In this article I discussed that the Office for Civil Rights (OCR) is getting ready to begin HIPAA Security Audits. The audits should begin by the end of this year. In an interview, Susan McAndrew, OCR's deputy director for privacy, stressed the importance of performing a Risk Assessment.

OCR has published a paper called:

HIPAA Security Standards: Guidance on Risk Analysis

Below are some highlights from the paper.

We begin the series with the risk analysis requirement in § 164.308(a)(1)(ii)(A). Conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule. Therefore, a risk analysis is foundational, and must be understood in detail before OCR can issue meaningful guidance that specifically addresses safeguards and technologies that will best protect electronic health information.

All e-PHI created, received, maintained or transmitted by an organization is subject to the Security Rule. The Security Rule requires entities to evaluate risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of e-PHI. Risk analysis is the first step in that process.

The following questions, adapted from NIST Special Publication (SP) 800-66, are examples organizations could consider as part of a risk analysis. These sample questions are not prescriptive and merely identify issues an organization may wish to consider in implementing the Security Rule:
  • Have you identified the e-PHI within your organization? This includes e-PHI that you create, receive, maintain or transmit.
  • What are the external sources of e-PHI? For example, do vendors or consultants create, receive, maintain or transmit e-PHI?
  • What are the human, natural, and environmental threats to information systems that contain e-PHI?

Organizations should use the information gleaned from their risk analysis as they, for example:

  • Design appropriate personnel screening processes. (45 C.F.R. § 164.308(a)(3)(ii)(B).)
  • Identify what data to back up and how. (45 C.F.R. § 164.308(a)(7)(ii)(A).)
  • Decide whether and how to use encryption. (45 C.F.R. §§ 164.312(a)(2)(iv) and (e)(2)(ii).)
  • Address what data must be authenticated in particular situations to protect data integrity. (45 C.F.R. § 164.312(c)(2).)
  • Determine the appropriate manner of protecting health information transmissions. (45 C.F.R. § 164.312(e)(1).)

I encourage you to read the full paper to get a good overview of how OCR believes a Risk Assessment should be conducted.
