Planning your HIPAA Risk Analysis

by Sarah Harvey / February 16th, 2017

Preparing for HIPAA compliance can be an overwhelming undertaking if you’re uncertain where to begin. Starting with a formal risk analysis can help you determine how your current security posture stands up against HIPAA laws while creating a roadmap leading you towards compliance.

Why is HIPAA Risk Analysis Important?

Why is risk analysis important? First and foremost, a risk analysis is important because it is a requirement under the HIPAA Security Rule. The number one finding identified during the Phase 1 HIPAA audits was that organizations consistently struggled with the risk analysis. Completing a risk analysis provides benefits that go beyond compliance with a single requirement, it is the start of a compliance path. If you’ve never completed or are struggling with one, the first step in the formal risk analysis process is planning. It’s important to remember that incomplete planning means incomplete results.

A risk analysis is not the same as an overall HIPAA gap analysis. A risk analysis asks, how much exposure do we have to unauthorized access or disclosure of ePHI? While a gap analysis asks, how are we doing compared to what the regulations require? A risk analysis provides greater layers of information by showing how much exposure you have, identifying the controls you have in place, and determining how likely it is that a security incident will occur. All of this leading to any necessary corrective action.

Determining your Resources

Determining available resources for completing the risk analysis is the next step in the planning process. Who will lead the project? Do they have the proper experience to conduct the risk analysis? Do they have the support of the leadership team? Have they reviewed any past risk analyses? If they don’t have any previous experience they will need to be trained and given any necessary resources to become familiar with the process in order to perform a satisfactory risk analysis. If you do not have the internal resources available, there is also the option to seek an outside source to perform the risk analysis for you.

Determining Your Scope

The next step in planning the risk analysis is determining the scope. Jocelyn Samuels from the OCR said, “All too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical record or that fails to provide appropriate oversight and accountability for all parts of the enterprise. An effective risk analysis is one that is comprehensive in scope and is conducted across the organization to sufficiently address the risks and vulnerabilities to patient data.” The risk analysis requirement only applies to ePHI, so that excludes any fax receipts or phone calls where PHI is discussed. The best way to determine what is considered in scope is to think in terms of ePHI processing. Where does ePHI enter and exit your organization? Creating an ePHI data workflow will help you outline the specific places in your organization that touches, receives, or accesses ePHI. Creating a visual representation of your workflow will be a huge resource for your risk analysis scoping process.

Information gathering can be useful during ePHI flow research. Analyzing any previous information security incidents, performing interviews with key staff, reviewing documentation, and looking at past and present ePHI projects, can help you validate the scope of your risk analysis.

Don’t forget that planning is important. When you’re ready to move forward to discuss threats and vulnerabilities, ensure that you’ve accurately captured the information you need to properly complete your risk analysis. Bring in internal resources who aren’t directly involved in the project and get feedback on any missing elements and present them with the documented plan you have established. For more information on risk analysis, contact us today.