Medicare Compliance & Reimbursement

HIPAA:

Bolster HIPAA Risk Analysis With These Expert Tips

Use the collected information to better safeguard patients and your organization.

Though the feds provide regulations to follow and tools to utilize to help you perform a HIPAA risk analysis, there are still myriad things to consider before you even get started.

For example: The type and size of your organization or factors into how you’ll assess and identify risks — and may determine how you’ll implement the necessary changes. Plus, financial and employee constraints may impact how much of your budget or workforce will go toward your HIPAA Security Rule compliance planning and management.

“Most organizations, regardless of size, struggle to properly scope the environment they’re evaluating,” cautions Jen Stone, MCIS, CISSP, CISA, QSA, principal security analyst with Security Metrics in Orem, Utah. “Under the HIPAA Security Rule, we care most about protecting ePHI, so the scope should include anywhere ePHI is created, received, transmitted, or stored. It’s important to remember networks and systems that have the ability to communicate with the primary scope as well.”

Figure Out What Your Risks Are Before You Start Analyzing

A common theme runs through many of the HHS Office for Civil Rights (OCR) settlements, especially among data security breaches. Covered entities (CEs) or their business associates (BAs) missed opportunities to better address their vulnerabilities at various levels of assessment, logging, monitoring, and testing. Remember, before you can analyze your risks, you must collect the data and that requires mechanisms for identifying threats.

“In general, most risk analysis frameworks consist of gathering information about the data and systems being evaluated, listing the threats and vulnerabilities related to them, assigning values to the likelihood and impact of a threat successfully executing against a vulnerability, and developing a prioritized list of risks based on these inputs,” Stone says.

Mapping out an action plan will help you form the risk analysis that’s best for your organization. Moreover, outlining your objectives not only will help you improve security but will give you an idea of what the overall cost will be from the fiscal to the professional.

“The analysis needs to be deep enough to provide a view into the security evaluation, direction, necessary corrections, [and] things to be watching, so that a reasonable, prioritized, actionable list of tasks can be created,” explains Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems, LLC in Charlotte, Vermont.

Sheldon-Dean maintains that a good risk analysis provides a picture of these elements:

“a) the strength of security controls versus the threats;

b) the overall direction and momentum in improvements to security;

c) what should be done to improve security or correct deficiencies; and

d) an indication of what needs to be monitored and reviewed on a regular basis to ensure continued and improving security.”

He adds, “The issues should be sorted into a kind of a ‘fix this now,’ ‘fix this when you reasonably can,’ and ‘keep your eye on this’ set of priorities.”

Critical: Evaluating your organization’s data security and keeping up with risk analysis is just the first step. Using the information to improve data security and implement policies that safeguard ePHI is an essential step in the process, Stone says. “Unfortunately, there are organizations that perform risk analyses but fail to put measures in place to address risk. Even though it can seem overwhelming, organizations should not just have a plan to mitigate risk, they also need to work the plan,” she warns.