Under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, doctors, chiropractors, dentists and other covered entities (along with their business associates) are required by law to conduct a risk analysis and to repeat it periodically, particularly after changes to their systems or operations. The risk analysis is the foundation of Security Rule compliance: it is an accurate and thorough assessment of the risks and vulnerabilities to the confidentiality, integrity and availability of the Electronic Protected Health Information (EPHI) the entity handles, and the safeguards chosen to implement the rest of the Security Rule are supposed to follow from what it finds.
Example Components of a HIPAA Risk Analysis
To help covered entities conduct meaningful and effective risk analyses, the U.S. Department of Health and Human Services (HHS) has published several example questions on its website. These questions are not themselves a requirement of the risk analysis or of any other part of HIPAA, but they give a good idea of the ground an analysis should cover:
- What types of EPHI does your practice create, receive, maintain and/or transmit, and where?
- Are there external sources of EPHI, such as vendors or consultants who create, receive, maintain or transmit EPHI on your behalf?
- What human, natural and environmental threats does your practice face that could compromise the confidentiality, integrity or availability of EPHI?
A key element of a HIPAA risk analysis is an accurate picture of where data is stored. Covered entities must specify in their analysis exactly where EPHI resides: local hard drives, USB flash drives, external devices, backup media, or the cloud. Keep in mind that if EPHI is stored in the cloud and a separate third-party entity operates that cloud, you must have a Business Associate Agreement (BAA) in place with the cloud provider before EPHI goes there. HHS has made clear that a cloud provider storing EPHI is a business associate even if it holds only encrypted data and never has the decryption key. More generally, a BAA is required whenever a third party creates, receives, maintains or transmits PHI on a covered entity's behalf. Note that the BAA does not remove the cloud storage from your own risk analysis; it still has to be documented and assessed like any other location.
All covered entities must also "identify and document" potential threats to EPHI. Because every practice's circumstances are different, there are no specific guidelines that covered entities must follow when identifying and documenting threats. HHS simply states that covered entities must document any reasonably anticipated threat that could lead to unauthorized access to EPHI or otherwise compromise its confidentiality, integrity or availability, and then assess the likelihood and potential impact of each threat so that the resulting risks can be ranked and addressed.
Document Security Measures
What security measures does your practice use to safeguard EPHI from unauthorized use or disclosure? As part of a HIPAA risk analysis, covered entities must assess and document all measures currently in place to protect EPHI from unauthorized access or disclosure. This may include encryption, access control systems, firewalls, virus scanners, audit logging, and so on. Documenting that a measure exists is not enough on its own: the analysis should also record whether each measure is configured and used correctly, since a firewall with a permissive rule set or an unenforced password policy provides little of the protection it is being credited with.