If your organization deals with protected health information, or PHI, the Department of Health and Human Services requires you to perform a risk analysis as the first step toward implementing the safeguards specified in the HIPAA Security Rule and, ultimately, achieving HIPAA compliance.
This includes all HIPAA hosting providers.
But what is a risk analysis? And what really should be included in your report?
The Health and Human Services Standards Guide outlines the nine components of a compulsory risk analysis.
Conducting a comprehensive HIPAA risk assessment is very difficult to do on your own. You may want to contract with HIPAA auditors to help you.
Most people do not know what to look for, or they end up passing things they should not because they do not understand data security.
If risk analysis is important to your security, then you do not want to ignore the key elements in the analysis.
There are nine components that health organizations and health-related organizations that store or transmit electronic protected health information (ePHI) must include in their documentation:
1. Scope of Analysis
To identify your scope – in other words, the area of your organization you need to secure – you need to understand how the patient’s data flows in your organization.
It covers all the electronic media your organization uses to create, receive, maintain or transmit ePHI: portable media, desktops and networks.
There are four main parts to consider when determining your scope.
Where PHI originates or enters your environment.
What happens to it after that in your systems.
Where PHI leaves your entity.
Where potential leakage exists.
2. Data Collection
Here is a list of places to get you started in documenting where PHI enters your environment.
Email: How many computers do you use, and who can log in to each?
Text: How many mobile devices are there, and who owns them?
EHR entry: How many staff members enter data into the EHR?
Fax: How many fax machines do you have?
USPS: How is incoming mail handled?
New patient paperwork: How many forms does the patient have to fill out? Do they do this at the front desk? In the exam room? Somewhere else?
Business associate communication: How do business associates communicate with you?
Database: Do you receive a marketing database of potential patients to contact?
It is not enough to know where PHI starts. You also need to know where it goes once it enters your environment.
To fully understand what is happening with PHI in your environment, you should record all hardware, software, devices, systems and data storage locations that touch PHI in any way.
Then what happens when PHI leaves your hands? It is your job to make sure it is transmitted or destroyed in the safest way possible.
Once you know all the places where PHI is created, transmitted, and stored, you will be better able to protect those vulnerable places.
3. Identification and Documentation of Potential Vulnerabilities and Threats
Once you know what happens during the PHI lifecycle, it is time to find the gaps. These gaps create an environment in which unsecured PHI can leak inside or outside your environment.
The best way to find all possible leaks is to create a PHI flow diagram, documenting all the information you found above and putting it in graphical form.
Viewing the diagram makes it easier to understand the PHI path and to identify and document anticipated vulnerabilities and threats.
A vulnerability is a flaw in components, procedures, design, implementation, or internal controls. A vulnerability can be fixed.
Some examples of vulnerabilities:
The website is incorrectly coded
No office security policy
The computer screen is in view of the public patient waiting area
A threat is the potential for a person or object to trigger a vulnerability. Most threats are outside your control to change, but they must be identified in order to assess the risks.
Some examples of threats:
Geological threats, such as landslides, earthquakes, and floods
Hackers downloading malware onto a system
The actions of members of the work force or business associates
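The inventory from section 2 and the gap-finding step from section 3 can be given a concrete shape. What follows is an added example, not code from the original article or from HHS: it records the PHI flow inventory as nodes (entry points, systems, storage, exit points) and hops between them, renders the flow diagram as text, and turns each gap it finds into a vulnerability/threat pair for the risk register. The node attributes, the check rules and the sample inventory are constructed assumptions chosen to illustrate the kinds of gaps the article describes.

```python
"""PHI flow inventory with gap detection (added illustration, not the article's own code)."""
from dataclasses import dataclass
from typing import List


@dataclass
class Node:
    """A place where ePHI is created, received, kept or sent (attributes are assumed for this example)."""
    name: str
    kind: str                         # "entry", "system", "storage" or "exit"
    encrypted_at_rest: bool = False
    access_controlled: bool = False
    handoff_documented: bool = False  # exit nodes only: transmission/destruction method recorded


@dataclass
class Edge:
    """A documented movement of ePHI from one node to another."""
    src: str
    dst: str
    encrypted_in_transit: bool = False


@dataclass(frozen=True)
class Finding:
    """One risk-register entry: the fixable vulnerability and the threat that could trigger it."""
    location: str
    vulnerability: str
    threat: str


def render_flow(nodes: List[Node], edges: List[Edge]) -> List[str]:
    """Text form of the PHI flow diagram, one line per documented hop."""
    kind = {n.name: n.kind for n in nodes}
    return [
        f"{kind.get(e.src, '?')}:{e.src} -> {kind.get(e.dst, '?')}:{e.dst}"
        f" [{'encrypted' if e.encrypted_in_transit else 'CLEARTEXT'}]"
        for e in edges
    ]


def find_gaps(nodes: List[Node], edges: List[Edge]) -> List[Finding]:
    """Walk the inventory and pair each gap with the threat it exposes."""
    known = {n.name for n in nodes}
    findings: List[Finding] = []
    for n in nodes:
        if n.kind in ("system", "storage"):
            if not n.encrypted_at_rest:
                findings.append(Finding(n.name, "ePHI stored without encryption at rest",
                                        "loss or theft of the device or media"))
            if not n.access_controlled:
                findings.append(Finding(n.name, "no access control on a location holding ePHI",
                                        "unauthorized access by workforce members"))
        if n.kind == "exit" and not n.handoff_documented:
            findings.append(Finding(n.name, "no documented transmission or destruction method",
                                    "ePHI leaves the entity uncontrolled"))
    for e in edges:
        # A hop that names a component missing from the inventory is itself a gap:
        # an unassessed component cannot be protected.
        for end in (e.src, e.dst):
            if end not in known:
                findings.append(Finding(end, "component carries ePHI but is missing from the inventory",
                                        "unassessed component cannot be protected"))
        if not e.encrypted_in_transit:
            findings.append(Finding(f"{e.src}->{e.dst}", "ePHI transmitted without encryption",
                                    "interception on the network"))
    # Storage with no outbound hop has no documented way for ePHI to ever leave it.
    has_out = {e.src for e in edges}
    for n in nodes:
        if n.kind == "storage" and n.name not in has_out:
            findings.append(Finding(n.name, "no documented path for ePHI to leave this store",
                                    "indefinite retention with undocumented disposal"))
    return findings


# Constructed sample inventory for a small practice (not real data).
INVENTORY_NODES = [
    Node("patient-portal", "entry"),
    Node("fax-server", "entry"),
    Node("ehr", "system", encrypted_at_rest=True, access_controlled=True),
    Node("backup-tapes", "storage", encrypted_at_rest=False, access_controlled=True),
    Node("lab-partner", "exit", handoff_documented=True),
    Node("offsite-shredding", "exit", handoff_documented=False),
]
INVENTORY_EDGES = [
    Edge("patient-portal", "ehr", encrypted_in_transit=True),
    Edge("fax-server", "ehr", encrypted_in_transit=False),
    Edge("ehr", "backup-tapes", encrypted_in_transit=True),
    Edge("ehr", "lab-partner", encrypted_in_transit=True),
    Edge("backup-tapes", "offsite-shredding", encrypted_in_transit=True),
    Edge("billing-laptop", "ehr", encrypted_in_transit=True),  # referenced but never inventoried
]

if __name__ == "__main__":
    print("\n".join(render_flow(INVENTORY_NODES, INVENTORY_EDGES)))
    for f in find_gaps(INVENTORY_NODES, INVENTORY_EDGES):
        print(f"{f.location}: {f.vulnerability} (threat: {f.threat})")
```

On the sample inventory the four findings are the unencrypted backup tapes, the cleartext fax-to-EHR hop, the shredding vendor with no documented handoff, and the billing laptop that appears in a hop but was never inventoried; the last one is the kind of gap a diagram surfaces that a plain asset list does not.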
Again, even if you are above average in terms of compliance, you may have little understanding of vulnerabilities and threats. It is important to seek professional help for your HIPAA risk assessment.
4. Assessing Current Security Measures
Ask yourself what kind of security measures you take to protect your data.
From a technical perspective, this is the case