HIPAA Risk Assessments: What Kind of Privacy and Security Threat Analysis is Required for Compliance? 

Eric Seward June 17, 2020

Under HIPAA, covered entities are required to complete a risk assessment (also referred to as a risk analysis) to identify potential threats to their protected health information (PHI). “Conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule,” notes the Department of Health and Human Services.

Risk assessments should include a detailed evaluation of the potential threats to the confidentiality, integrity, and availability of any protected health information that an organization handles, whether physically or electronically. Covering all locations where PHI is created, collected, stored, or processed, the evaluation should address both technical and non-technical vulnerabilities, as well as the policies, processes, and technologies that are in place to counteract them. It must also include a risk level evaluation for each threat, covering the likelihood of each vulnerability being exploited and the potential impact of such an occurrence.

Risk Assessments vs. Gap Assessments

Many healthcare organizations complete HIPAA gap assessments, which determine how their current controls compare to regulatory requirements. However, gap assessments are higher-level, designed to identify controls that may be missing from an organization’s security posture. Because they do not include a risk level evaluation, the Office for Civil Rights (OCR) specifies that gap assessments do not meet the standards for a formal risk analysis.

Who is Required to Complete a HIPAA Risk Assessment?

The HIPAA risk assessment requirement applies to both covered entities (health plans/payors, providers, and clearinghouses) and business associates (the service providers that covered entities do business with). Organizations that do not complete an adequate risk assessment are not HIPAA-compliant – and the lack of an appropriate vulnerability assessment is one of the HIPAA compliance issues most commonly investigated by the OCR.

Risk assessments are also required for covered entities seeking Medicare or Medicaid incentives under the Meaningful Use / Promoting Interoperability / MIPS Programs. During the application process, providers must confirm that they have completed a qualifying risk assessment during the calendar year in which their reporting period occurs.

How Often are Risk Assessments Required?

HIPAA does not specify how often risk assessments need to be performed. The law requires “regular” analysis of safeguards, although organizations can interpret this in many ways. At minimum, best practices dictate conducting an annual risk assessment; the threat landscape changes often enough to warrant a yearly review. However, some organizations implement a more frequent schedule, such as once per quarter. Organizations should also conduct follow-up assessments any time there are significant changes to the control environment, such as the implementation of a new information management system.

HIPAA Breach Risk Assessments

The OCR also requires organizations to complete a risk assessment after a healthcare data breach. This requirement provides a consistent method for determining if the data was actually compromised; how quickly the breach was resolved; and how to prevent similar incidents in the future.

For a breach assessment, organizations must document:

  • The nature and extent of the PHI that was involved
  • The unauthorized person (or organization) that used, accessed, or received the PHI
  • Whether the PHI was acquired or viewed
  • The extent to which the risk has been mitigated

What is Covered in a HIPAA Security Risk Assessment?

The scope of a risk assessment can be tailored to the needs of each business. Telemedicine software vendors, for instance, have different obligations under HIPAA than data centers or hospital systems. In general, the larger the organization (and the more complex their information system), the broader their scope should be.

Without accounting for scope, common assessment questions include:

  • Physical risks
    • Does the organization’s physical office have alarm systems?
    • Are offices locked when not in use?
    • How does the organization control access to physical instances of PHI?
  • Administrative risks
    • Does the management team include a designated Privacy Officer?
    • Do employees complete security training as part of their onboarding process?
    • How are privacy policies enforced?
    • Is there a breach notification plan?
  • Technical risks
    • Is data encrypted in the appropriate systems?
    • Are passwords secure?
    • Does the organization conduct regular malware scans and penetration tests?
    • Are access logs created for each of the relevant systems?
    • Is there an adequate data backup and disaster recovery plan?

Once the risks are identified, organizations must consider the likelihood of each vulnerability resulting in a breach, as well as the potential level of impact.

Because the OCR does not mandate the use of a specific risk analysis methodology, organizations can choose an approach (e.g., threat-oriented, vulnerability-oriented, or impact-oriented) that is most appropriate for their business.

Self-Assessments vs. Third-Party Risk Assessments

HIPAA allows organizations to decide whether they want to perform their own internal risk assessment or work with an external auditor.

Organizations that perform their own assessments can turn to NIST Special Publication 800-30 for recommendations, or use the OCR’s downloadable SRA tool to streamline the process. However, self-assessments do require a significant amount of time and internal resources, as well as a comprehensive understanding of HIPAA requirements. Internal biases and flawed reporting methodologies can also influence the outcome, potentially allowing critical risks to go undetected.

Conversely, a third-party risk assessment can help an organization more thoroughly evaluate their risks, threats, and potential impacts. Auditors that have specific experience in the healthcare industry can help covered entities select the most appropriate scope and methodology for their HIPAA risk assessment, while providing additional context for the results. While independent assessors cannot tell a business how to mitigate their risks, they can help management prioritize their remediation plans and build a more mature security program.

Any risk assessment – whether internal or external – needs to be properly documented, with a sufficient level of detail to demonstrate that the risk analysis was completed in an accurate and thorough manner. If an organization is audited by the OCR, they will need to provide written evidence of their risk assessment, among other factors.

Leveraging the Results of a HIPAA Security Risk Assessment

After a risk analysis, management must either accept the risks or implement controls to address them. In some cases, remediation may be as simple as minor updates to existing policies. In other cases, an organization may need to design and implement entirely new control groups.

Remediation should be planned in order of priority. Vulnerabilities that are most likely to be exploited should be addressed first, while those that pose a lower threat can be addressed in a later phase of remediation.

Beyond initial remediation, organizations should regularly evaluate their long-term risk management strategy – not only as it relates to HIPAA compliance, but also as it relates to the federal, state, and industry-specific regulations that they are required to meet. Their strategy should include key decisions regarding organization-wide information security programs, as well as:

  • The desired response to risk (e.g., acceptance, avoidance, mitigation, sharing, or transfer)
  • Selection protocol for new information technologies and third-party vendors
  • Conformance to enterprise security architectures
  • Ongoing monitoring/testing strategies

This information should be thoroughly documented and communicated to key stakeholders within the organization.

Get Started with a HIPAA Risk Assessment

360 Advanced provides HIPAA risk assessment services to covered entities and business associates. With more than 10 years of experience in the healthcare industry – and clients ranging from software vendors to Fortune 500 health plans – we can help you take the steps you need to achieve HIPAA compliance. Our team can guide you through every step of your initiative, from a security risk assessment and gap assessment to a full HIPAA privacy and security compliance assessment.