All risk assessments, HIPAA-related policies and the reasons why addressable safeguards have not been implemented must be chronicled in case a breach of PHI occurs and an investigation takes place to establish how the breach happened. Each of the HIPAA requirements is explained in further detail below. Businesses unsure of their obligation to comply with the HIPAA requirements should seek professional advice.
What should a Risk Assessment consist of?
Throughout the HIPAA regulations, there is a lack of guidance about what a HIPAA risk assessment should consist of. OCR explains the failure to provide a “specific risk analysis methodology” is due to Covered Entities and Business Associates being of different sizes, capabilities, and complexity.
However, OCR does provide guidance on the objectives of a HIPAA risk assessment:
- Identify the PHI that your organization creates, receives, stores and transmits – including PHI shared with consultants, vendors and Business Associates.
- Identify the human, natural and environmental threats to the integrity of PHI – human threats including those which are both intentional and unintentional.
- Assess what measures are in place to protect against threats to the integrity of PHI, and the likelihood of a “reasonably anticipated” breach occurring.
- Determine the potential impact of a PHI breach and assign each potential occurrence a risk level based on the average of the assigned likelihood and impact levels.
- Document the findings and implement measures, procedures, and policies where necessary to tick the boxes on the HIPAA compliance checklist and ensure HIPAA compliance.
- The HIPAA risk assessment, the rationale for the measures, procedures and policies subsequently implemented, and all policy documents must be kept for a minimum of six years.
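As an added illustration (not part of the original article or any OCR tool), the following Python risk register applies the objectives above: each finding records the PHI asset, the threat, the measures already in place, and a risk level computed as the average of the assigned likelihood and impact levels; the report carries a six-year retention date and flags findings where a required safeguard is missing or an addressable safeguard was skipped without the written rationale the page says must exist. The numeric level mapping and the sample findings are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
LEVELS = {"low": 1, "medium": 2, "high": 3}  # assumed numeric mapping for the three levels
RETENTION_YEARS = 6  # assessment, rationale and policy documents kept at least this long

@dataclass
class Finding:
    phi_asset: str       # PHI created, received, stored or transmitted (incl. shared with vendors)
    threat: str          # human (intentional or not), natural or environmental threat
    controls: list       # measures already in place against this threat
    likelihood: str      # low / medium / high
    impact: str          # low / medium / high
    safeguard: str       # "required" or "addressable"
    implemented: bool
    rationale: str = ""  # written reason an addressable safeguard was skipped or replaced

def risk_level(likelihood: str, impact: str) -> float:
    # Risk level is the average of the assigned likelihood and impact levels.
    return (LEVELS[likelihood] + LEVELS[impact]) / 2

def retain_until(assessed_on: date) -> date:
    # Six-year minimum retention; 29 February may not exist in the target year.
    try:
        return assessed_on.replace(year=assessed_on.year + RETENTION_YEARS)
    except ValueError:
        return assessed_on.replace(year=assessed_on.year + RETENTION_YEARS, day=28)

def assess(findings: list, assessed_on: date) -> dict:
    # Score every finding and flag gaps in the documentation an investigator would ask for.
    entries, gaps = [], []
    for f in findings:
        entries.append({"asset": f.phi_asset, "threat": f.threat, "controls": f.controls,
                        "risk_level": risk_level(f.likelihood, f.impact)})
        if not f.implemented and f.safeguard == "required":
            gaps.append(f"required safeguard not implemented: {f.phi_asset} / {f.threat}")
        elif not f.implemented and not f.rationale.strip():
            gaps.append(f"addressable safeguard skipped with no written rationale: "
                        f"{f.phi_asset} / {f.threat}")
    return {"assessed_on": assessed_on, "retain_until": retain_until(assessed_on),
            "findings": entries, "gaps": gaps}

# Constructed sample register for illustration; not real findings.
SAMPLE = [
    Finding("EHR database", "workforce member viewing records without need",
            ["role-based access", "access audit logs"], "medium", "high", "required", True),
    Finding("Backup tapes shipped to offsite vendor", "loss in transit", ["signed BAA"],
            "low", "high", "addressable", False,
            "Legacy tape drives cannot encrypt; bonded courier and tamper-evident cases used."),
    Finding("Clinician laptops", "theft of unencrypted device", [], "medium", "medium", "addressable", False),
]
```

Calling `assess(SAMPLE, date(2024, 3, 1))` returns the scored findings, a retention date of 2030-03-01, and one gap for the laptop finding, whose addressable safeguard was skipped with no rationale recorded.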
As mentioned above, a HIPAA risk assessment is not a one-time requirement, but a regular task necessary to ensure continued compliance. The HIPAA risk assessment and an analysis of its findings will help organizations to comply with many other areas on our HIPAA compliance checklist and should be reviewed regularly when changes to the workforce, work practices or technology occur.
Depending on the size, capability, and complexity of a Covered Entity, compiling a fully comprehensive HIPAA risk assessment can be an extremely long-winded task. There are various online tools that can help organizations with the compilation of a HIPAA risk assessment although, due to the lack of a “specific risk analysis methodology”, there is no “one-size-fits-all” solution.
The OCR pilot audits identified risk assessments as the major area of Security Rule non-compliance. Risk assessments are going to be checked thoroughly in the second phase of the audits not just to make sure that the organization in question has conducted one, but to ensure they are comprehensive and ongoing. A risk assessment is not a one-time requirement, but a regular task necessary to ensure continued compliance.
The difference between the “required” safeguards and the “addressable” safeguards on the HIPAA compliance checklist is that “required” safeguards must be implemented, whereas there is a certain amount of flexibility with “addressable” safeguards. If it is not reasonable to implement an “addressable” safeguard as it appears on the HIPAA compliance checklist, Covered Entities have the option of introducing an appropriate alternative, or of not introducing the safeguard at all.
That decision will depend on factors such as the entity’s risk analysis, risk mitigation strategy and what other security measures are already in place. The decision must be documented in writing and include the factors that were considered, as well as the results of the risk assessment, on which the decision was based.