A HIPAA Risk Assessment is Mandatory: How to Avoid Audit Troubles

As a professional in the healthcare field, you are obviously very familiar with HIPAA, that ever-present reminder that data security is an issue always running in the background behind every activity in a medical professional’s workplace, as well as in almost every supporting business that works with them. Everyone who works with protected health information (PHI) is aware that they are responsible for keeping that data secure. HIPAA is a few decades old, so the revelation that regulations exist to cover data security is not exactly news.

However, what may not be as clear to many who are covered by this law is that they are responsible not just for avoiding a breach; they are responsible for showing that they have actively assessed the risks of a data breach and have taken precautions to eliminate, or at least mitigate, those risks. In other words, an organization can be fined for failing to do its due diligence and do as much as possible to recognize where a data breach could occur. That is, it can be fined even if no data has been breached, if it has allowed a situation to develop that creates vulnerability. HIPAA requires that organizations conduct a thorough risk assessment to protect their data.

This guide will argue that successful adherence to HIPAA regulations depends on an aggressive, proactive risk assessment. To truly be in compliance, you must have a person or persons tasked with assessing all potential data breach risks. The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996 and includes provisions requiring that an individual’s personal health information remain secure and confidential. The 1996 law was reinforced by the passage of the HITECH Act in 2006, which addressed the risks created by the use of electronic medical records. As healthcare organizations keep moving to electronic record keeping, the threats to data security grow. In addition, the 2006 law significantly increased the fines and penalties for HIPAA violations.

Basically, HIPAA does four things that affect every person or organization who comes into contact with an individual’s healthcare data.
  1. HIPAA creates a right for patients to have the privacy of their healthcare data maintained and secured;
  2. HIPAA creates security regulations regarding all Protected Health Information and electronic Protected Health Information;
  3. HIPAA requires enforcement;
  4. HIPAA requires notification of the appropriate agencies and affected individuals in the case of a data breach.

The second of these is the requirement that specific security protocols be in place to protect PHI data.

However, before getting into the issue of protecting data, we need to understand exactly what data HIPAA seeks to protect.

Protected Health Information

HIPAA acts to regulate and secure what is known as Protected Health Information (PHI), sometimes known as Individually Identifiable Health Information (IIHI). With the HITECH Act, PHI now also includes electronically stored and maintained PHI, known simply as ePHI.

PHI and ePHI are any data, or combination of data, that can be used to identify an individual. It doesn’t take much for information to qualify as PHI. Just a few examples of what constitutes PHI: a driver’s license number, license plate numbers, photos, names of relatives, identified test results, Social Security numbers, medical ID numbers, age, voicemail, URLs, telephone numbers, email and postal addresses, and medical images. In other words, almost everything collected by a healthcare organization falls under the protections of HIPAA. More importantly, any outside organization that provides services to health-related organizations is also in “possession” of PHI. As a result, any organization that comes into contact with PHI, no matter how tangentially, is covered by HIPAA. Such organizations are responsible for maintaining PHI security and are subject to fines and penalties if PHI is breached. Additionally, they are now required to do a HIPAA risk assessment of all of their vulnerabilities and map out how they will work to eliminate or mitigate those vulnerabilities.

HIPAA’s requirement to secure that data: It’s not simple.

The process of determining all of your possible data security vulnerabilities is known as a risk assessment. Simply put, a HIPAA risk assessment should determine whether your organization is in compliance with all of the privacy, security and breach notification requirements of HIPAA. This is achieved through the risk assessment process, the goal of which is to identify all potential areas of vulnerability. Given that so much data is now stored electronically, the risk of a data breach is considerably higher, and security is far more complex.

It needs to be noted that ignorance of any particular part of the HIPAA regulations is not an excuse for non-compliance. Most importantly, failure to do a risk assessment, or having conducted an inadequate risk assessment that failed to identify specific vulnerabilities, is in and of itself a fineable offense. Failure to identify a potential risk does not have to be willful to be subject to penalties.

Who must do a Risk Assessment?

The reach of the HIPAA risk assessment requirement has been expanded and now covers almost any entity that touches PHI. In HIPAA jargon, both Covered Entities and Business Associates are now required to conduct a risk assessment. Covered Entities (CE) were the focus of the original 1996 law. These are entities that, in the normal conduct of business, create, maintain, directly access and/or transmit PHI and ePHI. Examples of these entities are healthcare providers, clearinghouses, insurance plans, and employers who self-insure. Since then, updates to the law have expanded its regulatory coverage to include Business Associates (BA). BAs are those entities which come into contact with PHI through their association with a CE. This expansion to BAs consequently pulls in a wide swath of organizations previously uncovered. Examples could be law firms and accounting firms that provide services to a CE. Other examples might include IT contractors, managed service providers, billing firms, data storage centers, video and audio conferencing services, and even email servers. No matter how oblique their contact with PHI, even if it is only in the aggregate, BAs are now required under the HITECH Act to conduct a HIPAA risk assessment, and they are also subject to penalties.

What is a Risk Assessment?

First of all, a general observation is in order: a HIPAA risk assessment is not a simple project. In particular, because of the unique vulnerabilities of electronically stored and transmitted data, a professional in cybersecurity, data protection and data backups should be handling your risk assessment. To give an idea of the complexity, below is a quick list of what a risk assessment entails.

A risk assessment should first determine where PHI resides, moves or is transmitted, and all of the access points. For example, who in an office has access to patient data, and via what media? (Interestingly, the rise of mobile devices has created a new area of concern for data security, because medical professionals now access data on their phones and tablets.)

Second, it should determine the vulnerabilities along all of these touchpoints. That means identifying the threats to data security, which HHS summarizes in four categories:

  1. Unauthorized (malicious or accidental) disclosure, modification, or destruction of information
  2. Unintentional errors and omissions
  3. IT disruptions due to natural or man-made disasters
  4. Failure to exercise due care and diligence in the implementation and operation of the IT system.

(More info: https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html)

Third, a risk assessment will need to identify and evaluate all of the existing security protocols to protect PHI.

Fourth, determine whether these tools are sufficient for data protection, and whether the protocols and safeguards are actually being observed. Security protocols that are not observed aren’t security protocols.

Fifth, estimate the likelihood of each threat. In other words, not all risks are equally likely. Since there are limits to an organization’s capacity to eliminate risk, the focus should be on those risks with a higher probability of occurrence.

Sixth, estimate the likely consequences of a breach of PHI. If a breach occurs at any particular touchpoint, how severe would it be? Would it release a single piece of PHI, or one affecting thousands of individuals?
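As an added illustration of the six steps just listed, here is a small risk register in Python. It is example code written for this edit, not part of the original article and not any vendor's or HHS's tooling. The touchpoints, safeguards and scores in it are constructed sample data, and the 1-to-5 likelihood and impact scales, the "reduction" a safeguard earns, and the likelihood-times-impact score are assumptions chosen for illustration. The part worth noticing is step four: a safeguard that exists on paper but is not observed earns no credit and is reported as a gap.

```python
"""Added example, not code from the original article: a minimal risk register
that carries the six assessment steps described above over constructed
sample data. Scales and scoring are assumptions chosen for illustration."""
from dataclasses import dataclass, field

# The four HHS threat categories the article quotes.
THREAT_CATEGORIES = (
    "unauthorized disclosure, modification or destruction",
    "unintentional errors and omissions",
    "IT disruption from natural or man-made disaster",
    "failure to exercise due care in IT operation",
)


@dataclass
class Safeguard:
    """Step 3: an existing protocol. Step 4: it only counts if it is observed."""
    name: str
    observed: bool
    reduction: int  # likelihood points removed when observed (assumed scale)


@dataclass
class Touchpoint:
    """Step 1: a place where PHI resides, moves or is transmitted."""
    name: str
    who_has_access: list
    threat: str          # step 2: one of THREAT_CATEGORIES
    likelihood: int      # step 5: 1 (rare) .. 5 (near certain), before safeguards
    impact: int          # step 6: 1 (one record) .. 5 (thousands of records)
    safeguards: list = field(default_factory=list)

    def __post_init__(self):
        if self.threat not in THREAT_CATEGORIES:
            raise ValueError(f"unknown threat category: {self.threat}")
        for v in (self.likelihood, self.impact):
            if not 1 <= v <= 5:
                raise ValueError("likelihood and impact must be on a 1-5 scale")

    def residual_likelihood(self):
        """Only observed safeguards reduce likelihood; never below 1."""
        credit = sum(s.reduction for s in self.safeguards if s.observed)
        return max(1, self.likelihood - credit)

    def risk_score(self):
        """Assumed scoring: residual likelihood times impact (1..25)."""
        return self.residual_likelihood() * self.impact

    def unobserved_safeguards(self):
        """Step 4 finding: protocols on paper that nobody follows."""
        return [s.name for s in self.safeguards if not s.observed]


def rank_touchpoints(register):
    """Highest residual risk first; ties broken by impact (breach severity)."""
    return sorted(register, key=lambda t: (t.risk_score(), t.impact), reverse=True)


def assess(register):
    """Produce the ranked findings an assessor would hand to management."""
    return [
        {
            "touchpoint": t.name,
            "threat": t.threat,
            "score": t.risk_score(),
            "gaps": t.unobserved_safeguards(),
        }
        for t in rank_touchpoints(register)
    ]


def build_sample_register():
    """Constructed sample data for a small practice; not from any real assessment."""
    return [
        Touchpoint("EHR database server", ["clinicians", "DBA"], THREAT_CATEGORIES[0],
                   likelihood=4, impact=5,
                   safeguards=[Safeguard("full-disk encryption", True, 1),
                               Safeguard("quarterly access review", False, 2)]),
        Touchpoint("clinician tablets", ["clinicians"], THREAT_CATEGORIES[0],
                   likelihood=4, impact=3,
                   safeguards=[Safeguard("MDM with remote wipe", True, 2)]),
        Touchpoint("billing vendor file transfer", ["billing staff", "vendor"],
                   THREAT_CATEGORIES[1], likelihood=3, impact=4,
                   safeguards=[Safeguard("transfer checklist", True, 1)]),
        Touchpoint("offsite backup tapes", ["courier", "IT"], THREAT_CATEGORIES[2],
                   likelihood=2, impact=5),
    ]


if __name__ == "__main__":
    for row in assess(build_sample_register()):
        gaps = ", ".join(row["gaps"]) or "none"
        print(f"{row['score']:>2}  {row['touchpoint']:<30} unobserved: {gaps}")
```

Run as a script it prints the register ranked from highest to lowest residual risk; in the sample data the EHR server tops the list with a score of 15 because its access review, the safeguard that would have lowered it, is not being observed, and the unprotected backup tapes outrank the tablets despite a lower raw likelihood because a tape loss would expose thousands of records.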

In short, this quick summary should make it clear that a thorough and supportable HIPAA risk assessment is a complex and involved process, even for a BA with minimal data contact. With the dominance of digitally stored, maintained and transmitted data, this assessment should only be handled by a thoroughly experienced data professional. Organizations that wish to avoid penalties as a result of an audit should contact a professional IT service provider with experience in the field of healthcare data security and the specifics of a HIPAA risk assessment.

How is your state of IT? Call Us: (855) 551-7760 with any questions.