HIPAA Security Risk Analysis
The Health Insurance Portability and Accountability Act (HIPAA) security rule requires that covered entities conduct an accurate and thorough assessment of risks and vulnerabilities to the confidentiality, integrity, and availability of electronic patient health information (ePHI). A security risk analysis (SRA) helps to ensure an organization is compliant with HIPAA’s administrative, physical, and technical safeguards. An SRA also helps reveal areas where an organization’s ePHI could be at risk.
Completing an SRA and correcting any deficiencies are requirements for many incentive programs such as the Quality Payment Program and the Promoting Interoperability Program (formerly Meaningful Use). Additionally, in May of 2021, The Office of the Inspector General (OIG) announced it would audit the U.S. Department of Health and Human Services (HHS) to determine whether HHS’s Office of Civil Rights (OCR) has performed periodic audits of hospitals to assess compliance with HIPAA Security, Privacy, and Breach Notification rules and determine whether these audits effectively assessed ePHI protections.
- Administrative, physical, and technical assessment
- Utilization of the guidelines in the National Institute of Standard and Technology (“NIST”) SP 800-30
- Conduct an accurate and thorough analysis of the potential risks and vulnerabilities
- A basic set of customizable security policies
- Vulnerability Scan
- Phishing Campaign
- Remediation list with recommendations
- Business Associate Agreement review and log
- Remediation assistance provided upon request
Not all breaches are preventable, but the best first step a facility can take is to take a deep dive into its security posture and self-identify where they are vulnerable before that vulnerability is exploited.