
Annual HIPAA Deadline Approaching: HIPAA Risk Assessment


Each year, healthcare professionals must conduct a HIPAA risk assessment to identify the risks and vulnerabilities that threaten patient/client health information. As the 2021 annual security risk assessment deadline approaches, it is important to understand what must be done to meet this requirement.

Components Needed for HIPAA Risk Assessment

As discussed below, there are six components that need to be addressed to conduct an accurate and thorough HIPAA risk assessment.

  1. Collecting Data
  2. Identifying and Documenting Potential Threats and Vulnerabilities
  3. Assessing Current Security Measures
  4. Determining the Likelihood of Threat Occurrence
  5. Determining the Potential Impact of Threat Occurrence
  6. Determining the Level of Risk

Each of these HIPAA risk assessment components will be reviewed in more detail below.

1. Collecting Data

The first step in completing a security risk assessment is identifying where electronic protected health information (ePHI) is created, received, maintained, stored, or transmitted, so that it can be adequately protected. HIPAA refers to this as “collecting data.”

2. Identifying and Documenting Potential Threats and Vulnerabilities

Once step one is completed, reasonably anticipated threats and vulnerabilities to ePHI must be documented. This includes how each vulnerability could be exploited by a threat, and the resulting risk of improper access to or disclosure of ePHI. HIPAA refers to this as “Identifying and Documenting Potential Threats and Vulnerabilities.”

3. Assessing Current Security Measures

The next step in completing a HIPAA risk assessment is documenting the security measures you currently have in place to protect ePHI. Those measures must meet HIPAA Security Rule requirements and be properly configured and maintained. HIPAA refers to this as “Assessing Current Security Measures.”

4. Determining the Likelihood of Threat Occurrence

Based on the threats identified in step 2, you must determine how likely each one is to occur and affect ePHI. HIPAA refers to this as “Determining the Likelihood of Threat Occurrence.”

5. Determining the Potential Impact of Threat Occurrence

Next, you must determine the impact a threat would have if it triggered or exploited a vulnerability. Would the impact be severe, moderate, or low? For example, if malware exploited a vulnerability, would the impact be severe? HIPAA refers to this as “Determining the Potential Impact of Threat Occurrence.”

6. Determining the Level of Risk

Lastly, you must determine the level of risk that each identified vulnerability to ePHI poses, based on the likelihood and impact established in steps 4 and 5. HIPAA refers to this as “Determining the Level of Risk.” Once the level of risk is known, remediation plans can be prioritized accordingly, ensuring that the vulnerabilities posing the most risk are addressed first.

Why Are HIPAA Security Risk Assessments So Important?

Conducting an annual security risk assessment (SRA) is essential to maintaining the confidentiality, integrity, and availability of PHI. Without annual SRAs, PHI is left vulnerable to potential breaches. When healthcare professionals suffer a breach and have failed to comply with the SRA requirement, they are in violation of HIPAA and are often subject to costly fines and corrective action plans.

This Article Contributed by Compliancy Group
