HIPAA Risk Assessment and Privacy Rules


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the main Federal law that protects health information. The HIPAA Privacy and Security Rules protect the privacy and security of individually identifiable health information, and each Rule sets out detailed requirements. The privacy and security of patient health information is a top priority for patients and their families, for health care providers and professionals, and for the government. Federal law requires many of the key persons and organizations that handle health information to have policies and security safeguards in place to protect that information, whether it is stored on paper or electronically.

  • The HIPAA Privacy Rule covers protected health information (PHI) in any medium, paper, oral or electronic.
  • The HIPAA Security Rule covers only electronic protected health information (ePHI).

HIPAA Risk Assessment and Remediation Services

Under HIPAA, individually identifiable health information, together with the identifiers stored alongside it (including account and payment-card numbers tied to a patient), is Protected Health Information (PHI), and any organization that collects it must put reasonable and appropriate safeguards in place. Though the exposure to loss of sensitive data varies from company to company, performing a HIPAA risk analysis allows any organization to identify weak spots and begin making plans to secure that data.

Why HIPAA Risk Assessments are Necessary

The Department of Health & Human Services (HHS) requires every covered entity and business associate to conduct a HIPAA security risk analysis. Performing this HIPAA security assessment lets an organization check its compliance with HIPAA's administrative, physical, and technical safeguards and other requirements. Some of these safeguards and requirements include:

  • Assigned security responsibility
  • Information access management
  • Security incident procedures
  • Facility access controls
  • Device and media controls
  • Audit controls
  • Person or entity authentication
  • Requirements for group health plans
  • Policies, procedures, and documentation requirements

The full list of HHS security standards, including detailed safeguards and requirements, is published by HHS. Through performing a HIPAA security assessment, organizations can identify gaps in compliance, respond to immediate risks, and take preventative measures to protect against future risks. While the HHS Security Standards Guide outlines the components of a risk analysis, the guide can be intimidating or difficult to fully understand. Obtaining an assessment through a third party can allow an organization to see its HIPAA risks in an easy-to-approach, easy-to-understand way. Strategic Management offers assessment services that evaluate an organization's compliance with the following:

  1. HIPAA Security and Privacy Rules requirements
  2. Overall data security measures

Components of HIPAA Risk Analysis

HHS guidance requires a HIPAA Risk Analysis to include the following seven components:

  1. Scope of the Analysis. Every system an organization uses to create, receive, maintain or transmit electronic Protected Health Information (ePHI), including portable media, desktops, servers and networks, should be included in the risk analysis. This includes an overview of network security between multiple locations, since the links between sites are a common target for attackers.
  2. Data Collection and Storage. This section of the report reviews how electronic Protected Health Information (ePHI) is received, collected, and stored, and determines whether data collection and storage comply with HHS regulations.
  3. Potential Threats & Risks. This section identifies threats to, and vulnerabilities in, an organization's data management, such as network and computer-based attacks (malware, or unauthorized access to ePHI); unintentional errors (such as inadvertent or inaccurate data entry or deletion); and IT disruptions (like those due to power failures, environmental disasters, or other scenarios where access to data would be inhibited).
  4. Current Security Measures. This section reviews the security measures an organization already has in place to protect sensitive data from the identified threats and risks. These measures can be technical (such as encryption, two-factor authentication, and other technology-based controls) or non-technical (such as organizational policies, procedures, standards, guidelines, and accountability).
  5. Likelihood of Threat Occurrence. By weighing current security measures against potential threats, this section estimates how likely each threat is to exploit a vulnerability and put ePHI at risk. It rates the likelihood of each threat as high, medium, or low, giving management a clear understanding of which threats need to be addressed first.
  6. Potential Impact of Threat Occurrence. This section reviews each potential threat to explain the maximum impact of its occurrence (usually in terms of cost and lost time), how many people would be affected, and the kinds of information that would be exposed. This helps tailor the response to the kind of data involved (for example, medical records would reveal different data than billing/payment information and thus require a different response).
  7. Determine the Level of Risk. Finally, HIPAA risk management requires understanding the level of risk an organization faces. This information is determined from data produced in sections 5 and 6 of the report. The conclusions in this section can be qualitative or quantitative; the HIPAA risk analysis report does not require a specific type of conclusion, allowing the report to be tailored to the specific needs of an organization.

A properly conducted HIPAA Assessment will allow an organization's management to easily understand potential threats to sensitive data and what actions are required to reduce the risk of data loss. HHS expects organizations to repeat the risk analysis periodically. Ideally, a risk analysis will be completed whenever a company implements or plans to adopt new technology or business operations. For example, a new report should be produced when a company moves data storage from managed servers to cloud computing, or when a company experiences any ownership or key staff turnover.

HIPAA Security Assessment and HIPAA Risk Management Services

Are you wondering about your organization's data risks and in need of a current HIPAA security risk analysis? Contact the Interactive Security team at 267-824-2500 or sales@intactsec.com. We’re here to help make cybersecurity and compliance audits Obtainable, Simple and Affordable!