The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires covered entities and their business associates to conduct a risk analysis of their healthcare organizations.
A risk analysis is required to help ensure compliance with HIPAA's administrative, physical, and technical safeguards, and it can reveal areas where your organization's Protected Health Information (PHI) could be at risk. One example of a vulnerability is a flaw in building design, workflow, or network infrastructure that could lead to PHI being lost or stolen. Risk assessments should be ongoing and periodically reviewed to evaluate the effectiveness of the security measures.
Who must follow HIPAA? The Security Rule applies to health plans, health care clearinghouses, and any health care provider who transmits health information. Examples of covered entities include health care providers, doctors, clinics, hospitals, nursing homes, and pharmacies. HIPAA also applies to business associates that require access to PHI on a routine basis.
Security standards require covered entities to implement safeguards that ensure the confidentiality, integrity, and availability of PHI. HIPAA requires physical, technical, and administrative safeguards to be implemented; however, HIPAA is not technology-specific, and the exact safeguards to implement are left to the discretion of the covered entity.
What is considered PHI under HIPAA? There are 18 identifiers that make health information PHI:
1) Names
2) Dates, but not year
3) Phone numbers
4) Email address
5) Geographic information
6) Fax numbers
7) Social Security Numbers
8) Certificate/license numbers
9) Vehicle identifiers and serial numbers such as license plates
10) Medical record numbers
11) Account numbers
12) Health plan beneficiary numbers
13) Internet protocol addresses
14) Website URLs
15) Device identifiers and serial numbers
16) Full face pictures and other identifying images
17) Biometric identifiers (such as retinal scans and fingerprints)
18) Any unique identifying code or number
The Department of Health & Human Services (HHS) defines a risk analysis as an "accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information held by the covered entity or business associate" and requires covered entities to protect against reasonably anticipated threats to the security of PHI. Although the HHS Office for Civil Rights (OCR) does not specify an exact risk analysis procedure, it does issue periodic guidance and requires certain elements to be present in the risk analysis, such as:
· Scope analysis
· Data collection
· Vulnerabilities/threat identification
· Assessment of current security measures
· Likelihood of threat occurrence
· Potential impact of threat
· Risk Level
· Periodic review/update as needed
The penalties for willful neglect are increased under the HIPAA Health Information Technology for Economic and Clinical Health (HITECH) Act; these penalties can extend up to $250,000, with repeat or uncorrected violations extending up to $1.5 million. Under certain conditions, HIPAA's civil and criminal penalties now extend to business associates.
Examples of common places where PHI is stored:
· Calendar software
· EHR/EMR systems
· Filing cabinets
· Mobile devices
It can be difficult to find every weakness in your organization on your own. To discover and address weaknesses in your systems, you may consider internal vulnerability scanning, external network penetration testing, and gap analysis consultation. If you need assistance with risk analysis and compliance, have other outstanding projects, or are seeking a proactive IT provider, please feel free to contact us for a complimentary assessment.
Call: +1 (619) 330-6043