HIPAA Risk Assessment: What is it and How Often Should You Have One?

HIPAA Risk Assessment: How Often Should You Have One?
17 Aug

HIPAA Risk Assessment: What is it and How Often Should You Have One?

By Danielle Kelvas MD

According to a 2021 study based on data from the U.S. Department of Health & Human Services (HHS), the frequency of data breaches involving healthcare institutions increased by 84% between 2018 and 2021. The overall number of victims increased dramatically from 14 million in 2018 to 41.45 million by 2021. Additionally, the number of healthcare breaches in the first five months of 2022 has nearly doubled from the same period in the previous year, according to data from the HHS Cybersecurity Program (1). On a positive note, there are precautions you can take to prevent from being another statistic in these data breach findings. This is why the need for a HIPAA risk assessment is critical. Anyone wishing to become HIPAA compliant and improve the safety of their sensitive information must first conduct a HIPAA risk assessment. In this post, we provide information about what a risk assessment entails, how to perform one, and how often it should be performed. Plus, we’ve included a checklist to make the process more clear, for your convenience.

What is HIPAA risk assessment?

Organizations are required to identify, prioritize, and manage any security breaches using a HIPAA risk assessment. This evaluation, which is an internal audit, looks at how protected health information (PHI) is safeguarded and stored. It’s beneficial to organizations because it can be used to find security vulnerabilities and strengthen the protection of information (1,2). The HIPAA Security Rule requires both covered entities and business associates of covered entities to perform HIPAA security risk assessments to keep PHI safe from breaches or other vulnerabilities (1,2).

Why are HIPAA risk assessments important?

Health data for many patients is electronically stored. Therefore, there is a possibility that their electronic protected health information (ePHI) can be breached. To identify vulnerabilities and continuously protect patient information, organizations must frequently analyze their security posture, and a HIPAA risk assessment is a method for fulfilling that requirement, and is mandatory for HIPAA compliance (1). Failure to adhere to HIPAA regulations may result in expensive fines, a damaged business reputation, and in some circumstances, criminal penalties. Updated security risk assessments can help you in maintaining information security and preventing any fines and penalties due to a violation of HIPAA regulations.

How to Conduct a HIPAA Risk Analysis

HIPAA doesn’t mention specific rules for how a risk analysis should be performed, because it recognizes that the needs and vulnerabilities of covered entities and business associates are different from one another, and different-sized organizations will have access to different levels of resources. However, an entity must still be capable of proving that it has performed a HIPAA risk analysis, and each HIPAA assessment must take several factors into account when being conducted (2).

Determine the Scope

The scope of your risk assessment will consider every potential risk to PHI, the devices ePHI is stored on, and where PHI is stored, whether that’s electronically or physically. When determining the scope, you should also be documenting where PHI is stored, received, maintained, and transmitted (2).

Identify Potential Vulnerabilities

Organizations need to examine and document any threats that can lead to a PHI breach. This can be accomplished by looking through previous or ongoing projects, conducting employee interviews, and analyzing documentation (1,2).

Assess Security Measures

Businesses should evaluate the security precautions taken to safeguard PHI and determine whether current security measures are properly used and configured. It is required to document every current security measure in place to safeguard PHI. HIPAA Security Rule requirements should then be compared to current security methods. Reassessing any gaps or incorrectly applied measures is necessary (2,3).

Determine Risk Levels

Organizations should estimate the likelihood of a threat occurring and its probable impact after identifying potential risks. Assign risk levels for all threat and security vulnerabilities that you have identified during the risk assessment. The assigned level of risk is highest when a threat has an increased likelihood to occur and will have a significant impact on your organization. The level of risk is lowest when the chance of that risk occurring is low and the threat won’t have much of an impact on the organization. Risks should be prioritized, and any steps taken to reduce them should be documented (3).

Finalize and Update

Documentation that clearly defines the PHI you work with, your vulnerabilities, and the steps you’ll take to try to minimize threats to the integrity of PHI should be used to finalize your risk analysis. Moreover, you should follow HHS instructions for evaluating and revising your risk assessment.

How often should you perform a HIPAA Risk Assessment?

In order for an entity to update and document its security measures “as needed,” which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed. HIPAA doesn’t state a specific requirement about how often to conduct a risk assessment because the frequency of performance will vary among covered entities. Some covered entities may perform these processes annually or as needed. It is recommended this be updated bi-annual or every three years, depending on circumstances of their environment (3).

HIPAA Risk Assessment Checklist (2,3)

  1. Collect data: identify where PHI is stored, received, maintained, and transmitted.
  2. Identify and document potential threats facing PHI.
  3. Assess and document current security measures in place to protect PHI.
  4. Determine and document the likelihood of threat occurrence.
  5. Determine and document the impact of threat occurrence.
  6. Assign and document risk levels to each threat.
  7. Document what security measures are needed to prevent each risk.

It’s important to accurately document every step of your risk assessment and to review and update your risk assessment on a regular basis. If you need more information on the steps outlined, refer to the detailed steps mentioned above or refer to the U.S. Department of Health & Human Services website (2,3). Contact us today so we can help you meet all HIPAA compliance requirements. Sources:

  1. Electronic Medical Records in Healthcare. HHS Cybersecurity Program. Published Feb 17, 2022. Retrieved Oct 6, 2022 from https://www.hhs.gov/sites/default/files/2022-02-17-1300-emr-in-healthcare-tlpwhite.pdf.
  2. The Security Rule. HHS. Published Sept 23, 2020. Retrieved Oct 6, 2022 from https://www.hhs.gov/hipaa/for-professionals/security/index.html.
  3. Guidance on Risk Analysis. HHS. Published July 22, 2019. Retrieved Oct 7, 2022 from https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html.