51% of organizations are planning to increase security investments as a result of a breach. With the advancement of medical technology and the introduction of medical records, data breaches are becoming more common. This is why risk assessment is essential when handling protected health information (PHI) both in physical and electronic form. Being able to determine threats and vulnerabilities before you run into them can save you from lost data and possible fines.

Risk assessment is not only useful for intensifying possible threats but is also mandatory. The Health Insurance Portability and Accountability Act (HIPAA) states that covered entities and business associates must complete regular risk assessments to identify and document vulnerabilities within their organization.

But what does a HIPAA risk assessment look like? Is there a specific template to follow? In this blog, we will go over what exactly a HIPAA risk assessment is, why you need it, and steps to take to create your own risk assessment template.

• What is a HIPAA Risk Assessment?

• Why Do I Need a HIPAA Risk Assessment?

• Step 1: Determine What PHI You Have Access to

• Step 2: Identify Where Your Organization is Vulnerable

• Step 3: Identify the Likelihood of a Threat

• Step 4: Assess Your Current Security Measures

• Step 5: Determine Your Level of Risk

• Step 6: Determine the Potential Impact of The Threat

• Step 7: Develop Mitigation Strategies

• Step 8: Implement Mitigation Measures

• Step 9: Finalize Your Documentation

• Template Formatting

  • Section 1: Introduction

  • Section 2: Risk Assessment Approach

  • Section 3: System Characterization

  • Section 4: Threats and Vulnerabilities

  • Section 5: Risk Assessment Results

• Conclusion

When it comes to HIPAA risk assessments, we are talking about conducting a systematic evaluation of an organization’s processes, systems, and practices. All of this is in hopes of identifying any potential risks or vulnerabilities to PHI. By identifying these vulnerabilities, organizations can better assess the likelihood and impact of various threats as well as develop strategies to mitigate these risks.

While HIPAA doesn't give specific instructions on how to conduct risk analyses, there are some general steps suggested for everyone to follow. Although the needs and vulnerabilities of covered entities and business associates may differ, all organizations must provide documented proof of a conducted risk assessment.

So why do you need to conduct a HIPAA risk assessment? Sure it’s required, but some people need a little more convincing than that. Let’s take into consideration the fact that penalties for even a minor breach can really add up. With penalties capped at $1,919,173 per calendar year for the length of the breach.

If taking action to protect you and your company from severe fines and even jail time isn’t enough to convince you to take this seriously, I’m not sure what else to say here!

Find out what PHI your company has access to. Identifying where PHI travels throughout your company is a great way to map out potential threats and vulnerabilities. Look at where your organization creates, receives, maintains, and transmits patient health information. Find this information by:

• Reviewing past projects, as well as existing ones.

• Performing interviews and reviewing documentation.

• Using other data-gathering techniques and documenting all gathered information.

Like mentioned above, use the information gathered about your PHI cycle to locate any vulnerabilities. These aren’t always going to be obvious, so make sure to think outside of the box and brainstorm with your team.

Potential threats may include:

• Physical security risks.

• Cybersecurity threats.

• Employee actions (intentional and unintentional).

• Natural and environmental threats.

Remember to document this step, my friends!

Now that you identified your potential threats and vulnerabilities, it’s time to take things a step further and assess the probability it will come to fruition. Considering the combination of each threat and vulnerability will help you rate them according to the likelihood of an incident.

Rating methods that are common include labeling each risk as High, Medium, and Low. Another method involves providing numeric weight to express the likelihood of occurrence. Document, document, document!

As you complete the reviews, you can now assess the security measures you currently have in place. Include all measures such as administrative, physical, and technical safeguards. When looking over these security installments, consider their effectiveness in mitigating the risks you have found.

You should document the measures you already have in place, which should include both technical and non-technical. Technical measures include information hardware and software such as:

• Access control.

• Authentication.

• Encryption.

• Automatic log-off.

• Audit controls.

Non-technical measures include operational and management controls like:

• Policies.

• Procedures.

• Physical or environmental security measures.

Assign the level of the likelihood of threats and impact combinations to each identified risk. By doing so, you can appropriately prioritize the risks that require immediate attention. This also helps with allocating your resources more effectively.

When a threat is likely to occur and has the power to have a significant impact on your organization, the assigned level of risk is the highest. Threats that won’t have much of an impact and have a low chance of occurring, are low-risk levels.

Create a list of corrective actions once you document the assigned threat levels.

Consider any possible outcomes of each data threat. These can include situations such as unauthorized access or disclosure, permanent loss or corruption, and temporary loss or unavailability of data.

Loss of financial cash flow or physical assets are two additional (and very serious) results of an unchecked threat. After gathering this information, evaluate the impact of each outcome. Once you do this, make sure to include measures to take into account, which can be qualitative or quantitative. Document all impacts and ratings of each outcome.

You should be documenting pretty much everything up to this point if I didn’t make that clear already! Once you assess all risks, it is time for the next step. Develop strategies to mitigate or eliminate the threats.

Strategies should be specific, actionable, and above all tailored to your company’s particular needs. 

Now that you have your mitigation strategies written down and ready to use, it’s time to put them to the test. Implement these strategies to mitigate threats from malware, ransomware, and phishing.

Note that this might involve new and improved security measures, adjusting employee training, or upgrading software. Of course, the list can go on, but we are going to cap it at three of the most common examples to save time.

Examples of implementation of new and improved security measures might include:

• Making sure only certain employees have access to electronic protected health information (ePHI).

• Implement controls to prevent users from accessing more ePHI than they need to.

• Create a system to verify employee identity. This complies with the physical access, workstation security, and event logging requirements of the HIPAA Security Rule.

• Take inventory of all devices that have access to ePHI as well as the media it is on.

• Install a system that tracks the movement of devices and media.

• Make sure any devices that have access to ePHI are PIN-locked and have automated logoff capabilities activated.

Again, you should be documenting each step! We’ve made it to the end of the risk assessment. Finalize your document in a format that outlines and highlights the PHI you work with and any vulnerabilities. Finish your document with how you seek to mitigate these threats, and you’re done!

Here is a quick breakdown of a HIPAA risk assessment template which includes a short description for each section. Remember that this is a general template, so you may need to adapt this to your organization’s specific needs. 

Explain the reason for the document, why you need a risk assessment, and the scope. Document the flow of PHI within your company while describing all:

• System components.

• Elements.

• Field site locations. 

• Users (including the use of a remote workforce).

• Additional details about the EHR system.

Make sure to also document your IT systems as well as components and information. Include any removable media and portable computing devices.

Define any methods you use to perform the risk assessments including participants, techniques used to gather information, and the development of the Risk Sale.

Identify participants responsible for or interacting with the EHR, and include a list of their names and roles. List the methods that identify and inventory your ePHI data, physical processes and procedures.

Last, describe when you perform risk assessments and how you determine their impact. Include the risk-level matrix and risk classification levels in use. Note there should be at least three risk classification levels.

Identify any boundaries of the IT system as well as the resources and data making up the system. This characterization establishes the risk assessment scope effort and shows the authorization or accreditation pathway. Also, it provides information on connectivity, responsibility and support.

Details and documentation of all system-related information, system users, and data inventory is essential.

You should list all potential threats and vulnerabilities to the system. Feel free to include a brief description here and provide the more detailed results in a separate document. Threat identification, vulnerability identification, and security measures are the three big topics to cover here.

When talking about threat identification, you should create a catalog of reasonably anticipated threats. Note your most significant concerns will be human threats. This can look like a disgruntled ex-employee, criminals, vendors, patients, or anyone with a motive to use ePHI for their own gain.

Vulnerability identification must include both technical and non-technical shortcomings, such as:

• Incomplete/conflicting policies and procedures.

• Insufficient safeguards (both physical and electronic).

• Other flaws or weaknesses in the system. 

Document and assess the effectiveness of the security measures (both technical and non-technical) that are currently in place, as well as the new ones you intend to implement.

Last, document the results. In as much detail as possible, describe your observations, the measures of each risk, and any recommendations for security implementation/corrective action. Make sure to track any revisions or changes to your risk assessment. 

HIPAA risk assessments may sound difficult and involved, and they can be… but that’s exactly why I wrote this blog! HIPAA compliance is an important and ever-changing process, but having a structured template to follow can help you manage your system and stay ahead of the curve.

Regularly reviewing your risk assessment results, adapting to new threats, and making adjustments to your strategies are all essential. Conducting risk assessments annually or following any major company changes is also recommended.