A federal Health Insurance Portability and Accountability Act (HIPAA) security risk assessment is an assessment of a health provider’s (also known as “covered entity”) and business associates’ compliance with the HIPAA Security Rule.

The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) administers the HIPAA Security Rule to ensure that patient health information (PHI) remains secure while also enabling healthcare providers to use the latest technologies.

Regarded as the most complex and challenging of the HIPAA rules with which to comply (the others are the Privacy Rule, Omnibus Rule, and Breach Notification Rule), the HIPAA Security Rule comprises three areas:

Administrative safeguards: Administrative actions, policies, and procedures for use in securing electronically protected health information (e-PHI), including electronic health records (EHR). It comprises seven sections:

  • Security management process addresses organizational policies and procedures and training of employees in security, including cybersecurity awareness, and HIPAA compliance. It also spells out expectations for security risk assessment, security risk analysis, risk register, and risk management plans.
  • Assigned security responsibility requires covered entities to designate someone as responsible for developing and implementing organizational policies and procedures in accordance with the Security Rule.
  • Workforce security stipulates that policies and procedures must give employees access to e-PHI that they need to do their work and that the access ends with the need to access the PHI.
  • Information access management says that covered entities must restrict PHI access to only those who need it.
  • Security awareness and training stipulates that covered entities must train employees in security policies, procedures, and practices.
  • Security incident procedures require policies and procedures in case of a security incident so that employees know what to do to protect e-PHI.
  • Contingency plans address outages that aren’t breaches (caused by a loss of power, for instance, or a disaster) and require policies and procedures for ensuring the confidentiality, availability, and integrity of e-PHI in the event of a crisis.
  • Evaluation says that covered entities must have up-to-date security monitoring and evaluation plans.
  • Business associate contracts and other arrangements require contracts with service providers and other third parties that create, receive, maintain, or transmit PHI to meet certain HIPAA requirements.

Physical safeguards: This area considers the concrete measures covered entities take to safeguard PHI, including building and equipment security. Sections are:

  • Facility access controls, requiring policies and procedures for restricting physical access to the buildings where PHI and the systems containing it are housed, including data centers, IT staff offices, workstations, and peripheral equipment.
  • Workstation use and security require physical security with restricted access for all e-PHI-accessible workstations.
  • Device and media controls guide policies for “receipt and removal of hardware and electronic media that contain electronically protected health information into and out of a facility, and the movement of these items within the facility.” Disposal of hardware, software, and patient data should also be addressed.

Technical (cyber) safeguards: These protect e-PHI and control technological access to it, requiring access controls, audit controls, integrity controls, authentication controls, and transmission security controls.

  • Access controls concern policies and procedures for restricting electronic access to PHI to certain authorized users and software.
  • Audit controls stipulate that systems containing e-PHI must be monitored and their activity recorded, and address audit procedures and frequency, evidence collection, results analysis, and penalties for employee HIPAA violations.
  • Integrity controls address how to prevent and correct PHI errors as well as prevent unauthorized PHI changes or deletions.
  • Person or entity authentication concerns how the identity of people and entities requesting access to PHI is authenticated.
  • Transmission security concerns protecting e-PHI in transit from compromise, including through encryption.

What your HIPAA security risk assessment should cover

A HIPAA security risk assessment or gap assessment assesses your compliance with the administrative, physical, and technical safeguards listed above.

The supporting risk analysis should identify risks, potential risks, vulnerabilities, and potential threats, and assess how well the safeguards you have in place address them. Your risk analysis should include the following, according to HHS:

  • Scope of the analysis: Include all electronic media containing, processing, or storing e-PHI.
  • Data collection: Map the flow of data from start to finish as well as vulnerable areas on that map.
  • Vulnerabilities/threat identification: Identify and document reasonably anticipated threats to electronically protected health information (e-PHI) as well as vulnerabilities that might create a risk of inappropriate access to, or disclosure of, e-PHI.
  • Assessment of current security measures: Assess and document which security measures now safeguard e-PHI, whether they are required by the HIPAA Security Rule, and whether they are configured and used properly.
  • Likelihood of threat occurrence: Determine the likely impact of risks to confidentiality, integrity, and availability of e-PHI and assess how great the impact would be if a threat were to trigger or exploit each vulnerability.
  • Potential impact of threat: Determine what adverse effects an attack might have on the confidentiality, integrity, and availability of e-PHI and on the organization. Potential impacts should be listed with every vulnerability.
  • Risk level: Assign risk levels for the threat and vulnerability combinations you’ve identified. Document the risk levels, including corrective actions to mitigate each level.
  • Periodic review/update as needed: Some covered entities may do this yearly; others bi-annually or every three years, depending on their circumstances.

To help small and medium-sized healthcare organizations conduct HIPAA security risk assessments, the National Institute of Standards and Technology (NIST) has launched, in tandem with HHS OCR and the Office of the National Coordinator for Health IT (ONC), a HIPAA Security Risk Assessment (SRA) Tool.