
Getting the Most Out of a HIPAA Risk Analysis

October 17, 2012
Seven tips on implementing an assessment and acting on the results to reduce risk

Breaches of patient data at provider organizations are an unfortunate fact of life in the healthcare industry, and the problem is growing at an alarming pace. (For more on this, see Gabriel Perna’s story on data security in the October/November issue of Healthcare Informatics, which noted that the number of patients affected by breaches over the past year doubled, from 5.4 million to 10.8 million.)

I recently had an opportunity to speak with Danny Creedon, managing director of Kroll Advisory Solutions in New York, who offered actionable advice on what healthcare providers can do to reduce their risk of breaches, which result in monetary penalties as well as damage to an organization’s reputation. “There’s a significant challenge in this new world of cyber-threats and cyber security, and it’s really important, even if you are a small organization and you are sitting on highly confidential patient and health information, that you take those threats seriously,” he says.

At a time when doctors’ offices and hospitals are digitizing their patient information, the risks to digital information are exploding, Creedon notes. “That by itself creates a risk-focused industry.” He has put together seven tips to help healthcare organizations get the most out of a Health Insurance Portability and Accountability Act of 1996 (HIPAA) risk analysis.

  • When preparing your team, cast a wide net. To get the most comprehensive assessment possible, ensure the proper stakeholders are involved. This might include subject matter experts from cross-functional areas, from IT and operations to human resources, compliance and legal, as well as other key supervisors or managers. Once you’ve identified these stakeholders, establish protocols for tasks, timelines and communication among the team so that everything runs smoothly.

Too often an organization keeps the risk assessment or compliance exercise at a non-technical level, or goes to the other extreme and uses only technical experts. Cross-organizational representation is critical, Creedon says: “You need a full spectrum of participants across the organization to be involved in the compliance exercise, because there are going to be legitimate questions about things like document retention and destruction of media, and those things that are handled at an organizational level; but there also are things like how often firewall rules are reviewed, which are completely on the other end of the spectrum as it relates to highly technical information.” The team leader should be someone with enough visibility to affect activity across the organization, such as the CIO or chief compliance officer, he says.

  • Fully scope the risk assessment. Do you know what your compliance obligations are? The HIPAA Security Rule requires “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information (EPHI) held by the covered entity.” However, if you are working on attesting to Stage 1 meaningful use, your focus will likely be narrowed to what specifically applies to your certified electronic health record (EHR) technology. For Stage 2, you will need to ensure that you have addressed encryption and/or security of data at rest. Regardless of your compliance requirements, make sure the scope of the assessment is clearly defined, and that your team understands and recognizes its focus.

Aside from meaningful use compliance, there are the broad areas of HIPAA and Health Information Technology for Economic and Clinical Health (HITECH) requirements, Creedon notes. “At a minimum, you should have a broad compliance view of how you are doing as it relates to those longstanding regulations, and then I would layer on meaningful use as you get closer to 2015,” he says.

  • Take stock of your data. One of the key components of any assessment is determining how PHI and EPHI are received, stored, transmitted, accessed or disclosed. Once you have fully scoped your assessment, you can begin gathering the relevant data. A good place to start is reviewing past or existing projects, performing interviews, reviewing documentation, or using your organization’s standard data-gathering techniques, if applicable. Be sure to include data that might be stored with a business associate or third party, or on removable media and portable computing devices. As part of the process, document the methods you used to gather EPHI or PHI.

Creedon advises establishing broad categories of information confidentiality, identifying the security procedures required for each category, and then getting more granular by assigning a category to each type of data.