This article is an excerpt from our ebook, Diagnosing HIPAA Security.
‘I know HIPAA is required, and I know it’s important; I just don’t know what exactly HIPAA requires me to do.’
Don’t feel bad if this statement sounds all too familiar. Many doctors, nurses, office managers, and healthcare professionals we talk to share the same confusion over HIPAA compliance. Unfortunately, noncompliance with the HIPAA standards puts organizations at greater risk now than ever before.
The HIPAA risk analysis is arguably the most important part of not only Security Rule compliance, but the entire HIPAA standard as well. The purpose of the risk analysis is to help covered entities identify (and document!) potential security risks (i.e. threats and vulnerabilities). Every security effort your organization makes will be determined by your risk analysis, so it’s critical to conduct a thorough and accurate assessment.
While the HHS has no specified method of conducting a risk analysis, there are some generally accepted steps that outline the process.
There are several reasons why every covered entity should take the risk analysis very seriously. First (and most obvious), this process will help you identify your organization’s greatest areas of risk.
Second (not so obvious but equally important), in the event of a data breach or random audit, covered entities that have not conducted a thorough and accurate risk analysis can expect to be hit with severe financial penalties.
The HHS has stated on multiple occasions that they will make examples of healthcare organizations that put PHI at risk. Given the stated importance and heavy consequences associated with the risk analysis, you may want to consider working with a HIPAA security expert.
In the risk analysis you identified the threats and vulnerabilities that expose your organization to potential risk. Now it’s time to add in some protection.
Risk management is the second implementation specification of the Security Management Process. The risk management specification requires organizations to implement security controls that ‘reduce risks and vulnerabilities to a reasonable and appropriate level’.
There are many ways to approach risk management, but ultimately the process will consist of three main steps:
The HIPAA Security Rule requires you to ‘periodically’ complete the risk analysis and risk management process, so plan on a formal assessment at least once a year. Remember that as far as the HHS is concerned, if it’s not documented, it never happened. Thorough documentation of these processes will help you accurately evaluate risk, become more efficient in your assessments, and provide protection should the HHS show up on your doorstep for a random audit.