According to the Department of Health and Human Services (HHS), every covered entity must carry out a HIPAA risk analysis. It is one of the first and most important steps toward HIPAA compliance. HHS guidance describes nine elements of this analysis, which every healthcare organization, and every organization that creates, receives, maintains or transmits protected health information (PHI) electronically on its behalf, needs to follow.
1. Cover all potential risk factors:
Define the scope so that every risk to electronic PHI is analysed. This includes all electronic media on which PHI is stored or processed, and the network connections between different locations. Any hosting arrangement with a business associate is also in scope.
2. Collection and location of the data:
The organization must identify where PHI is collected, where it is stored, and how it moves between systems. If it is held at a data centre, the organization needs to confirm that the data centre follows all applicable guidelines, and every detail must be documented.
3. Documentation of potential threats and vulnerabilities:
The organization must identify the points at which PHI could be disclosed or lost, distinguishing the threats (for example theft of a device, malware, or an insider) from the vulnerabilities they could exploit (for example a missing patch or weak access control). These weaknesses need to be documented so that appropriate measures can be taken.
4. Assessment of current security measures:
Check and assess all the security measures already in place. This includes authentication and access controls, encryption of data at rest and in transit, and every other control used to keep the data secure, together with whether each control is actually configured and used as intended.
5. Determination of the likelihood of a threat:
Here the entity needs to estimate how likely each identified threat is to occur and to exploit a given vulnerability. It needs to analyse, for each one, the probability of data theft or data loss.
6. Determination of the impact of the threat:
The organization needs to determine what the impact would be if each threat were realised. It can use qualitative methods (such as high, medium and low ratings) or quantitative methods (such as estimated cost) to measure the degree of impact.
7. Determination of the level of risk involved:
The entity combines the likelihood and the impact of each threat to assign a level of risk. This ranking shows which risks must be remediated first and how the results should shape the organization's compliance policies and procedures.
8. Documentation:
The organization needs to keep in mind that all of these details must be thoroughly documented. HHS prescribes no specific format, but the analysis must be recorded in writing, retained, and made available to HHS on request, for example during an audit or investigation.
9. Review and updates:
It is important for the organization to understand that this is an ongoing process. Completing the written analysis does not mean the job is done. The analysis needs to be reviewed periodically, and whenever the environment changes (new systems, new business associates, or a security incident); any updates must be documented and retained alongside the original.
The HIPAA risk analysis is a crucial step. All the organizations concerned need to take it seriously and analyse every aspect in order to avoid problems at a later stage. They should keep in mind that threats left unaddressed at an early stage can lead to serious consequences, both for the patients whose data is exposed and for the organization's compliance position.