The confidentiality of personal health data is one of the highest priorities in information security. As healthcare providers and organizations handle vast troves of protected health information (PHI), the need for robust security measures and unwavering HIPAA compliance cannot be overstated. 

Failure to maintain compliance with HIPAA (the Health Insurance Portability and Accountability Act) exposes healthcare businesses to substantial legal and reputational risks, which is why thorough security risk assessments matter: a security risk assessment is one of the fundamental requirements of HIPAA compliance.

A HIPAA security risk assessment examines your compliance with the HIPAA Security Rule. It applies both to your own organization and to any business associates that handle PHI on your behalf. This article will explore what that risk assessment should encompass and how to perform it effectively.

Areas of the HIPAA Security Rule

The HIPAA Security Rule is both complex and challenging. It has three primary components. 

Administrative safeguards

These are the administrative actions, policies, and procedures to secure electronic protected health information (e-PHI), including electronic health records (EHR). These safeguards should address the following points.

  • The security management process addresses organizational policies, procedures, and employee security training, including cybersecurity awareness and HIPAA compliance. It also sets expectations for security risk assessment, risk analysis, the risk register, and risk management plans.
  • Assigned security responsibility requires businesses to designate someone responsible for developing and implementing the organizational policies and procedures the Security Rule calls for.
  • Workforce security stipulates that policies and procedures must give employees access to the e-PHI they need to do their work, and that this access is revoked when the need for it ends.
  • Information access management says that covered entities must restrict PHI access to only those who need it.
  • Security awareness and training stipulates that covered entities must train employees in security policies, procedures, and practices.
  • Security incident procedures require policies and procedures for handling a security incident, so that employees know how to protect e-PHI.
  • Contingency plans address outages that aren’t breaches, such as those caused by a loss of power or a disaster, and require policies and procedures for assuring confidentiality, availability, and integrity in the event of a crisis.
  • Evaluation requires covered entities to keep up-to-date security monitoring and evaluation plans.
  • Business associate contracts and other arrangements require contracts with service providers and third parties that create, receive, maintain, or transmit PHI to meet specific HIPAA requirements.

Physical safeguards

Physical safeguards consider the concrete measures covered entities take to safeguard PHI, including building and equipment security. This includes the following.

  • Facility access controls require policies and procedures for restricting physical access to the buildings where PHI and the systems holding it are located, including data centers, IT staff offices, workstations, and peripheral equipment.
  • Workstation use and security requires physical security, with restricted access, for all workstations that can reach e-PHI.
  • Device and media controls require policies governing the receipt and removal of hardware and electronic media that contain e-PHI into and out of a facility, and the movement of these items within the facility. Disposal of hardware, software, and patient data should also be addressed.

Technical safeguards

Technical safeguards (also known as cyber safeguards) protect e-PHI and control technological access, requiring access controls, audit controls, integrity controls, authentication controls, and transmission security controls.

  • Access controls concern policies and procedures for restricting electronic access to PHI to specific authorized users and software.
  • Audit controls stipulate that systems containing e-PHI must be monitored and their activity recorded. These controls also dictate audit procedures and frequency, evidence collection, analysis of results, and penalties for employee HIPAA violations.
  • Integrity controls address preventing and correcting PHI errors and unauthorized PHI changes or deletions.
  • Person or entity authentication governs how the identity of people and entities requesting access to PHI is verified.
  • Transmission security protects e-PHI in transit from compromise, including through encryption.

What Your HIPAA Security Risk Assessment Should Cover

A HIPAA security risk assessment assesses your compliance with the administrative, physical, and technical safeguards listed above.

The supporting risk analysis should identify risks, potential risks, vulnerabilities, and potential threats, and assess how well the safeguards you have in place address them. According to the U.S. Department of Health & Human Services (HHS), your risk analysis should include the following:

  • The scope of the analysis: this should include all electronic media containing, processing, or storing e-PHI.
  • Data collection: map the flow of e-PHI from start to finish and mark the vulnerable areas on that map.
  • Vulnerabilities and threat identification: identify and document reasonably anticipated threats to e-PHI and the vulnerabilities that might create a risk of inappropriate access to or disclosure of e-PHI.
  • Current security measures: assess and document which security measures now safeguard e-PHI, whether the HIPAA Security Rule requires them, and whether they are configured and used correctly.
  • Likelihood of threat occurrence: estimate how likely each identified threat is to trigger or exploit each vulnerability, and thus to put the confidentiality, integrity, and availability of e-PHI at risk.
  • Potential impact of threat: determine the adverse effects an attack would have on the confidentiality, integrity, and availability of e-PHI and on the organization. A potential impact should be listed for every vulnerability.
  • Risk level: assign risk levels to the threat and vulnerability combinations you’ve identified. Document the risk levels, along with the corrective actions that mitigate each.
  • Periodic review and update: review and update the risk assessment as warranted. Some businesses do this yearly; others every two years or every three years, depending on their circumstances.
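The HHS elements above are easier to keep complete and consistent when the risk register is treated as data that can be checked. The following is an added example, not code from the article or from ZenGRC: it models each threat/vulnerability combination as a register entry, rejects entries that omit a required element (scope asset, threat, vulnerability, potential impact, valid ratings), derives a risk level from likelihood and impact, and lists the medium- and high-risk items that still lack a documented corrective action. The three-level likelihood/impact matrix and the sample entries are assumptions chosen for illustration; the Security Rule does not prescribe a particular scale.

```python
"""Checkable risk register for a HIPAA security risk analysis (added example).

Assumed qualitative scheme: likelihood and impact are each rated low/medium/high
and combined through RISK_MATRIX. The sample entries are constructed and
illustrative only.
"""
from dataclasses import dataclass

LEVELS = ("low", "medium", "high")

# Assumed 3x3 risk matrix: RISK_MATRIX[likelihood][impact] -> risk level.
RISK_MATRIX = {
    "low":    {"low": "low",    "medium": "low",    "high": "medium"},
    "medium": {"low": "low",    "medium": "medium", "high": "high"},
    "high":   {"low": "medium", "medium": "high",   "high": "high"},
}


@dataclass
class RiskEntry:
    asset: str                  # in-scope system or media that holds e-PHI
    threat: str                 # reasonably anticipated threat
    vulnerability: str          # weakness the threat could exploit
    current_measures: list      # safeguards already in place
    likelihood: str             # one of LEVELS
    impact: str                 # one of LEVELS
    potential_impact: str       # narrative impact, required for every vulnerability
    corrective_action: str = ""  # documented mitigation, may be empty initially


def validate(entry: RiskEntry) -> list:
    """Return a list of the HHS elements that are missing or malformed."""
    problems = []
    for name in ("asset", "threat", "vulnerability", "potential_impact"):
        if not getattr(entry, name).strip():
            problems.append(f"missing {name}")
    for name in ("likelihood", "impact"):
        if getattr(entry, name) not in LEVELS:
            problems.append(f"{name} must be one of {LEVELS}")
    return problems


def risk_level(entry: RiskEntry) -> str:
    """Combine the likelihood and impact ratings through the assumed matrix."""
    return RISK_MATRIX[entry.likelihood][entry.impact]


def prioritize(register: list) -> list:
    """Validate every entry, then return (level, entry) pairs, highest risk first."""
    incomplete = {}
    for entry in register:
        problems = validate(entry)
        if problems:
            incomplete[entry.vulnerability or "<unnamed>"] = problems
    if incomplete:
        raise ValueError(f"incomplete risk register: {incomplete}")
    ranked = [(risk_level(e), e) for e in register]
    # Stable sort keeps register order among entries with the same level.
    ranked.sort(key=lambda pair: LEVELS.index(pair[0]), reverse=True)
    return ranked


def needing_action(register: list) -> list:
    """Entries rated medium or high that have no corrective action documented yet."""
    return [e for level, e in prioritize(register)
            if level != "low" and not e.corrective_action.strip()]


# Constructed sample register (illustrative values, not from any real assessment).
SAMPLE_REGISTER = [
    RiskEntry("EHR database server", "credential theft via phishing",
              "shared admin account without MFA",
              ["password policy", "annual awareness training"],
              likelihood="high", impact="high",
              potential_impact="bulk disclosure of patient records",
              corrective_action="enforce MFA and individual admin accounts"),
    RiskEntry("Clinic laptops", "device loss or theft",
              "full-disk encryption not enforced",
              ["asset inventory"],
              likelihood="medium", impact="high",
              potential_impact="disclosure of locally cached e-PHI"),
    RiskEntry("Backup tapes", "natural disaster at storage site",
              "single off-site location",
              ["weekly off-site rotation"],
              likelihood="low", impact="medium",
              potential_impact="delayed restoration of records"),
]

if __name__ == "__main__":
    for level, e in prioritize(SAMPLE_REGISTER):
        print(f"{level:6} {e.asset}: {e.threat} / {e.vulnerability}")
    for e in needing_action(SAMPLE_REGISTER):
        print("needs corrective action:", e.vulnerability)
```

Running the block prints the three sample entries ranked high, high, low, and flags the laptop encryption gap as the one elevated risk without a documented corrective action. In practice the register would be loaded from a spreadsheet or GRC export rather than hard-coded, and the periodic review step would rerun `prioritize` after each update so that incomplete entries are caught before the assessment is signed off.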

To help small and medium-sized healthcare organizations conduct HIPAA security risk assessments, the National Institute of Standards and Technology (NIST) has launched, in tandem with HHS, a HIPAA Security Risk Assessment (SRA) Tool.

Frequently Asked Questions (FAQs)

How Do You Assess HIPAA Compliance?

Assessing HIPAA compliance involves a comprehensive review of an organization’s policies, procedures, and technical safeguards for protecting e-PHI. This typically consists of conducting a HIPAA risk analysis, implementing appropriate security measures, training staff, and maintaining documentation of compliance efforts.

Is a HIPAA Risk Assessment Mandatory?

The HIPAA Security Rule requires covered entities and business associates to conduct risk assessments as part of their compliance obligations. A thorough risk assessment process is a core requirement for identifying potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI.

What Are the Key Components of a HIPAA Compliance Assessment?

A comprehensive HIPAA compliance assessment should include:

  • Risk analysis and risk management processes
  • Evaluation of administrative, physical, and technical safeguards
  • Review of policies and procedures related to e-PHI handling
  • Assessment of workforce training and information security awareness
  • Analysis of business associate agreements and third-party vendor management
  • Examination of data breach notification and incident response plans
  • Adherence to CFR Title 45, which governs how people participate in medical research projects

How Often Should a Risk Assessment Be Conducted?

HIPAA regulations don’t specify a fixed timeframe, but risk assessments should be carried out periodically to account for changes in the organization’s operations, information technology systems, or regulatory landscape.

Best practices recommend conducting a full risk assessment annually, with additional reviews whenever significant changes (a merger or a major change in IT systems, for example) could affect the security of e-PHI.

Simplify HIPAA Compliance with ZenGRC

Navigating the complexities of HIPAA compliance can be challenging, but ZenGRC’s powerful risk management platform is designed to simplify the process. With ZenGRC, you can streamline workflow management, centralize compliance activities, and map controls across multiple frameworks to identify potential gaps.

Leverage ZenGRC’s automation capabilities to focus on core compliance requirements while minimizing tedious tasks. Enhance efficiency, foster a proactive approach to governance, and ensure robust patient data protection.

Don’t let HIPAA compliance overwhelm your organization. Choose ZenGRC to streamline your journey toward regulatory compliance. Schedule a demo today and discover how our platform can transform your HIPAA risk management strategies.