Include HIPAA Security Risk Assessments in 2022 Compliance Plans


Compliance & Risk Management

Cue champagne toasts, Auld Lang Syne, aspirations for a fresh start … and compliance work planning. Yep, must be the New Year!



FSA wants to remind our communities that as compliance and ethics program planning takes shape for 2022, be sure to cover a crucial aspect: HIPAA Security risk assessments.

Performing periodic security risk assessments is integral to maintaining compliance with the HIPAA Security Rule, established by the Department of Health and Human Services (HHS) to safeguard the confidentiality, integrity, and availability of electronic protected health information (e-PHI).

Why HIPAA Security Assessments Are Important

HHS requires covered entities (CEs) to implement security measures for e-PHI. Especially in today’s environment, it’s critical for organizations to keep HIPAA Security Risk Assessments top of mind.

With more and more healthcare workers using personal devices for work tasks plus growth in telehealth services, the pandemic has created a window for cyber criminals, according to a report from CI Security. The report found that 21.3 million healthcare records were breached in the second half of 2020 – a 36% increase.

Protect residents from PHI breaches. A security breach resulting in stolen resident health records can lead to financial or medical identity theft. Medical identity theft can cause delays in treatment or misdiagnosis due to inaccuracies in health data caused by the breach.

Prevent financial penalties for noncompliance. According to HIPAA Journal, failure to perform an organization-wide risk analysis to identify risks to the confidentiality, integrity, and availability of e-PHI is one of the top violations resulting in financial penalties.

HHS recognizes that HIPAA compliance doesn’t mean data breaches will never occur. But it does hold healthcare organizations accountable for reducing that risk to an appropriate level, which means conducting periodic security risk assessments.

How often should CCRCs (continuing care retirement communities) perform a HIPAA Security Assessment?

The Security Rule doesn’t set forth a specific cadence for risk assessments. Many CEs adhere to an annual assessment, which is generally viewed as a reasonable approach.  

If your organization undergoes any major changes that affect how e-PHI is stored or handled – e.g., opening a new location, introducing new work practices, or implementing new technology – it’s a good idea to conduct an additional assessment to identify any new vulnerabilities.

The NIST HSR Toolkit

FSA’s compliance specialists recommend having a third-party company complete a HIPAA security risk assessment every two to three years. In the intervening years, CEs should complete a self-assessment using a toolkit developed by the National Institute of Standards and Technology (NIST).

The NIST HIPAA Security Rule (HSR) toolkit is a desktop application that walks an organization through a series of questions designed to surface areas of vulnerability to cybersecurity risks, organized around the Security Rule’s standards and implementation specifications.

What a HIPAA Security Assessment Should Cover

Recognizing that CEs vary greatly in size and complexity, HHS doesn’t require any specific methodology for a security assessment. However, HHS does set forth an objective: to identify potential risks and vulnerabilities to the confidentiality, integrity and availability of all e-PHI that an organization creates, receives, maintains, or transmits.

With this in mind, HHS recommends that as part of a security assessment, CEs conduct a risk analysis that includes the following efforts:

  • Identify where the organization stores, receives, maintains and transmits e-PHI.
  • Identify and document potential threats and vulnerabilities to e-PHI.
  • Assess current security measures in place to safeguard e-PHI, and whether they’re being used properly.
  • Determine the likelihood that each “reasonably anticipated” threat will occur, documenting every threat and vulnerability combination considered.
  • Determine and document the potential impact of an incident in which a given threat exploits a given vulnerability.
  • Assign risk levels based on the likelihood and impact combinations identified in the risk analysis.
  • Document the assessment and list the actions to be taken to mitigate risks at each level.
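The steps above amount to building and scoring a risk register. The following is an added worked example, not an HHS or NIST tool and not FSA’s own material: it models each entry as an e-PHI location paired with a threat, a vulnerability, the controls already in place, likelihood and impact ratings, and a planned mitigation, then scores and ranks the entries. The three-point scales, the likelihood × impact product, and the thresholds that turn a score into a risk level are assumptions in the style of NIST SP 800-30; the sample register is constructed for a hypothetical community, not real findings.

```python
from dataclasses import dataclass
from typing import Dict, List

# Assumed 3-point rating scales (NIST SP 800-30 style). An organization should
# pick and document its own scales as part of the risk analysis.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}

# Assumed mapping from the likelihood x impact product (1..9) to a risk level.
LEVEL_THRESHOLDS = [(6, "high"), (3, "medium"), (1, "low")]


@dataclass
class RiskEntry:
    location: str          # step 1: where e-PHI is stored, received, maintained or transmitted
    threat: str            # step 2: the reasonably anticipated threat
    vulnerability: str     # step 2: the weakness the threat could exploit
    controls: List[str]    # step 3: safeguards currently in place
    likelihood: str        # step 4: "low" / "medium" / "high"
    impact: str            # step 5: "low" / "medium" / "high"
    mitigation: str        # step 7: the action planned to reduce the risk
    score: int = 0         # filled in by analyze()
    level: str = ""        # filled in by analyze()


def risk_level(score: int) -> str:
    """Step 6: translate a numeric score into a documented risk level."""
    for threshold, level in LEVEL_THRESHOLDS:
        if score >= threshold:
            return level
    raise ValueError(f"score out of range: {score}")


def analyze(entries: List[RiskEntry]) -> List[RiskEntry]:
    """Steps 4-6: score each threat/vulnerability pair and rank highest risk first.

    Entries with a missing or misspelled rating raise rather than silently
    scoring as zero, so an incomplete register cannot pass as a finished one.
    """
    for e in entries:
        if e.likelihood not in LIKELIHOOD or e.impact not in IMPACT:
            raise ValueError(f"unrated entry: {e.location} / {e.threat}")
        e.score = LIKELIHOOD[e.likelihood] * IMPACT[e.impact]
        e.level = risk_level(e.score)
    return sorted(entries, key=lambda e: e.score, reverse=True)


def mitigation_plan(entries: List[RiskEntry]) -> Dict[str, List[str]]:
    """Step 7: group the documented mitigation actions by risk level."""
    plan: Dict[str, List[str]] = {"high": [], "medium": [], "low": []}
    for e in analyze(entries):
        plan[e.level].append(f"{e.location}: {e.mitigation}")
    return plan


# Constructed sample register for a hypothetical community (not real findings).
SAMPLE_REGISTER = [
    RiskEntry("EHR database server", "ransomware", "unpatched remote access service",
              ["perimeter firewall", "daily backups"], "high", "high",
              "patch the service and require MFA for remote access"),
    RiskEntry("staff personal phones (telehealth app)", "lost or stolen device",
              "no device encryption or remote wipe", ["password policy"], "medium", "high",
              "enroll devices in MDM with encryption and remote wipe"),
    RiskEntry("offsite backup tapes", "theft in transit", "tapes are not encrypted",
              ["locked courier case"], "low", "high",
              "encrypt backups before they leave the building"),
    RiskEntry("front-desk printer queue", "misdirected printout", "shared output tray",
              ["staff-only area"], "medium", "low",
              "enable secure print release"),
]

if __name__ == "__main__":
    for e in analyze(SAMPLE_REGISTER):
        print(f"{e.level:6} {e.score}  {e.location}: {e.threat} via {e.vulnerability}")
    for level, actions in mitigation_plan(SAMPLE_REGISTER).items():
        print(level, actions)
```

Run as-is, the sample ranks the unpatched EHR server (score 9) and the unmanaged personal phones (6) as high, the backup tapes (3) as medium, and the printer queue (2) as low, which is the prioritized list of mitigation actions the final step asks for. The scored register, together with the scales and thresholds it used, is the documentation an auditor would expect to see.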

For additional guidance, see FSA’s blog post on HIPAA rules for preventing security breaches. FSA participants can refer to the July 2021 Education Packet on responding to a HIPAA security breach.

Friends Services Alliance (FSA) is a national professional association of values-aligned organizations that serve seniors. Our support services include a team of Compliance and Risk Management experts who have supported organizations in developing and maintaining effective Compliance and Ethics Programs for over 20 years.