The HIPAA Security Rule and Necessity of Risk Assessment

Risk - 2Though most would agree that risk analysis is an important consideration for any organization, HIPAA covered entities are required to conduct such risk assessment to ensure compliance with the HIPAA Security Rule. The Security Rule states that covered entities, organizations responsible for the transmission of e-PHI, must “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the organization” (§ 164.308(a)(1)(ii)(A)).

While the necessity of risk assessment is certain, the Security Rule does not specify the frequency with which assessment must occur. Instead, the Rule addresses the breadth of analysis which must be conducted. The Rule indicates some considerations for analysis which include (but are not limited to) e-PHI within the organization, external sources of e-PHI, and potential threats to information systems that contain e-PHI. The Security Rule recognizes, however, that risk assessment cannot be standardized due to each organization’s unique relationship with e-PHI.

Listed below are the “Elements of a Risk Analysis”, provided by the U.S. Department of Health & Human Services. The list is intended to aid covered entities in implementing risk analysis methodologies that will best suit their needs.

  1. Section 164.308(a)(1)(ii)(A) states: Scope of the Analysis
  2. Data Collection
  3. Identify and Document Potential Threats and Vulnerabilities
  4. Assess Current Security Measures
  5. Determine the Potential Impact of Threat Occurrence
  6. Determine the Level of Risk
  7. Finalize Documentation
  8. Periodic Review and Updates to the Risk Assessment

LaSalle Consulting Partners, Inc. is familiar with several organizations that can assist with Risk Assessments. We can help in selecting the best firm to suit your needs. We can also help you prepare for an assessment and remediate any technology related risks that are identified during an assessment. Please contact Frank Zurek at frank.zurek@lpartnersinc.com or call 312-361-3313 for further information.

LaSalle Consulting Partners, Inc.
200 W Madison St | Suite 940 | Chicago, IL 60606 | 312-361-3326