An effective HIPAA security risk assessment enables covered entities and business associates to identify threats to the confidentiality, integrity, and availability of electronic PHI, and to implement policies and procedures that prevent, detect, contain, and correct security violations.
The requirement to conduct a HIPAA security risk assessment appears in the Administrative Safeguards of the Security Rule (45 CFR §164.308). When taken out of context, the implementation specification relating to risk assessments appears limited in scope inasmuch as it requires covered entities and business associates to:
“Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”
Read in isolation, the language of the implementation specification could be interpreted as meaning that organizations only have to conduct a one-off assessment of the security of electronic PHI maintained in their systems, with no thought to how it gets into their systems, how it is used once it is there, and how it is transmitted through and out of their systems.
However, when considered with the rest of the Security Rule, a HIPAA security risk assessment is a living document that needs to be frequently updated (see §164.306(e) and §164.316(b)(2)(iii)) and frequently reviewed to determine – and adjust as necessary – the potential impact of all threat occurrences (see §164.306(b)(2)(iv)).
What Should be Included in a HIPAA Security Risk Assessment?
Because covered entities and business associates vary in size, complexity, and capabilities, there is no one-size-fits-all list of security threats and vulnerabilities to include in an assessment. However, HHS’ Office for Civil Rights (OCR) has provided guidance on how organizations can identify potential threats to the confidentiality, integrity, and availability of electronic PHI.
The guidance suggests organizations should identify all locations in which electronic PHI is stored, received, maintained, or transmitted, and identify potential threats and vulnerabilities that could result in a HIPAA violation or data breach. Thereafter, organizations should determine the likelihood of a “reasonably anticipated” threat and its potential impact.
With this information, risk levels should be assigned to each threat or vulnerability so that those considered most critical can be prioritized in remediation plans. Assessments, analyses, and remediation plans should all be documented, as should any policy changes that result from the risk assessment and any training provided on the policy changes where appropriate.
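The procedure above (inventory every location where ePHI is created, received, maintained or transmitted; pair each with reasonably anticipated threats and vulnerabilities; rate likelihood and impact; rank for remediation; keep the result current) can be kept as a small risk register. The Python below is an added example, not code from OCR or from the original page. It assumes a 3x3 qualitative likelihood/impact matrix, which OCR's guidance does not prescribe, and all locations, threats and dates in it are constructed sample data for a small clinic. Two checks are included that an assessor wants and that the regulation implies: a location with no assessed threat is a thoroughness gap, and a finding not reviewed within a year is flagged as stale.

```python
"""Minimal HIPAA risk register (illustrative, added example; sample data is constructed)."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed 3-point scales; OCR does not mandate a particular scale or matrix.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}
FLOWS = {"create", "receive", "maintain", "transmit"}  # 45 CFR 164.306(a)(1) verbs


def risk_score(likelihood: str, impact: str) -> int:
    """Product of the likelihood and impact ratings (1..9)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(likelihood: str, impact: str) -> str:
    """Map a score onto the qualitative level used to order remediation."""
    score = risk_score(likelihood, impact)
    if score >= 6:
        return "critical"
    if score >= 3:
        return "moderate"
    return "low"


@dataclass(frozen=True)
class Location:
    name: str
    flows: frozenset  # which of create/receive/maintain/transmit apply here

    def __post_init__(self):
        unknown = self.flows - FLOWS
        if unknown:
            raise ValueError(f"unknown ePHI flow(s) for {self.name}: {sorted(unknown)}")


@dataclass(frozen=True)
class Finding:
    location: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    assessed_on: date

    @property
    def level(self) -> str:
        return risk_level(self.likelihood, self.impact)


@dataclass
class RiskRegister:
    locations: list
    findings: list = field(default_factory=list)

    def coverage_gaps(self) -> list:
        """ePHI locations with no assessed threat: the assessment is not 'thorough'."""
        assessed = {f.location for f in self.findings}
        return sorted(loc.name for loc in self.locations if loc.name not in assessed)

    def prioritized(self) -> list:
        """Findings in remediation order: highest score first (stable for ties)."""
        return sorted(self.findings, key=lambda f: -risk_score(f.likelihood, f.impact))

    def stale(self, as_of: date, max_age_days: int = 365) -> list:
        """Findings not re-assessed within max_age_days (the register is a living document)."""
        cutoff = as_of - timedelta(days=max_age_days)
        return [f for f in self.findings if f.assessed_on < cutoff]


def build_sample_register() -> RiskRegister:
    """Constructed sample data for a hypothetical small clinic; not a real assessment."""
    locations = [
        Location("EHR database server", frozenset({"maintain"})),
        Location("Email gateway", frozenset({"receive", "transmit"})),
        Location("Offsite backup tapes", frozenset({"maintain"})),
        Location("Clearinghouse billing link", frozenset({"transmit"})),
        Location("Clinic workstations", frozenset({"create", "maintain"})),  # deliberately left unassessed
    ]
    findings = [
        Finding("EHR database server", "ransomware", "unpatched OS", "high", "high", date(2024, 3, 1)),
        Finding("Email gateway", "phishing", "no MFA on webmail", "high", "medium", date(2024, 3, 1)),
        Finding("Offsite backup tapes", "loss in transit", "unencrypted media", "low", "high", date(2022, 11, 20)),
        Finding("Clearinghouse billing link", "interception", "TLS 1.0 still enabled", "low", "medium", date(2024, 3, 1)),
    ]
    return RiskRegister(locations, findings)


if __name__ == "__main__":
    reg = build_sample_register()
    for f in reg.prioritized():
        print(f"{f.level:8} {f.location}: {f.threat} via {f.vulnerability}")
    print("unassessed ePHI locations:", reg.coverage_gaps())
    print("stale findings:", [f.location for f in reg.stale(date(2024, 6, 1))])
```

Run as a script it prints the ranked findings, then reports the clinic workstations as an unassessed location and the backup-tape finding as stale. The gap and staleness checks, not the arithmetic, are the point: an auditor reading the register asks exactly those two questions.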
When conducting a HIPAA security risk assessment, it is important not to limit the assessment to just the Administrative, Physical, and Technical Safeguards of the Security Rule. This is because the Security Rule’s General Requirements (45 CFR §164.306(a)) state covered entities and business associates must:
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.
(4) Ensure compliance with this subpart by its workforce.
Requirement (3) is particularly important because it obliges organizations to implement policies and procedures that prevent electronic PHI from being used or disclosed in a manner not permitted by the Privacy Rule (“subpart E”). In practice this means the assessment must also consider threats of impermissible use by authorized users, not only external attacks, and this may influence how organizations scope the assessment, identify potential threats and vulnerabilities, and remedy identified risks.
What Makes a HIPAA Security Risk Assessment Effective?
In addition to OCR’s risk assessment guidance, there are multiple sources of information about how to conduct a HIPAA security risk assessment. These range in complexity depending on an organization’s knowledge of HIPAA from the NIST Introductory Resource Guide (NIST SP 800-66) to the HITRUST Alliance Common Security Framework (HITRUST CSF).
Possibly the most valuable source with regards to making sure an assessment is effective is NIST SP 800-115, the Technical Guide to Information Security Testing and Assessment. Although not written for organizations subject to HIPAA, the Guide describes three complementary assessment methods: testing (exercising systems and controls directly), examining (reviewing documents, configurations, and logs), and interviewing (questioning the people who operate and are governed by the controls).
The inclusion of interviewing is noteworthy because, although a Security Officer may believe (for example) that an organization’s risk management and security procedures are followed by all authorized personnel, it is only by discussing those procedures with the individuals to whom they apply that the Officer can determine whether they are actually complied with in practice.
Discussing security procedures with the individuals to whom they apply also enables Security Officers to better determine the likelihood of a “reasonably anticipated” threat (for example, based on an individual’s security awareness) and which measures would best mitigate the likelihood of the threat or its consequences (for example, data loss prevention software).
Further elements of the NIST Guide include validating identified vulnerabilities through penetration testing, social engineering, and password cracking. These techniques confirm whether a vulnerability on paper is actually exploitable in the organization’s environment, which is why they belong in most HIPAA security risk assessments rather than only in an annual external audit. Additionally, a section on Security Assessment Planning can help Security Officers in unique or complex environments develop a HIPAA security risk assessment that best meets their needs.
The Failure to Assess Threats is a HIPAA Violation
The requirement to conduct a HIPAA security risk assessment is a “required” implementation specification, not an “addressable” one. This means that covered entities and business associates cannot substitute an alternative measure on the grounds that a risk assessment is unreasonable or inappropriate for their environment. Additionally, ignorance of the requirement is not regarded as a justifiable excuse for failing to conduct a HIPAA security risk assessment.
In most cases, the failure to assess threats is only discovered when a data breach occurs and the breach is investigated by OCR. In such cases, the amount of the HIPAA penalty can be increased to reflect the organization’s lack of compliance. As examples, both the Cardionet data breach settlement of 2017 and the Premera Blue Cross data breach settlement in 2020 were increased to reflect the organizations’ “disregard for security”.
However, organizations have been fined for not conducting a HIPAA security risk assessment even when no data breach occurs. This was the case in 2021 when AEON Clinical Laboratories was selected for a compliance review by OCR and was found not to have conducted a HIPAA security risk assessment, implemented risk management and audit controls, or maintained documentation of Security Rule policies and procedures. The company was fined $25,000.
Therefore, it is essential that every covered entity and business associate conducts regular HIPAA security risk assessments, documents the assessments, and reviews the assessments on a frequent basis. Organizations concerned that they may not be fulfilling the risk assessment requirements – or that their risk assessments may be ineffective – are advised to seek professional compliance advice.