Thursday, October 9, 2014

The HIPAA Risk Assessment

By: Phyllis Drummond, Risk Management Specialist, NORCAL Mutual

Meaningful use. The Affordable Care Act. Laws and regulations continue to mount as clinical and administrative mandates multiply. Most recently, the Department of Health and Human Services (DHHS) unveiled additional requirements to existing HIPAA Privacy and Security Rules. Within this regulatory environment, it is important that providers are able to create and follow processes for investigation of possible breaches, and that they develop a breach notification policy.

In order to facilitate compliance with the HIPAA Security Rule, the DHHS has supplied education and assessment resources for covered entities. These can be found in various locations, including the DHHS website: (accessed 3/4/14)

Guidance on preparing for and conducting a risk assessment can be found at:

The HIPAA Privacy Risk Assessment

In the broadest sense, the risk assessment is an evaluation of the potential risks associated with how an organization collects, manages, uses and discloses its protected health information (PHI). Gap analysis refers to evaluating the organization's information-handling practices in light of the requirements of HIPAA, as well as identifying gaps between current and required practices. Covered entities are required by the HIPAA Security Rule to complete a risk assessment and to create a HIPAA Security Rule Risk Management Program based on their findings.

Conducting an analysis helps covered entities identify potential weaknesses in their privacy and security practices that can subject them to breaches in patient confidentiality or invasions of privacy. Gaps in systems and processes can lead to unintended release of PHI, loss of vital data, or inappropriate alteration of data. Finding these gaps and addressing them will help mitigate liability risk for patient confidentiality breaches, as well as assure that the organization is maintaining compliance with HIPAA and HITECH regulations. Avoidance of increasing fines associated with many breaches is also top of mind when addressing gaps.

Covered entities may choose to conduct their own risk assessment. They know their systems and processes best and usually have the in-house expertise and experience to conduct such an assessment. One individual, such as the Compliance Officer, the Chief Information Officer (CIO), or the Information Technology (IT) Director, can do this. A team approach, often found to be more comprehensive, may include the organization's Risk Manager. It may also include department heads such as directors of Health Information Management, Pharmacy and Lab Services, Clinic or Practice Manager, and/or other key personnel whose responsibilities include managing patient information.

Covered entities may wish to hire a professional with expertise in laws and regulations pertaining to privacy and security practices. This will ensure an objective point of view and will add insight not readily available within a covered entity. Many consultants and vendors can be found with a simple online search. The covered entity might conduct a HIPAA-specific analysis, primarily to meet the analysis requirements, or may wish to take a broader approach and also assess the organization's vulnerability and system weaknesses not addressed by HIPAA requirements.

According to the American Health Information Management Association (AHIMA), some of the goals for an information management assessment (HIPAA and broader) may include: 

  • Identify all areas of noncompliance with HIPAA requirements (technical, procedural, training, administrative, etc.; this is known as gap analysis) 
  • Evaluate weaknesses that have led to past breaches of confidentiality, as documented through claims, lawsuits, occurrence or incident reports, and patient and family complaints or concerns 
  • Identify computerized and paper-based health information system vulnerabilities beyond the scope of HIPAA; e.g. licensing violations, cultural factors predisposing the system to problems, etc.
  • Establish an up-to-date inventory of all hardware and software resources 
  • Map the internal and external flow of protected health information

More information may be found at the AHIMA website: (accessed 3/4/14)

AHIMA recommends evaluating various approaches to the privacy and security risk assessment, and determining what is likely to work best in your organization. Numerous web-based resources are provided in the article referenced above. These resources include sample checklists and tools for conducting an internal privacy risk assessment.

The Department of Health and Human Services website offers a 7-part series on HIPAA Security, beginning with a primer on HIPAA security for covered entities. The series includes detailed information on administrative, physical and technical safeguards. It also stipulates requirements for organizational policies and procedures related to privacy and security, as well as an entire chapter on the basics of risk analysis and risk management. These resources can be found at:

A variety of sample assessment tools can also be found at the following resources:

• ECRI Healthcare Risk Control:


How Can NORCAL Mutual support your practice’s ability to manage risk in the areas of privacy and security?

We can offer advice to policyholders on practices or policies that may impact the security of their patients' protected health information.

In the event of a possible breach, NORCAL Mutual can provide assistance on how best to handle the situation, as well as information regarding the prevention of future breaches.

Cyber Liability: Reminder

NORCAL Mutual provides cyber liability coverage. For details on this coverage, contact NORCAL Mutual or your agent/broker.

To discuss risk management concerns regarding privacy and/or security, call our Risk Management department at 855.882.3412

To report a potential breach, call our Claims department at 844.4NORCAL

Copyright 2014 NORCAL Mutual Insurance Company. All rights reserved. This material is intended for reproduction in the publications of NORCAL-approved producers and sponsoring medical societies that have been granted prior written permission. No part of this publication may be otherwise reproduced, edited or modified without the prior written permission of NORCAL. For permission requests, contact: Jo Townson at (855)882-3412, ext. 2270.


The information contained in this document is intended as risk management advice. It does not constitute a legal opinion, nor is it a substitute for legal advice. Legal inquiries about topics covered in this document should be directed to an attorney. Recommendations contained in this document are not intended to determine the standard of care, but are provided as risk management advice. Recommendations presented should not be considered inclusive of all appropriate risk management strategies or exclusive of other strategies reasonably directed to obtain the same results. The ultimate judgment regarding the propriety of any specific procedure must be made by the individual physician/healthcare provider in light of the individual circumstances presented by the patient.
