HIPAA Security Rule Risk Assessment

Covered entities are required to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by them.

Why have a HIPAA Security Rule Risk assessment?

  • Ensure compliance with the HIPAA Security Rule (initial requirement and Meaningful Use)
  • Demonstrate ongoing commitment to reducing risks of ePHI exposure
  • Avoid compliance penalties and fines
  • Reduce threats to systems and ePHI exposure
  • Increase confidence in the safety of ePHI

Benefits from a HIPAA Security Rule Risk Assessment

  • Identify potential ePHI exposures
  • Identify potentially vulnerable systems and data
  • Find areas where training may need improvement
  • Ensure appropriate controls are in place to protect ePHI
  • Provide recommendations to remediate risks

Initial Assessment of HIPAA Security Rule

The HIPAA Security Rule requires identification and implementation of a framework to protect patients’ privacy and to make sure medical information is secure.

Conducting a risk analysis or Risk Assessment is the first step required by the HIPAA Security Rule to identify and implement safeguards that assure compliance. As part of the Risk Assessment you are required to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by a covered entity.” This Risk Assessment must include nine essential elements as identified by the Office of Civil Rights (OCR), the enforcement arm for HIPAA.

Periodic Review of HIPAA Security Rule

Guidance by the OCR notes that the risk analysis/assessment process should be ongoing. The Security Rule does not specify how frequently to perform risk analysis as part of a comprehensive risk management process and the frequency of performance will vary among covered entities. Some covered entities may perform these processes annually or as needed (e.g., bi-annual or every 3 years) depending on circumstances of their environment.

Meaningful Use Assessment

Conducting or reviewing a security risk analysis/assessment to meet the standards of the HIPAA Security Rule is included in the meaningful use requirements of the Medicare and Medicaid EHR Incentive Programs. Eligible professionals must conduct or review a security risk analysis/assessment for each EHR reporting period to ensure the privacy and security of their patients’ protected health information.