HIPAA tips: understanding risk analysis and risk management

In our last blog post, we discussed the individual’s right of access to their healthcare records and what you could do to ensure you were correctly informing your patients and clients of their rights. In today’s post, we’ll talk about the importance of risk analysis and risk management. The 2016–2017 HIPAA audits industry report revealed that of the audited entities, only a small percentage of covered entities (14 percent) met the requirements for safeguarding electronic protected health information (ePHI) through risk analysis. And 94 percent of covered entities failed to implement the HIPAA Security Rule requirements for risk management that would reduce risks to a reasonable level. 

In this post, we’ll explain what risk analysis and risk management are and what you can do to ensure that you’re adequately protecting your clients’ ePHI.

What is risk analysis?

Risk analysis involves identifying a practice’s digital assets, including all ePHI created, maintained, received, or transmitted by the practice and identifying the risks and vulnerabilities posed to the confidentiality, integrity, and availability of that ePHI. As part of completing a risk analysis, you will also rate the risks and vulnerability by considering their likelihood of occurring and their impacts on the practice. This rating will give you an idea of where to focus your risk management efforts.  

Common problems

As mentioned earlier, few of the audited practices referred to in the report were adequately conducting risk analysis. Here are some of the most common problems that were identified:

• Failure to properly identify ePHI
• Failure to properly identify and rate the risks and vulnerabilities
• Failure to develop, maintain, and update the policies and procedures for risk analysis
• Practices often relied on third-party security vendors that didn’t conduct risk analyses or develop policies and procedures for specific practices

Risk analysis - what you can do 

Completing a risk analysis (or risk assessment) might sound intimidating, but it doesn’t have to be, and you don’t have to do it all in a day. A good risk analysis plan is easy to follow and allows you to go through the steps when you have time. Here are some of the things you can do and resources you can use to get the job done in a timely manner.

• Develop policies and procedures for completing the risk analysis. Spell out exactly how you plan to conduct your risk analysis and update your policies and procedures as your practice changes.
• Conduct the risk analysis. See the resources below for useful guides on how to do this.
• If you’ve already conducted a risk analysis for your practice, review it and make any necessary updates. This is especially important now since there have been so many recent changes to the healthcare environment due to the pandemic.

Resources

• The ONC/OCR Security Risk Assessment Tool is a downloadable tool to help healthcare practices conduct a security risk analysis as required by the HIPAA Security Rule
• Hushmail’s blog post Is your new virtual practice secure? Conduct a risk assessment. explains the steps of a risk analysis and includes a downloadable guide

What is risk management?

Risk management comes after you’ve conducted the risk analysis and identified all of your digital assets, including your ePHI, and their risks and vulnerabilities. As stated in the 2016–2017 HIPAA audits industry report, risk management is the “implementation of security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.” 

Common problems

Most of the audited covered entities (94 percent) failed to properly implement risk management processes that would protect their digital assets and their clients’ and patients’ ePHI. Here are some of the common oversights:

• Entities completely failed to provide appropriate technical safeguards to protect ePHI
• Policies and procedures showed a lack of understanding of what was necessary to mitigate the risks and vulnerabilities to ePHI
• Entities focused only on one type of ePHI (such as ePHI handled by an EHR) and failed to assess or mitigate risk to other forms of ePHI
• Entities failed to update their risk management plan

Risk management - what you can do 

Once you’ve conducted your risk analysis, you’ll see the areas that are in need of additional attention. You can then take remedial steps such as:

• Documenting your security policy and procedures
• Conducting regular staff trainings on your practice’s security policy and procedures
• Using encryption where appropriate
• Obtaining signed BAAs from all third-party service providers that handle your practice’s digital assets, including its ePHI
• Strengthening passwords and/or subscribing to a reliable password manager

Resource

Hushmail partner Person Centered Tech offers training on risk analysis and risk mitigation (management).

Risk Analysis and Risk Mitigation HIPAA Security Module

Sign up for a secure email and web form service

One of the best ways to protect the ePHI in your communications with clients is to use an encrypted, HIPAA-compliant email and web form service. Hushmail for Healthcare was developed specifically for healthcare practitioners and comes with a signed BAA.