Although it seems everyone has their own definition of what a risk analysis/assessment should entail, HIPAA remains the ultimate authority. It defines risk analysis as “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization]” (Section 164.308(a)(1)(ii)(A)). The outcome of your risk assessment will ultimately serve as the justification for whether or not your practice implements certain “addressable” HIPAA specifications and standards (an addressable specification is one that is negotiable based on the specific needs of your practice) (45 C.F.R. 164.306). You must understand HIPAA’s definitions of the terms Vulnerability, Risk, and Threat before you can truly know what it expects of your risk assessment (pg. 3 of PDF).
Before conducting your own risk assessment, you should know the universal elements that HIPAA requires all risk analyses/assessments to include. First, the scope of the analysis must encompass “potential risks and vulnerabilities to the confidentiality, availability and integrity of all e-PHI that an organization creates, receives, maintains, or transmits” (45 C.F.R. 164.306(a)). This means that the analysis must take into consideration PHI stored on any type of device and in any location.
Next, according to HIPAA mandates for data collection, your practice must identify and document where all e-PHI is “stored, received, maintained or transmitted.” Once the location of all PHI has been determined, you should document and assess security measures that are already being employed.
Then, HIPAA mandates that a practice determine the likelihood and potential impact of threat occurrence. The security rule requires protections against “reasonably anticipated” threats, which may vary according to your location, practice size, etc. The probability of each reasonably expected catastrophe on your list should be estimated and recorded.
The potential impact of threat occurrence will depend on the type of threat and the vulnerability affected. For each listed threat, document the potential impact it would have by exploiting the various vulnerabilities in your information security plan. Note that different potential catastrophes may have the same potential impact on PHI: for example, an earthquake and a tornado may both result in physical destruction of stored data.
The last required step in a HIPAA-compliant risk analysis is to determine the level of risk “for all threat and vulnerability combinations”. This simply involves assigning logical risk levels for the likelihood of the different potential threats and the likelihood of different types of impact on PHI. Finally, your security plan/measures should be amended to focus on preventing damage from these scenarios according to their probability. Stay tuned for a sample risk analysis in Part 3.





