A HIPAA Security Risk Assessment is a regulatory requirement for HIPAA Covered Entity healthcare organizations and Business Associates who must comply with the security management process of the Security Rule.
The Security Rule was established to ensure that appropriate administrative, physical, and technical safeguards are implemented to secure electronic protected health information (ePHI).
All ePHI that is created, maintained, transferred, or received by an organization must comply with HIPAA Security Rule standards. The Security Rule requires organizations to evaluate their risks and vulnerabilities and to invoke reasonable security measures to protect against potential threats to ePHI.
The Security Rule does not provide a specific procedure to perform HIPAA Risk Assessments, but it does indicate several objectives that any HIPAA Security Risk Assessment must meet. Those objectives include:
Objectives are consistently reviewed to incorporate any new regulation requirements.
Colington Consulting provides comprehensive HIPAA compliance services, including HIPAA Security Risk Assessments. In 2020, they were named one of the Top 10 HIPAA Consulting companies by Atlantic.net.
Colington Consulting has more than 60 years combined experience in law enforcement, regulatory compliance, inspections, facility security, risk mitigation, healthcare policy writing, healthcare solutions architecture, data flow analysis, and health information privacy requirements.
A HIPAA Security Risk Assessment performed by Colington Consulting integrates security standards, implementation specifications, and other regulatory requirements found in the following:
We ensure that our team keeps up to date with changes in HIPAA regulations and consistently reviews our processes to ensure we continue to comply with any new legal updates.
HIPAA Risk Assessments performed by Colington Consulting determine non-compliance issues and will review, evaluate, and document current business processes that affect ePHI. Our process will address the following for your organization:
The scope of the analysis defines the risks and vulnerabilities that could potentially affect the confidentiality, availability, and integrity of all ePHI that a business or organization creates, receives, maintains, or transmits.
Data is considered in all possible formats, including hard drives, removable media storage devices, transmission media, cloud storage, or portable electronic media. All ePHI is considered without regard to where the electronic medium used to transmit or store the ePHI is located.
Colington Consulting will work with the staff of the organization to determine where all ePHI exists. To ensure a full assessment of data collection, Colington will interview staff members, review past and current documentation, and utilize other data gathering techniques.
All data gathered through these methods will be properly documented, as required by the HIPAA Security Rule.
Our procedures will ensure that we identify and document any reasonably anticipated threats to ePHI. We will also review your processes and systems for any threats that may be specific to your particular environment.
Our documentation will set out the potential for inappropriate access to or disclosure of ePHI and indicate the severity of the outcome of such threats.
Our knowledgeable team will perform a full assessment of your organization’s current security measures in place to protect ePHI and ensure that they meet regulatory compliance requirements.
We understand that security measures vary across organizations. For example, smaller organizations typically have greater control over the operations of their environment and may require less effort to evaluate.
On the other hand, larger organizations may need to consider many more factors, simply because of the size of the company and the ePHI that may reside in many different electronic media.
The HIPAA Security Rule requires that companies consider the probability of potential risks to ePHI. To conform with this regulation, Colington will estimate the probability of occurrence for each threat on the initial list of threats.
Documentation will be provided listing all threat and vulnerability combinations that may pose a hazard to the confidentiality, availability, and integrity of an organization's ePHI, together with a probability estimate for each.
Colington Consulting will furnish thorough documentation of the level of risk posed by each threat. Our process combines the likelihood of a threat occurring with the potential impact such a threat would have on your organization to arrive at a risk level.
You will receive documentation of each indicated risk level and a full list of corrective actions, if needed, to be implemented to mitigate each risk level.
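As an added illustration of the likelihood-and-impact scoring described above, here is a small risk register that rates each threat and vulnerability combination, derives a risk level, and produces a prioritized list of corrective actions. This is example code, not Colington Consulting's own methodology or tooling; the 3-point rating scales, the level thresholds, and the sample register entries are assumptions constructed for this example.

```python
"""Risk register scoring in the likelihood x impact style described above.
Added example, not Colington Consulting's methodology; the 3-point scales,
level thresholds and sample entries are constructed assumptions."""
from dataclasses import dataclass

# Assumed 3-point ordinal scales; a real assessment documents how each rating is justified.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}
LEVEL_ORDER = {"Low": 0, "Medium": 1, "High": 2}


@dataclass(frozen=True)
class RiskEntry:
    asset: str              # where the ePHI is created, stored or transmitted
    threat: str             # reasonably anticipated threat
    vulnerability: str      # weakness the threat could exploit
    likelihood: str         # "low" | "medium" | "high"
    impact: str             # "low" | "medium" | "high"
    corrective_action: str  # what would reduce the risk

    def __post_init__(self):
        # Reject ratings outside the documented scale instead of silently mis-scoring.
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError(f"invalid rating on {self.asset!r}")

    @property
    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]  # 1..9

    @property
    def level(self) -> str:
        # Assumed thresholds on the 1..9 product.
        if self.score >= 6:
            return "High"
        if self.score >= 3:
            return "Medium"
        return "Low"


def prioritize(register):
    """Highest risk first; ties broken by asset name so output is deterministic."""
    return sorted(register, key=lambda e: (-e.score, e.asset))


def summarize(register):
    """Count entries per risk level for the management summary."""
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for entry in register:
        counts[entry.level] += 1
    return counts


def actions_needed(register, min_level="Medium"):
    """Corrective actions for entries at or above min_level, highest risk first."""
    floor = LEVEL_ORDER[min_level]
    return [(e.level, e.asset, e.corrective_action)
            for e in prioritize(register) if LEVEL_ORDER[e.level] >= floor]


# Constructed sample register (illustrative, not findings from any real assessment).
SAMPLE_REGISTER = [
    RiskEntry("clinician laptop", "device theft or loss", "full-disk encryption not enabled",
              "medium", "high", "enforce full-disk encryption and remote wipe"),
    RiskEntry("cloud file share", "unauthorized access", "shared admin account without MFA",
              "high", "high", "individual accounts with MFA; review access quarterly"),
    RiskEntry("offsite backup tapes", "loss in transit", "tapes are not encrypted",
              "low", "high", "encrypt backups before they leave the facility"),
    RiskEntry("front-desk workstation", "shoulder surfing", "no screen-lock timeout",
              "medium", "low", "configure a 5-minute screen lock"),
]

if __name__ == "__main__":
    for e in prioritize(SAMPLE_REGISTER):
        print(f"{e.level:<6} {e.score}  {e.asset}: {e.threat} / {e.vulnerability}")
    print(summarize(SAMPLE_REGISTER))
```

The register keeps the likelihood and impact ratings separate from the derived level, so the documentation required by the Security Rule can show how each risk level was reached; `actions_needed` filters the corrective actions to the levels that warrant remediation, which is the "if needed" list the report delivers.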
Our report will provide management and compliance officers with full documentation of the HIPAA risk assessments performed for your organization, including all required elements indicated by the HIPAA Security Rule.
We don’t simply hand over a report and expect your organization to implement the recommended changes. Instead, we assist you with mitigating the risks and provide advice on how to implement the corrective items so that your organization is fully compliant.
The HIPAA Security Rule requires that organizations perform appropriate risk assessments on an ongoing basis.
While no deadlines are specified for such assessments, most medium and large-sized organizations execute a risk assessment on a yearly basis. Smaller organizations may conduct them less frequently, such as every two years. As a best practice, we recommend assessments be conducted on a yearly basis.
While the risk analysis itself may be performed on a scheduled basis, changes in an organization that may affect the security of its ePHI should be considered individually, either before or right after such an event occurs. Potential changes in an organization that could result in a possible threat to ePHI include:
Any of these changes should be assessed on a one-off basis to ensure continued compliance with the HIPAA Security Rule.
If your organization is in possession of ePHI and does not adequately meet the requirements for HIPAA Risk Assessments set out by the HIPAA Security Rule, your organization could be subject to fines up to $1.5 million per violation.
Several tiers are considered when calculating the fine potentially owed by a company that is non-compliant with the HIPAA Security Rule:
First Tier Penalty
In a first-tier penalty, the organization clearly did not know about the breach, nor could it have reasonably anticipated it. Fines range from $100 to $50,000 per incident up to a maximum of $1.5 million.
Second Tier Penalty
In this category, a company “knew, or by exercising reasonable diligence would have known” of the violation, though they did not act with willful neglect. Fines vary from $1,000 to $50,000 per incident, up to a maximum of $1.5 million.
Third Tier Penalty
A third-tier penalty occurs when an organization “acted with willful neglect” but corrected the problem within a 30-day time period. A third-tier penalty results in a fine of $10,000 to $50,000 per incident, up to a maximum of $1.5 million.
Fourth Tier Penalty
The most serious of all penalties, a fourth-tier penalty occurs when a business “acts with willful neglect” and fails to make a timely correction. Fines start at $50,000 per incident, up to a maximum of $1.5 million.
Reportable breaches are occurring almost daily and are posted on the HHS website. Breaches vary by type, but the lack of an accurate and thorough HIPAA Risk Assessment can lead to possible fines and penalties. Over $131 million in fines have been issued to organizations for HIPAA violations in recent years.
Ensure That Your Organization Is Fully Compliant
Contact Colington Consulting today and allow our team of regulatory experts to assess your organization’s compliance with the HIPAA Security Rule and the risk assessment process. We will make all efforts to ensure your organization adheres to the specifications set out by the HIPAA Security Rule and its related legal standards.