Conduct a HIPAA Security Risk Analysis and Implement Appropriate Safeguards
For healthcare providers, security breaches involving protected health information (PHI) have become common occurrences. Many of these security breaches involve stolen laptops or other portable electronic devices, including CDs, DVDs, and USB flash drives. According to HIPAA, covered entities must ensure appropriate safeguards are in place to protect ePHI.
In addition, a risk analysis must be conducted to identify and implement the appropriate safeguards. There are 9 essential elements to incorporate into a risk analysis:
- Scope of the Analysis: Review all ePHI created, received, maintained, or transmitted by your organization.
- Data Collection: Gather and document the data on ePHI gathered using the methods above.
- Identify and Document Potential Threats: Identify and document any potential threats and vulnerabilities associated with ePHI.
- Assess Current Security Measures: Assess and document the current security measures used to protect ePHI.
- Determine the Likelihood of Threat Occurrence: Consider the likelihood of potential risks to ePHI.
- Determine the Potential Impact of Threat Occurrence: Consider the impact of potential risks to confidentiality, integrity, and availability of ePHI.
- Determine the Level of Risk: Analyze the likelihood of threat occurrence and the resulting impact to determine the level of risk.
- Finalize Documentation: Document the risk analysis from beginning to end.
- Review and Update the Risk Assessment: Update and document the risk analysis process on a regular basis.
Once you’ve conducted a risk analysis, start implementing appropriate security measures to protect ePHI and mitigate the risk of a security breach. Here’s a few examples of appropriate safeguards:
- Require two-factor authentication to gain remote access to systems containing ePHI.
- Enforce session termination on inactive portable or remote devices.
- Install and update anti-virus software on portable or remote devices.
- Install firewalls on laptops that store ePHI.
- Encrypt ePHI stored on laptops and other devices.
- Password protect all laptops or portable devices containing ePHI.
- Establish remote access roles specific to business requirements.
- Implement strong encryption for transmission of ePHI.
To learn more about the elements of a HIPAA security risk analysis, give us a call at (415) 963-9900 or send us an email at firstname.lastname@example.org. Tech Officers can help you conduct a thorough risk analysis and implement appropriate safeguards to protect ePHI.