Making a risk assessment is the first step to getting HIPAA compliant.  

So you know you need to get compliant with HIPAA’s Security Rule, but you have one question in mind: where do you start? This is where the Risk Assessment comes into play.

What is a Risk Assessment?

A Risk Assessment, or Risk Analysis, is a process that identifies the vulnerabilities, threats, and risks to the PHI your organization creates, receives, stores, or transmits. It’s the first step in Security Rule compliance.
Contrary to popular belief, a HIPAA Risk Assessment and Risk Management Plan aren’t optional: the Security Rule lists both as required implementation specifications.
If HHS audits you and you can’t produce these documents, you could be subject to major fines.

Many organizations aren’t sure where to start when it comes to creating a Risk Assessment, but it’s easier than they may think. Here are 5 steps to create your own Risk Assessment and Risk Management Plan.

SEE ALSO: SecurityMetrics NIST 800-30 Risk Assessment

1. Map out your PHI flow

You can’t protect your PHI if you don’t know where it’s located. You need to know where your PHI is received, stored, processed, and transmitted. To do this, map out and create a diagram of your PHI flow. Some things to consider while doing this are:
  • Where PHI enters your entity
  • What happens to PHI in your system
  • Where PHI leaves your environment
  • Where potential leaks may be
SEE ALSO: PHI: It’s Literally Everywhere [Infographic]

2. Identify vulnerabilities, threats, and risks

You need to find problems that exist within your organization, specifically vulnerabilities, threats, and risks.

Vulnerabilities
Vulnerabilities are weaknesses in your security that a threat could take advantage of and turn into a security incident. Some examples of vulnerabilities include:
  • Unpatched operating system software
  • No office security policies
  • Misconfigured firewalls
  • Websites or web applications with coding flaws
Threat
A threat is the potential for a person or thing to exploit a vulnerability and harm PHI. Types of threats range from human (for example, a phishing attacker or a careless employee) to natural and environmental (for example, a flood or a power failure).
Risk
Risks are the probability that a threat will take advantage of a vulnerability and result in a security breach. According to HHS “risk is not a single factor or event, but rather it is a combination of factors or events (threats and vulnerabilities) that, if they occur, may have an adverse impact on the organization.”

3. Analyze your risk level

You need to figure out which risks could impact your organization. By prioritizing these risks, you can determine what needs the most attention. When analyzing your risk level, consider the following for each threat/vulnerability pair:
  • Likelihood: how probable is it that this threat will actually exploit this vulnerability? For example, a hurricane is less likely to hit organizations in Colorado than organizations in Florida.
  • Potential impact: how much harm would it do to PHI and to your organization if it did happen? For example, a computer screen accidentally showing PHI to one visitor usually has less impact than malware spreading across the workstations on your network.
Combining likelihood and impact gives each threat/vulnerability pair a risk level, such as high, medium, or low. This lets you create a prioritized list of security issues.
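The scoring described above, as an added example that is not part of the original article and not a SecurityMetrics tool: a small risk register that validates the likelihood and impact ratings for each threat/vulnerability pair, turns them into a risk level with an assumed three-by-three qualitative matrix (a simplified version of the NIST SP 800-30 approach), and produces the prioritized list that step 4 starts from. The asset names, ratings, and controls in the sample register are constructed for illustration.

```python
"""Qualitative risk scoring for a HIPAA risk register (added example, not the article's own code)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List

LEVELS = ("Low", "Medium", "High")

# Assumed qualitative matrix: RISK_MATRIX[likelihood][impact] -> risk level.
# A high-impact, low-likelihood event (e.g. a flood) still rates Medium so it
# isn't silently dropped from the plan.
RISK_MATRIX = {
    "High":   {"Low": "Medium", "Medium": "High",   "High": "High"},
    "Medium": {"Low": "Low",    "Medium": "Medium", "High": "High"},
    "Low":    {"Low": "Low",    "Medium": "Low",    "High": "Medium"},
}


@dataclass(frozen=True)
class RiskItem:
    asset: str               # where the PHI lives, taken from the PHI flow map (step 1)
    vulnerability: str       # the weakness (step 2)
    threat: str              # who or what could exploit it (step 2)
    likelihood: str          # Low / Medium / High
    impact: str              # Low / Medium / High
    existing_controls: str = "none"

    def __post_init__(self) -> None:
        # Reject ratings outside the scale so the register stays consistent.
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if value not in LEVELS:
                raise ValueError(f"{name} must be one of {LEVELS}, got {value!r}")

    @property
    def risk_level(self) -> str:
        return RISK_MATRIX[self.likelihood][self.impact]


def prioritize(items: Iterable[RiskItem]) -> List[RiskItem]:
    """Order the register High -> Low; within a level, higher impact first."""
    rank = {level: i for i, level in enumerate(LEVELS)}
    return sorted(
        items,
        key=lambda r: (rank[r.risk_level], rank[r.impact], rank[r.likelihood]),
        reverse=True,
    )


def summarize(items: Iterable[RiskItem]) -> Dict[str, int]:
    """Count items per risk level, e.g. for the summary page of the assessment."""
    counts = {level: 0 for level in LEVELS}
    for item in items:
        counts[item.risk_level] += 1
    return counts


def render(items: Iterable[RiskItem]) -> str:
    """One line per item, already in priority order, ready to paste into the plan."""
    lines = []
    for r in prioritize(items):
        lines.append(
            f"[{r.risk_level:6}] {r.asset}: {r.threat} exploits {r.vulnerability} "
            f"(likelihood={r.likelihood}, impact={r.impact}; controls: {r.existing_controls})"
        )
    return "\n".join(lines)


# Constructed sample register for a small clinic (illustrative values only).
SAMPLE_REGISTER = [
    RiskItem("EHR database server", "unpatched operating system",
             "ransomware delivered by phishing", "High", "High"),
    RiskItem("Front-desk workstation", "screen visible from waiting room",
             "visitor shoulder-surfing", "High", "Low", "privacy screen ordered"),
    RiskItem("Backup tapes in basement", "no off-site copy",
             "flooding", "Low", "High"),
    RiskItem("Guest Wi-Fi", "shares a network segment with clinical systems (misconfigured firewall)",
             "malware on a visitor's laptop reaching the EHR", "Medium", "High"),
    RiskItem("Paper intake forms", "no retention and shredding policy",
             "forms discarded in regular trash", "Medium", "Medium"),
]

if __name__ == "__main__":
    print(render(SAMPLE_REGISTER))
    print(summarize(SAMPLE_REGISTER))
```

The matrix itself is the part you should argue about with your team and record in the assessment: whatever ratings you choose, the documented rule for combining them is what lets an auditor follow how a given item ended up "High" rather than "Medium".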

4. Create your Risk Management Plan

You now have a list of potential risks to your company. Now you need to decide how to address these risks. This process consists of three main steps:
  1. Plan how to evaluate, prioritize, and implement security controls
  2. Implement security to address the greatest areas of risk first
  3. Test the security controls you’ve implemented, and watch out for new risks. 
By creating a Risk Management Plan, you show how you are handling these potential risks, and how you’re addressing security.

SEE ALSO: How Much Does a HIPAA Risk Management Plan Cost?

5. Documentation

This is the most important part of your Risk Assessment. If you don’t document these steps, you can’t prove to HHS that you’ve done a Risk Assessment. Document each step, the risk ratings you assigned and why, and your regular progress on addressing the risks you’ve identified.

SEE ALSO: How to Meet HIPAA Documentation Requirements

Making a Risk Assessment is a process, but it’s worth it to protect your organization. It’s the first step in securing your company, so make sure you do it right.

Need help with creating a Risk Assessment? Talk to one of our experts! 
