HIPAA Risk Analysis


7/27/2019 HIPAA Risk Analysis

HIPAA Risk Analysis: Understanding the Requirement

The Department of Health and Human Services (HHS) requires organizations to conduct a risk analysis as the first step toward implementing safeguards specified in the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. The purpose of this step is to ensure that management has developed a systematic process to identify and understand the risks associated with the electronic protected health information (ePHI) that they store, process and transmit.

While this appears relatively straightforward, the majority of health care organizations have not completed a true risk assessment. HHS defines a risk assessment as an assessment conducted in a formal manner that includes complete documentation of the process, a listing of identified threats and vulnerabilities, the associated risk ratings and the subsequent actions to remediate any identified deficiencies.

The HHS Security Standards Guide outlines nine mandatory components of a risk analysis that healthcare and healthcare-related organizations must include in their risk assessment document:

- Scope of the Analysis - The scope of the risk analysis includes all the people, processes and technology that are involved in the creation, transmission, maintenance and/or storage of ePHI.

- Data Collection - An organization must identify where data is being stored, received, maintained or transmitted. If your organization is hosting health information at a HIPAA compliant data center, the organization will need to contact their hosting provider to document where and how the data is stored.

- Identify and Document Potential Threats and Vulnerabilities - Identify and document any reasonably anticipated threats to ePHI. Anticipating potential HIPAA violations can help your organization quickly and effectively reach a resolution.

- Assess Current Security Measures - Inventory all of the existing security controls implemented by the organization and determine how effective they are in managing the threats and vulnerabilities identified in the previous step.

- Determine the Likelihood of Threat Occurrence - For each threat event, determine how likely the event is to occur relative to the organization's specific circumstances.

Christopher J. McCarthy, Partner, [email protected], 914.341.7018
Keith Solomon, Partner, [email protected], 914.341.7078
Thomas DeMayo, IT Manager, [email protected], 212.867.8000


- Determine the Potential Impact of Threat Occurrence - By using either qualitative or quantitative methods, assess the maximum impact that a data threat would have on your organization. How many people could be affected? What extent of private data could be exposed: just medical records, or both health information and billing information combined?

- Determine the Level of Risk - Combine the likelihood of the occurrence with the potential impact to determine the ultimate risk level. Documented risk levels should be accompanied by a list of corrective actions that would be performed to mitigate risk, should the resulting risk be too high.

- Finalize Documentation - Write everything up in an organized document. HHS does not specify a particular format, but they do require the analysis in writing.

- Periodic Review and Updates to the Risk Assessment - It is important to ensure that the risk analysis process is ongoing; one requirement includes conducting a risk analysis on a regular basis. While the Security Rule does not set a required timeline, we advise our clients to update their risk analysis on a yearly basis and to conduct another risk analysis whenever the organization implements or plans to adopt new technology or business operations.
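As an added illustration of the components above (not part of the original article), here is a constructed Python risk register that applies the later steps: it scores each threat from its likelihood and impact ratings, flags high risks that lack documented corrective actions or an inventory of current controls, and checks whether the yearly review (or a review triggered by new technology) is due. The rating scale, thresholds and sample entries are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Qualitative scales and weights: a constructed convention, not an HHS-mandated scale.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}

@dataclass
class RiskEntry:
    """One row of the risk register: a single ePHI location and one threat to it."""
    asset: str                   # where ePHI is stored, received, maintained or transmitted
    threat: str                  # reasonably anticipated threat
    vulnerability: str
    current_controls: list       # inventory of existing safeguards
    likelihood: str              # "low" / "medium" / "high"
    impact: str                  # "low" / "medium" / "high"
    corrective_actions: list = field(default_factory=list)  # expected when the risk is high

def risk_score(entry):
    """Combine likelihood and impact into a single 1..9 score."""
    return LIKELIHOOD[entry.likelihood] * IMPACT[entry.impact]

def risk_level(score):
    """Map the score onto the three qualitative levels used in the register."""
    return "high" if score >= 6 else "medium" if score >= 3 else "low"

def register_gaps(entries):
    """Gaps in the written analysis: high risks lacking corrective actions, or no controls inventory."""
    gaps = []
    for e in entries:
        if risk_level(risk_score(e)) == "high" and not e.corrective_actions:
            gaps.append(f"{e.asset}: '{e.threat}' is high risk but lists no corrective actions")
        if not e.current_controls:
            gaps.append(f"{e.asset}: no current security measures documented")
    return gaps

def review_due(last_review, today, new_technology=False):
    """Yearly refresh, or sooner when new technology or business operations are adopted."""
    return new_technology or (today - last_review) > timedelta(days=365)

# Constructed sample register (not a real organization's data).
SAMPLE = [
    RiskEntry("billing database", "ransomware", "unpatched server", ["offline backups"],
              "low", "high", ["patch monthly", "segment the network"]),
    RiskEntry("clinician laptops", "device theft", "no full-disk encryption", [], "high", "high"),
]

def sample_report(today=date(2019, 7, 27), last_review=date(2018, 6, 1)):
    return ({e.asset: risk_level(risk_score(e)) for e in SAMPLE},
            register_gaps(SAMPLE), review_due(last_review, today))
```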

With the permanent HIPAA audit program expected to become effective sometime after the 2014 fiscal year, it is important to evaluate your risk assessment program in a timely manner. If you are uncertain whether or not your current risk assessment process is satisfactory, or would like assistance in conducting a risk assessment, please contact Thomas DeMayo at [email protected], Christopher J. McCarthy at [email protected], or Keith Solomon at [email protected].

About Our Practice:

O'Connor Davies, LLP is a full service Certified Public Accounting and consulting firm that has a long history of serving clients both domestically and internationally and providing specialized professional services of the highest quality. With roots tracing to 1891, seven offices located in New York, New Jersey and Connecticut, and approximately 400 professionals including 70 partners, the Firm provides a complete range of accounting, auditing, tax and management advisory services. O'Connor Davies is ranked as number 36 in Accounting Today's 2013 "Top 100 Firms" in the United States. The Firm is also within the 20 largest accounting firms in the New York Metropolitan area according to Crain's New York Business and the Westchester and Fairfield County Business Journals.

O'Connor Davies, LLP is a member firm of the PKF International Limited network of legally independent firms and does not accept any responsibility or liability for the actions or inactions on the part of any other individual member firm or firms.

IRS CIRCULAR 230 DISCLOSURE: To comply with IRS regulations, we are required to inform you that unless expressly stated otherwise, any discussion of U.S. federal tax issues in this correspondence (including any attachments) is not intended or written to be used, and cannot be used, (i) to avoid any penalties imposed under the Internal Revenue Code, or (ii) to promote, market, or recommend to another party any transaction or matter addressed herein. Our firm provides the information in this e-newsletter for general guidance only, and it does not constitute the provision of legal advice, tax advice, accounting services, investment advice, or professional consulting of any kind.

Contact:

New York, NY (midtown) 212.286.2600
New York, NY (downtown) 212.867.8000
Harrison, NY 914.381.8900
Stamford, CT 203.323.2400
Paramus, NJ 201.712.9800
New Windsor, NY 845.220.2400
Wethersfield, CT 860.257.1870
