The scorecard differentiates numbered safeguard components to be assessed for the organization, by department and within applications that contain ePHI. The HIMSS Risk Assessment toolkit is available at: http://www.himss.org/himss-security-risk-assessment-guidedata-collection-matrix. The tool includes NIST Special Publication 800-30 Revision 1 guidance for completing a risk assessment.
3. Determine the risk analysis frequency
One of the most prevalent challenges in complying with the HIPAA Security Rule’s risk analysis requirement is determining the frequency or triggering conditions for performing a risk analysis.
The HIPAA Security Rule and 2010 OCR risk analysis guidance state that risk analysis should be “ongoing” to document and update security measures as needed. The security rule states that continuous risk analysis should be completed to identify when updates are needed. OCR guidance notes that the frequency of performance will vary among covered entities.
Some covered entities may perform these processes annually or as needed (e.g., bi-annual or every three years) depending on circumstances of their environment. Typically, covered entities that are attesting to Meaningful Use and complying with the spirit of the security rule will conduct an annual HIPAA risk assessment.
4. Perform the risk assessment: insource or outsource
HIPAA does not specify who should perform the risk assessment. Some organizations insource, some outsource and some do both – alternating between insourcing and outsourcing. For example, an organization may hire external resources to conduct the HIPAA risk assessment every other year, and on the off year, the organization may choose to conduct it internally. Where practical, a separation of duties should exist between the HIPAA risk assessment team and the systems implementers and operations staff. Hiring an outside professional to conduct the risk analysis reduces risk by providing an impartial assessment from someone who was not involved in the implementation of your systems or the development of your policies, procedures and security controls.
5. Support cost savings without sacrificing risk assessment quality
How do you contain costs in performing a HIPAA risk analysis? Use an industry standard tool for assessment and stick with it. Industry standard tools also help to define a clear scope of effort. Organizations often become confused when they try to conduct a self-assessment using a previous year’s report prepared by an outside professional as their starting point, because that report follows the provider’s own methodology rather than a consistent, repeatable tool.
Final analysis: What could be missed, overlooked or found?
Healthcare organizations must implement strong data security safeguards. Doing so supports compliance with the HIPAA Security Rule, reduces risk and helps ensure the confidentiality, integrity and availability of the ePHI the organization creates, receives, maintains or transmits. Conducting internal risk analysis along with annual risk assessments that leverage a professional services provider every other year also reduces risk and maximizes the value of the resources engaged. Finally, leveraging an industry standard toolkit will help your organization be comfortable with conducting self-assessments on alternating years while saving time and money.
Janice Ahlstrom, R.N., director of risk, internal audit and cybersecurity, Baker Tilly
Kenneth Zoline, manager of technology risk and cybersecurity, Baker Tilly