HIPAA Risk Analysis requirements under the Security Rule

Section 164.308(a)(1)(ii)(A) states: RISK ANALYSIS (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].

There is no single method or even a “best practice” for performing a risk analysis that guarantees compliance with the Security Rule. However, the risk analysis must include vulnerabilities to the confidentiality, availability and integrity of all ePHI that an organization creates, receives, maintains or transmits. This includes ePHI in all forms of electronic media: hard drives, floppy disks, CDs, DVDs, smart cards, personal digital assistants, transmission media, or portable electronic media. The environment can be a single workstation or a complex network spanning multiple geographical locations.

Your analysis must identify all these information storage locations and then assess the potential threats and vulnerabilities.

• What happens when a provider takes home a laptop or accesses ePHI from a personal device at home or while traveling?

• Do providers text ePHI? Does anyone on your staff text with patients?

• How many of your staff members use the same password? Does this password allow unnecessary access? Could staff members alter, delete, transmit or disclose information they should not?

• Do you have employees or contractors who work from home? How secure is that environment?

• How do your business associates protect the ePHI they handle on your behalf?

The list of risks continues.

The big concern at this time is, “What do you do with the information learned from the analysis?” Conducting the analysis is the first step, but it is not the last step. Based on findings from the analysis, covered entities and business associates must implement improvements in their security program.

Here are some improvements that might be indicated:

• Encryption for all devices and storage

• Adding a VPN (virtual private network)

• More thorough screenings for potential employees

• Verifying authentication capability to ensure integrity of information

• Automatically updating anti-virus and anti-malware software and applying operating system security patches

• Installing a better firewall

• Improving the backup process and implementing disaster recovery, including mock events and test restores

• Verifying functionality of the UPS (uninterruptible power source)

• Adding a checklist for close of business each day: are all applicable doors locked?

ANN BACHMAN, CLC (AMT), MT (ASCP) is a DoctorsManagement partner and Director of the OSHA, CLIA, HIPAA Compliance Department. She is also the founder and Executive Director of the American Association of Physician Offices and Laboratories (AAPOL).

Ann Bachman can be contacted at 800-635-4040