HIPAA Security Risk Assessment?
A federal HIPAA security risk assessment is an tool of a health provider’s and business associates’ compliance with the HIPAA Security Rule.
The U.S. Department of Health and Human Services’ (HHS) Office for Civil rights (OCR) administers the HIPAA Security Rule to ensure that patient health information (PHI) remains secure while also enabling healthcare providers to use the latest technologies.
The HIPAA Security Rule comprises three areas:
Administrative safeguards
- Security management process
- Assigned security responsibility
- Workforce security
- Information access management
- Security awareness and training
- Security incident procedures
- Contingency plans
- Evaluation
- Business associate contracts and other arrangements
Physical safeguards
- Facility access controls
- Workstation use and security
- Device and media control
Technical (cyber) safeguards
- Access controlsconcerns
- Audit controls
- Integrity
- Person or entity authentication
- Transmission security
HIPAA security risk assessment covers…
A HIPAA security risk assessment or gap assessment assesses your compliance with the administrative, physical, and technical safeguards listed above.
The supporting risk analysis should identify risks, potential risks, vulnerabilities, and potential threats, and assess how well the safeguards you have in place address them. Your risk analysis should include the following
Scope of the analysis
- Data collection
- Vulnerabilities/threat identification
- Assessment of current security measures
- Likelihood of threat occurrence
- Potential impact of threat
- Risk level
- Periodic review
