7/27/2019 HIPAA Risk Analysis
HIPAA Risk Analysis:
Understanding the Requirement
The Department of Health and Human Services (HHS) requires organizations to
conduct a risk analysis as the first step toward implementing safeguards specified in
the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. The
purpose of this step is to ensure that management has developed a systematic
process to identify and understand the risks associated with the electronic protected
health information (ePHI) that they store, process and transmit.
While this appears relatively straightforward, the majority of health care
organizations have not completed a true risk assessment. HHS defines a risk
assessment as an assessment conducted in a formal manner that includes a
complete documentation of the process, a listing of identified threats and
vulnerabilities, the associated risk ratings and the subsequent actions to remediate
any identified deficiencies.
The HHS Security Standards Guide outlines nine mandatory components of a risk
analysis that healthcare and healthcare-related organizations must include in their
risk assessment document:
- Scope of the Analysis: The scope of the risk analysis includes all the people, processes and technology that are involved in the creation, transmission, maintenance and/or storage of ePHI.
- Data Collection: An organization must identify where data is being stored, received, maintained or transmitted. If your organization is hosting health information at a HIPAA compliant data center, the organization will need to contact their hosting provider to document where and how the data is stored.
- Identify and Document Potential Threats and Vulnerabilities: Identify and document any reasonably anticipated threats to ePHI. Anticipating potential HIPAA violations can help your organization quickly and effectively reach a resolution.
- Assess Current Security Measures: Inventory all of the existing security controls implemented by the organization and determine how effective they are in managing the threats and vulnerabilities identified in the previous step.
- Determine the Likelihood of Threat Occurrence: For each threat event, determine how likely the event is to occur relative to the organization's specific circumstances.
Christopher J. McCarthy, Partner, 914.341.7018
Keith Solomon, Partner, 914.341.7078
Thomas DeMayo, IT Manager, 212.867.8000
- Determine the Potential Impact of Threat Occurrence: By using either qualitative or quantitative methods, assess the maximum impact that a data threat would have on your organization. How many people could be affected? What extent of private data could be exposed: just medical records, or both health information and billing information combined?
- Determine the Level of Risk: Combine the likelihood of the occurrence with the potential impact to determine the ultimate risk level. Documented risk levels should be accompanied by a list of corrective actions that would be performed to mitigate risk, should the resulting risk be too high.
- Finalize Documentation: Write everything up in an organized document. HHS does not specify a particular format, but they do require the analysis in writing.
- Periodic Review and Updates to the Risk Assessment: It is important to ensure that the risk analysis process is ongoing; one requirement is conducting a risk analysis on a regular basis. While the Security Rule does not set a required timeline, we advise our clients to update their risk analysis on a yearly basis and to conduct another risk analysis whenever the organization implements or plans to adopt new technology or business operations.
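The nine components above describe a procedure; the following is an added example of a minimal risk register that follows it, written for this page and not taken from HHS guidance or from O'Connor Davies. It records the data-collection inventory (where ePHI lives), pairs each threat with a vulnerability and the existing controls, scores likelihood against impact to arrive at a risk level, flags high-risk items that lack a documented corrective action, and decides whether the yearly review (or a review triggered by new technology) is due. The three-point scales, the thresholds for "medium" and "high", the asset and threat names, and the review dates are all constructed assumptions for illustration.

```python
"""Minimal HIPAA-style risk register: data collection, threat/vulnerability
pairs, likelihood x impact scoring, corrective-action checks and review cadence.
Added example; scales, thresholds and sample data are assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Qualitative scales mapped to numbers for scoring (assumed 3-point scales).
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}


@dataclass
class EphiAsset:
    """Data Collection record: where ePHI is stored, received, maintained or transmitted."""
    name: str
    location: str          # e.g. on-premises server, hosted data center, laptop
    flows: list[str]       # subset of: stored, received, maintained, transmitted


@dataclass
class RiskItem:
    """One reasonably anticipated threat against an asset, with its current controls."""
    asset: str
    threat: str
    vulnerability: str
    existing_controls: list[str] = field(default_factory=list)
    likelihood: str = "medium"
    impact: str = "medium"
    corrective_action: str = ""   # expected whenever the resulting risk is too high

    def score(self) -> int:
        # Determine the Level of Risk: likelihood combined with potential impact.
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def level(self) -> str:
        # Assumed thresholds: 6-9 high, 3-4 medium, 1-2 low.
        s = self.score()
        return "high" if s >= 6 else "medium" if s >= 3 else "low"


def review_due(last_review: date, today: date, new_technology: bool = False) -> bool:
    """Periodic Review: yearly, or whenever new technology/operations are adopted."""
    return new_technology or today >= last_review + timedelta(days=365)


def build_report(scope: str, assets: list[EphiAsset], items: list[RiskItem],
                 last_review: date, today: date, new_technology: bool = False) -> dict:
    """Assemble the written analysis: scope, inventory, risk levels, findings, review status."""
    by_level: dict[str, list[str]] = {"high": [], "medium": [], "low": []}
    findings: list[str] = []
    known_assets = {a.name for a in assets}
    for item in items:
        by_level[item.level()].append(item.threat)
        if item.level() == "high" and not item.corrective_action:
            findings.append(f"{item.asset}: high risk without a documented corrective action")
        if not item.existing_controls:
            findings.append(f"{item.asset}: no existing control recorded for '{item.threat}'")
        if item.asset not in known_assets:
            findings.append(f"{item.asset}: risk item refers to an asset missing from data collection")
    return {
        "scope": scope,
        "assets": [a.name for a in assets],
        "by_level": by_level,
        "findings": findings,
        "review_due": review_due(last_review, today, new_technology),
    }


# Constructed sample inventory and register (not real systems or findings).
SAMPLE_ASSETS = [
    EphiAsset("EHR database", "hosted data center", ["stored", "maintained"]),
    EphiAsset("Billing laptops", "staff laptops", ["stored", "transmitted"]),
    EphiAsset("Fax server", "on-premises server", ["received", "transmitted"]),
]
SAMPLE_ITEMS = [
    RiskItem("EHR database", "Ransomware", "Unpatched database servers",
             ["Offline backups"], "high", "high", "Monthly patch cycle with verification"),
    RiskItem("Billing laptops", "Lost or stolen laptop", "No full-disk encryption",
             [], "medium", "high"),                       # high risk, no action documented
    RiskItem("Fax server", "Misdirected fax", "Manual dialing of recipient numbers",
             ["Confirmation call before sending"], "low", "medium"),
]


def sample_report() -> dict:
    """Run the register over the constructed sample as of the page's date."""
    return build_report("All people, processes and technology handling ePHI",
                        SAMPLE_ASSETS, SAMPLE_ITEMS,
                        last_review=date(2018, 6, 30), today=date(2019, 7, 27))


if __name__ == "__main__":
    report = sample_report()
    for level, threats in report["by_level"].items():
        print(f"{level:>6}: {threats}")
    for finding in report["findings"]:
        print("finding:", finding)
    print("review due:", report["review_due"])
```

The findings list is the piece reviewers look for first: a high-rated item with no corrective action, or a threat with no control recorded against it, means the documentation is incomplete even if the scoring is sound.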
With the permanent HIPAA audit program expected to become effective sometime after the 2014 fiscal year, it is important to evaluate your risk assessment program in a timely manner. If you are uncertain whether or not your current risk assessment process is satisfactory, or would like assistance in conducting a risk assessment, please contact Thomas DeMayo at [email protected], Christopher J. McCarthy at [email protected], or Keith Solomon at [email protected].
About Our Practice:
O'Connor Davies, LLP is a full service Certified Public Accounting and consulting firm that has a long history of serving clients both domestically and internationally and providing specialized professional services of the highest quality. With roots tracing to 1891, seven offices located in New York, New Jersey and Connecticut, and approximately 400 professionals including 70 partners, the Firm provides a complete range of accounting, auditing, tax and management advisory services. O'Connor Davies is ranked as number 36 in Accounting Today's 2013 "Top 100 Firms" in the United States. The Firm is also within the 20 largest accounting firms in the New York Metropolitan area according to Crain's New York Business and the Westchester and Fairfield County Business Journals.
O'Connor Davies, LLP is a member firm of the PKF International Limited network of legally independent firms and does not accept any responsibility or liability for the actions or inactions on the part of any other individual member firm or firms.
IRS CIRCULAR 230 DISCLOSURE: To comply with IRS regulations, we are required to inform you that
unless expressly stated otherwise, any discussion of U.S. federal tax issues in this correspondence
(including any attachments) is not intended or written to be used, and cannot be used, (i) to avoid any
penalties imposed under the Internal Revenue Code, or (ii) to promote, market, or recommend to
another party any transaction or matter addressed herein. Our firm provides the information in this e-
newsletter for general guidance only, and it does not constitute the provision of legal advice, tax advice,
accounting services, investment advice, or professional consulting of any kind.
Contact:
New York, NY (midtown): 212.286.2600
New York, NY (downtown): 212.867.8000
Harrison, NY: 914.381.8900
Stamford, CT: 203.323.2400
Paramus, NJ: 201.712.9800
New Windsor, NY: 845.220.2400
Wethersfield, CT: 860.257.1870