Part of the Administrative Safeguards section of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires doctors and other covered entities to conduct their own internal risk analysis. The purpose of this analysis is to gauge the likelihood of a data breach involving Electronic Protected Health Information (EPHI). While it may sound like a complicated process, conducting a risk analysis is actually easier than most people realize.
#1) Evaluate the Probability and Impact of a Data Breach
First and foremost, covered entities must analyze their system to determine both the probability and impact of a data breach involving EPHI. In other words, how likely is it that your practice will experience a data breach? And if a breach occurs, what type of damage can you expect to see?
#2) Implement Security Measures to Mitigate the Risk of Data Breach
The second step in conducting a HIPAA risk analysis is to implement security measures to protect against a data breach. This may include the use of encryption, two-way authentication systems, firewalls, network monitoring services, etc. These measures should be tailored to reduce the risks of data breach identified in the first step.
#3) Document Security Measures and the Methodology Behind Them
Next, covered entities should document the security measures they are currently using and explain why they chose them. If you plan on encrypting your data, for instance, include this information in your risk analysis report and state the reason you chose encryption. Of course, the most obvious reason for using data encryption is to prevent unauthorized users from seeing or otherwise accessing the data.
#4) Maintain Reasonable and Appropriate Security Measures
The fourth and final step is to maintain reasonable and appropriate security measures. This is somewhat of a catch-all stipulation that's noted on the Department of Health and Human Services (HHS) website. While it doesn't address specific security measures, HHS simply requires covered entities to use reasonable and appropriate security measures. The purpose of this generalized requirement is to allow for the growth and expansion of technology within the healthcare field. As new devices and techniques come into use, HIPAA must maintain generalized requirements such as this to ensure they are covered as well.
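The four steps above fit naturally into a small risk register: each threat to EPHI gets a likelihood and an impact rating (step 1), a chosen safeguard with the reasoning behind it (steps 2 and 3), and a check that no significant risk is left without a documented safeguard before the report is finalized (step 4). The following Python script is an added example and not part of the original article or any HHS material; the three-point scales, the score thresholds, and the sample threats, ratings and safeguards are all constructed for illustration and would be replaced by a practice's own findings.

```python
"""Added example: a minimal HIPAA-style risk register for EPHI.

Scores each identified threat by likelihood and impact, records the
chosen safeguard and its rationale for the risk analysis report, and
flags any medium-or-higher risk that has no documented safeguard.
Scales, thresholds and sample data are constructed assumptions.
"""
from dataclasses import dataclass, field

# Ordinal scales (assumed): 1 = lowest, 3 = highest
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}
LEVEL_ORDER = {"low": 0, "medium": 1, "high": 2}


@dataclass
class Safeguard:
    name: str
    rationale: str  # why this measure was chosen; goes into the report


@dataclass
class Risk:
    threat: str
    likelihood: str
    impact: str
    safeguards: list = field(default_factory=list)

    def score(self) -> int:
        # Likelihood x impact on the 1..3 scales gives 1..9
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def level(self) -> str:
        # Thresholds are an assumption of this example
        s = self.score()
        if s >= 6:
            return "high"
        if s >= 3:
            return "medium"
        return "low"


def unmitigated(risks, minimum_level="medium"):
    """Risks at or above minimum_level that have no documented safeguard."""
    floor = LEVEL_ORDER[minimum_level]
    return [r for r in risks
            if LEVEL_ORDER[r.level()] >= floor and not r.safeguards]


def report(risks):
    """Render the register as report text, highest risk first."""
    lines = []
    for r in sorted(risks, key=lambda r: r.score(), reverse=True):
        lines.append(f"{r.threat}: likelihood={r.likelihood}, "
                     f"impact={r.impact}, score={r.score()} ({r.level()})")
        for s in r.safeguards:
            lines.append(f"  safeguard: {s.name} -- {s.rationale}")
        if not r.safeguards:
            lines.append("  safeguard: NONE DOCUMENTED")
    return "\n".join(lines)


# Constructed sample register (not from the article)
SAMPLE_RISKS = [
    Risk("Lost or stolen laptop holding EPHI", "medium", "high",
         [Safeguard("Full-disk encryption",
                    "Renders EPHI unreadable to anyone without the key")]),
    Risk("Credential theft against the patient portal", "high", "high",
         [Safeguard("Two-factor authentication",
                    "A stolen password alone no longer grants access")]),
    Risk("Unnoticed intrusion on the practice network", "medium", "medium"),
    Risk("Backup tape left in an unlocked drawer", "low", "low"),
]

if __name__ == "__main__":
    print(report(SAMPLE_RISKS))
    gaps = unmitigated(SAMPLE_RISKS)
    print("\nRisks still needing a documented safeguard:",
          [r.threat for r in gaps])
```

Run as written, the report lists the portal credential-theft risk first (score 9) and flags the unmonitored network intrusion as the one medium-or-higher risk with no safeguard recorded, which is exactly the gap step 2 would direct the practice to close (for example with the network monitoring the article mentions) and step 3 would require it to document.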