Episode 13: What is a HIPAA Risk Analysis
Help Me With HIPAA
English - August 07, 2015 10:30 - 35 minutes - 48.9 MB - ★★★★★ - 61 ratings
Category: Business, Technology. Tags: hipaa, businessassociate, coveredentity, privacy, security
Description
What a HIPAA Risk Analysis includes and why you need it for your cybersecurity risk management.
Glossary
CReMaT'ed - Created, Received, Maintained, Transmitted (the four ways an organization handles e-PHI)
CIA - Confidentiality, Integrity, Availability
BA - Business Associate; BAA - Business Associate Agreement
Links
Training Documentation for this episode
Notes
A risk analysis is not a simple checklist; it requires a lot of thought, data collection, and analysis.
The analysis part
Define where e-PHI is CReMaT'ed in your organization.
Not just the server that holds the EMR.
Cloud apps used, messaging tools, mobile devices, USB storage devices, home computers
Practice Management system and data analysis tools
Don't forget to include downloads folders and temp folders on all PCs.
Do you need to worry about vendors or consultants? Your BAs (Business Associates) may move data around your network and systems.
If they handle it for you, do you even know where it is going?
What are the threats to the CIA of the PHI that you have located and identified above?
Human
Natural
Environmental
What would be the impact to your business if the threat did act against your PHI?
Would it be a bump in the road or a sinkhole?
What is the likelihood this threat will actually act against your PHI?
Very likely down to not likely at all
With all this considered what level risk do you think this threat creates to your PHI?
High, Medium, or Low
Based on everything you know, decide what you are going to do about the threat and the risk it presents:
Accept the risk as just part of doing business
Address the risk with some type of safeguards in your organization
Outsource the risk by hiring another company to handle managing it for you
The assessment part
At this point, you review the plan you have just made to address risks against what you are actually doing.
Are you doing everything you can to protect the PHI and meet your obligations under HIPAA from all those threats?
If you are outsourcing threat management, have you made sure your BAAs are in order?
If you are handling it internally, do you have all the written policies and procedures?
Is your staff trained to respond accordingly?
Once you complete that process you draw up your final report on what was determined during your analysis and assessment.
What actions need to take place to address those threats and what priority should be applied to them?
This is your full analysis and assessment report that you will use to inform your decision making process for your security policies and procedures.
It is also the report you will review and update on a regular basis. Sometimes only minor updates are needed, but after a major change in your business you will need to redo most of the whole thing.
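As an added illustration, not from the episode or its training documentation, here is a small Python risk register that walks the procedure above end to end: an inventory of where e-PHI is CReMaT'ed, threats scored by impact and likelihood into High/Medium/Low, a treatment decision per threat, the assessment check that outsourced risks have a BAA on file and mitigated ones have a written safeguard, and a report sorted by priority. The 3x3 risk matrix, the asset names and the threats are assumptions constructed for the example; a real practice would calibrate its own bands and fill in its own inventory.

```python
"""Qualitative HIPAA-style risk register: score threats to e-PHI, decide treatment,
flag assessment gaps, and emit a prioritized report.
Added example, not the podcast's material. All assets and threats below are constructed."""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


def risk_level(impact: Level, likelihood: Level) -> Level:
    """Assumed 3x3 risk matrix: multiply impact by likelihood (1..9) and band the score."""
    score = int(impact) * int(likelihood)
    if score >= 6:
        return Level.HIGH
    if score >= 3:
        return Level.MEDIUM
    return Level.LOW


@dataclass(frozen=True)
class Asset:
    """A place where e-PHI is created, received, maintained or transmitted."""
    name: str
    handled_by_ba: bool = False  # a business associate moves or holds the data


@dataclass(frozen=True)
class Threat:
    asset: str
    description: str
    category: str        # Human, Natural or Environmental
    cia: str             # which of C, I, A the threat acts against
    impact: Level
    likelihood: Level
    treatment: str       # accept, mitigate or outsource
    safeguard: str = ""  # written policy/control backing a 'mitigate' decision

    @property
    def risk(self) -> Level:
        return risk_level(self.impact, self.likelihood)


def prioritize(threats):
    """Highest risk first; ties broken by impact, then likelihood (stable sort)."""
    return sorted(threats, key=lambda t: (t.risk, t.impact, t.likelihood), reverse=True)


def assessment_gaps(assets, threats, baa_on_file):
    """The 'assessment part': compare the plan with what is actually in place."""
    gaps = []
    for a in assets:
        if a.handled_by_ba and a.name not in baa_on_file:
            gaps.append(f"{a.name}: handled by a business associate but no BAA on file")
    for t in threats:
        if t.treatment == "outsource" and t.asset not in baa_on_file:
            gaps.append(f"{t.asset}: '{t.description}' outsourced without a BAA")
        if t.treatment == "mitigate" and not t.safeguard:
            gaps.append(f"{t.asset}: '{t.description}' to be mitigated but no written safeguard")
    return gaps


def build_report(assets, threats, baa_on_file):
    """Final report: prioritized threat rows plus the gaps the assessment found."""
    rows = [
        {"priority": i + 1, "asset": t.asset, "threat": t.description,
         "cia": t.cia, "risk": t.risk.name, "treatment": t.treatment}
        for i, t in enumerate(prioritize(threats))
    ]
    return {"rows": rows, "gaps": assessment_gaps(assets, threats, baa_on_file)}


# Constructed sample inventory and threats for a small practice (not real data).
ASSETS = [
    Asset("EMR server"),
    Asset("Front-desk PC Downloads folders"),
    Asset("Cloud billing service", handled_by_ba=True),
    Asset("Staff mobile phones"),
]
THREATS = [
    Threat("EMR server", "ransomware", "Human", "A", Level.HIGH, Level.MEDIUM,
           "mitigate", safeguard="offline backups, patching, quarterly restore test"),
    Threat("Staff mobile phones", "lost or stolen phone", "Human", "C", Level.MEDIUM, Level.HIGH,
           "mitigate"),  # decided to mitigate but nothing written yet: flagged as a gap
    Threat("EMR server", "flood in server room", "Natural", "A", Level.HIGH, Level.LOW, "accept"),
    Threat("Cloud billing service", "breach at the vendor", "Human", "C", Level.HIGH, Level.LOW,
           "outsource"),
    Threat("Front-desk PC Downloads folders", "stray e-PHI exports left on disk", "Human", "C",
           Level.LOW, Level.HIGH, "mitigate", safeguard="nightly cleanup script, DLP scan"),
]
BAA_ON_FILE = set()  # nothing signed yet

if __name__ == "__main__":
    result = build_report(ASSETS, THREATS, BAA_ON_FILE)
    for row in result["rows"]:
        print(row)
    print("gaps:", *result["gaps"], sep="\n  ")
```

Rerunning `build_report` after a BAA is signed with the billing vendor (add "Cloud billing service" to `BAA_ON_FILE`) clears two of the three gaps and leaves only the unwritten phone safeguard, which is the kind of regular review and update the notes describe.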