysis?

According to guidance issued by the Department of Health and Human Services (HHS), the scope of security risk analysis includes potential risks and vulnerabilities to the confidentiality, availability, and integrity of all ePHI that an organization:

  • Creates;
  • Receives;
  • Maintains; and
  • Transmits

This includes ePHI in all forms of electronic media. Types of electronic media include hard drives, CDs and DVDs, smart cards, personal digital assistants, and portable electronic storage devices. 

Security Risk Analysis

The term “electronic media” is defined broadly, to include something as small as a single workstation, up to something as large complex networks connected among multiple locations. Security risk analysis must take into account all ePHI, regardless of the medium in which it was created, received, maintained, or transmitted, and regardless of its source or location.

Security risk analysis includes six elements:

  • Collecting Data
  • Identifying and Documenting Potential Threats and Vulnerabilities
  • Assessing Current Security Measures
  • Determining the Likelihood of Threat Occurrence
  • Determining the Potential Impact of Threat Occurrence
  • Determining the Level of Risk

Element 1: Collecting Data  

To begin the security risk analysis, an organization must identify where its ePHI is stored, received, maintained, or transmitted.  It can do this in several ways, by:

  • Reviewing past or existing projects
  • Performing interviews
  • Reviewing documentation. 
Security Risk Analysis