HIPAA Risk Assessment
A HIPAA risk assessment examines the potential risks and vulnerabilities that arise wherever an organization creates, receives, maintains, or transmits protected health information (PHI).
Because covered entities and business associates differ in size, complexity, and capabilities, the U.S. Department of Health & Human Services (HHS) does not prescribe a single risk analysis method. HHS advises that, to meet the goal of a HIPAA risk assessment, an organization should:
- Determine where PHI is stored, received, maintained, or transmitted, and identify and document the potential threats and vulnerabilities at each location.
- Examine the security measures currently in place to protect PHI.
- Examine how effectively those current security measures are actually being used.
- Assess the likelihood that a reasonably anticipated threat occurs and the probable impact of a breach of PHI.
- Assign a risk rating to each combination of vulnerability and impact.
- Document the assessment and take action on its findings.
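The steps above amount to maintaining a risk register. The following is an added example (not code from the page, from HHS, or from any HIPAA tool) of a minimal register that records each PHI location with its threat, vulnerability, existing controls and whether those controls are effective, rates each entry by likelihood and impact, flags the entries that need action, and serializes the result so the assessment is documented. The three-point scales, the rating thresholds, and the sample register entries are all constructed assumptions; an organization would substitute its own.

```python
from dataclasses import dataclass, asdict
import json

# Assumed three-point scales for likelihood and impact; an organization picks its own.
SCALE = {"low": 1, "medium": 2, "high": 3}


@dataclass
class RiskItem:
    """One row of the risk register: a PHI location paired with a threat and vulnerability."""
    phi_location: str         # where PHI is created, received, maintained or transmitted
    threat: str               # reasonably anticipated threat
    vulnerability: str        # weakness the threat could exploit
    existing_controls: list   # security measures currently in place
    controls_effective: bool  # whether those measures are actually in use and working
    likelihood: str           # "low" | "medium" | "high"
    impact: str               # "low" | "medium" | "high"


def risk_score(item: RiskItem) -> int:
    """Likelihood x impact on the assumed 1-3 scales, giving a score from 1 to 9."""
    return SCALE[item.likelihood] * SCALE[item.impact]


def risk_level(score: int) -> str:
    """Map a score to a rating band (thresholds are an assumption)."""
    if score <= 2:
        return "Low"
    if score <= 4:
        return "Medium"
    return "High"


def needs_action(item: RiskItem) -> bool:
    """High-rated risks, and any risk whose controls are not actually effective, require action."""
    return risk_level(risk_score(item)) == "High" or not item.controls_effective


def assess(register: list) -> list:
    """Return documented findings for every register entry, highest risk first."""
    findings = []
    for item in register:
        score = risk_score(item)
        record = asdict(item)
        record.update(score=score, level=risk_level(score), action_required=needs_action(item))
        findings.append(record)
    findings.sort(key=lambda r: r["score"], reverse=True)
    return findings


def summarize(findings: list) -> dict:
    """Count findings per rating band for the assessment's summary."""
    counts = {"Low": 0, "Medium": 0, "High": 0}
    for finding in findings:
        counts[finding["level"]] += 1
    return counts


def to_report(findings: list) -> str:
    """Serialize the findings so the assessment is kept as a record."""
    return json.dumps({"summary": summarize(findings), "findings": findings}, indent=2)


# Constructed sample register; these are illustrative entries, not real data.
SAMPLE_REGISTER = [
    RiskItem("EHR database server", "ransomware", "unpatched operating system",
             ["nightly offline backups"], True, "high", "high"),
    RiskItem("clinic laptops", "lost or stolen device", "disk not encrypted",
             ["full-disk encryption policy"], False, "medium", "high"),
    RiskItem("outbound email", "PHI sent to wrong recipient", "no outbound data-loss checks",
             [], False, "medium", "medium"),
]

if __name__ == "__main__":
    print(to_report(assess(SAMPLE_REGISTER)))
```

Note how the laptop entry is flagged even though its score is below the server's: the encryption policy exists but is not in effect, which is exactly the "how effectively are current measures being used" step. The JSON report is what gets retained and revisited at the next review.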
A HIPAA risk assessment must be reviewed periodically, and again whenever new work processes or new technology are introduced.