What is a Risk Assessment?

Video 19 of 27
1 min 22 sec

In this lesson, we'll be going over what a risk assessment is, the purpose of risk assessments, and the benefits of having one regularly. At the end of the lesson, we'll provide you with a Word about what a HIPAA risk assessment should consist of.

A risk assessment is a process that helps your business or organization identify any potential risks and analyze what could happen if a breach or mishandling of PHI or ePHI occurs.

Risk assessments are required by the Office for Civil Rights. To become compliant, you must attest to 100 questions that the OCR provides. By conducting a thorough risk assessment, you should have a better idea of the amount of a risk your business or organization has, along with your exposure of all protected health information.

Pro Tip #1: The important thing to remember is that all covered entities and business associates are required by law to conduct a risk assessment.

The goals of doing a risk assessment are understanding your vulnerabilities if any exist and the potential of a data breach. A risk assessment can help identify areas where you can better secure all types of patient health data, from ePHI to paper charts.

Pro Tip #2: All covered entities and business associates must also produce a risk report from the risk assessment. The risk report should detail the level of the risk and a remediation plan to resolve any and all risks to PHI and ePHI.

ProHIPAA recommends that all covered entities and business associates conduct an annual risk assessment to comply with all regulations and determine your level of risk from year to year. This yearly approach to risk assessments will help ensure that any changes in your business or organization haven't affected the security of the protected health information of your patients or customers.

A Word About What a HIPAA Risk Assessment Should Consist Of

The U.S. Department of Health and Human Services (HHS) acknowledges that there is no specific risk analysis methodology. This may be due to covered entities and business associates varying significantly in size, complexity, and capabilities.

However, HHS does provide an objective of a HIPAA risk assessment – to identify potential risks and vulnerabilities to the confidentiality, availability, and integrity of all PHI that an organization creates, receives, maintains, or transmits.

In order to achieve these objectives, the HHS suggests an organization should:

  • Identify where PHI is stored, received, maintained, or transmitted
  • Identify and document all potential threats and vulnerabilities
  • Assess current security measures that are currently in place to safeguard PHI
  • Assess whether the current security measures are being used properly
  • Determine the likelihood of a reasonably anticipated threat
  • Determine the potential impact of a data breach involving PHI
  • Assign risk levels for vulnerability and impact combinations
  • Document the risk assessment and take action where necessary

A HIPAA risk assessment is not a one time or singular exercise. Assessments should be reviewed periodically, and as new work practices are implemented, or new technology is introduced. HHS does not provide guidance on the frequency of reviews other than to suggest they may be conducted annually depending on an organization´s circumstances.

Do You Need a HIPAA Privacy Risk Assessment?

Due to the requirement for business associates to conduct risk assessments being introduced in an amendment to the HIPAA Security Rule, many covered entities and Business Associates overlook the necessity to conduct a HIPAA privacy risk assessment.

A HIPAA privacy risk assessment is equally as important as a security risk assessment but can be a much larger undertaking depending on the size of the organization and the nature of its business.

In order to complete a HIPAA privacy risk assessment, an organization should appoint a privacy officer who can identify organizational workflows and get a big picture view of how the HIPAA Privacy Rule will impact the organization's operations. Thereafter the privacy officer needs to map the flow of PHI both internally and externally in order to conduct a gap analysis to identify where breaches may occur.

The final stage of a HIPAA privacy risk assessment should be the development and implementation of a HIPAA privacy compliance program. The program should include policies to address the risks to PHI identified in the HIPAA privacy risk assessment and should be reviewed as suggested by the HHS as new work practices are implemented or new technology is introduced.