What is Risk Management Under the HIPAA Security Rule?

Modified on Mon, 28 Jul at 11:28 AM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

Introduction

This article discusses the HIPAA Security Rule's risk management requirement. Risk management is the process of implementing security measures sufficient to reduce risks and vulnerabilities identified in the security risk analysis, to a reasonable and appropriate level.

What is the HIPAA Security Rule Security Management Process?


The HIPAA Security Rule has an administrative safeguard measure known as the "security management process" standard. Under this standard, covered entities and business associates  implement policies and procedures to prevent, detect, contain, and correct security violations. Implementing these policies and procedures helps to ensure the security of electronic protected health information (ePHI)

Under the security management process standard, covered entities and business associates are required to perform risk analysis and risk management (among other things). 

Under the risk analysis requirement, covered entities and business associates must "Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate."

The information gathered during the risk analysis is then used to perform risk management.


What is HIPAA Risk Management?


Risk management is the process of implementing security measures sufficient to reduce risks and vulnerabilities identified in the security risk analysis, to a reasonable and appropriate level, to comply with the Security Rule's requirements to:

(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.

(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the HIPAA Privacy Rule.

(4) Ensure compliance with this subpart by its workforce.


How Can Risk Management be Performed?


To understand what HIPAA risk management is, let’s look at and define three terms: vulnerabilities, threats, and risks.


Vulnerabilities are weaknesses or gaps in an organization’s security program that can be exploited to gain unauthorized access to ePHI. An example of a vulnerability is not having your data encrypted. 


Threats are things that can exploit these vulnerabilities and damage or destroy ePHI. Threats include malware, phishing schemes, and viruses.


Risk is the potential for damage or destruction to ePHI as a result of a threat exploiting a vulnerability


The three terms can now be put together in a single sentence: If your data is not encrypted (a vulnerability), there is a risk your ePHI may be damaged as a result of a malware attack (a threat).


How to Rank Risks

Every risk has both a probability and an impact. 


Risk probability is the chance of a risk occurring. Risk impact is the cost of a risk if it does occur.   

Take the example of attending a baseball game. A spectator at the game runs the risk that he or she will spill a soda that they purchased. The probability of the risk is not non-existent (especially if the soda-buyer is sitting in a full row and there is only a short distance between the person’s shoes and the end of the step the person is sitting on).


While the probability of the soda spilling isn’t insignificant (let’s call it 10%), the impact – the costs – are not that high. The person who bought the soda might want to purchase another, and someone (either a person, the cleaning crew, or sunshine) will most likely clean the spill. 


Let’s slightly change the facts. A foul ball strikes our soda-buyer, hitting him or her in the arm, and causing the soda to spill in the process. The probability of this chain of events actually occurring is pretty low – let’s say, less than one percent. The impact or cost, however, can be significant. As before, costs can include cleaning costs and the costs of a replacement soda. The costs in the foul ball victim hypothetical can be much greater. That person, as a result of being hit in the arm, may break his or her arm. The costs of a broken arm can include surgery and medication, and can also include intangible costs, such as pain and the inability to use the arm for a period of time.   


The risk analysis is a listing of likely and unlikely risks, with both high and low impacts. In the analysis, risks with both the highest probabilities AND the highest impact are ranked highest on the list, while risks with the lowest probabilities and impacts are ranked lowest (at the bottom).  Higher-ranked risks should be remediated first, and lower-ranked risks should be remediated after. 


What is a HIPAA Risk Management Plan?

A HIPAA risk management plan should contain a mitigation (or loss prevention) strategy for each item ranked on the list. A mitigation strategy is a series of steps designed to limit the probability and impact of the risk. If the risk to be guarded against is, for example, a malware attack, the analysis should contain steps designed to minimize the likelihood and impact of the attack.   


Once an organization develops a HIPAA risk management plan, the organization should share and review the plan with the appropriate employees, so that they will know what is required on their part to successfully implement the plan. The organization should also periodically review its HIPAA risk management plan to prevent the plan from becoming stale and not reflective of actual risks and costs.

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article