What's Inside
Learn about the key HIPAA best practices for organizations of all sizes to identify, assess, and protect personal health information (PHI) in line with legal requirements.
HIPAA Risk Assessment Checklist: Best Practices
Get Started With Drata
Contents
Summary of Key HIPAA Best PracticesIdentify, Locate, and Document PHICheck for Scope CompletenessAssess Security and Privacy Policies and ProceduresChoose a Risk Assessment MethodologyAssess People, Processes, and TechnologyReport Findings and RecommendationsCreate a Continuous Compliance ProcessExplore Automation of your HIPAA Compliance Activities
If your organization handles protected/personal health information (PHI), you're legally required to protect the data in line with the Healthcare Insurance Portability and Accountability Act (HIPAA). There are guides across the Internet from specialized providers, but few sites break HIPAA requirements down into the manageable ideas needed for providers without a great deal of IT knowledge. This best practices article walks you through the process at a high level, recommending organization and flow for your activities.
Some of the key actions:
Identify and document all forms of PHI within your organization.
Assess people, processes, and technologies involved in handling PHI.
Choose and combine appropriate risk assessment methodologies.
Implement findings and recommendations for continuous compliance.
The principles and practices for creating a checklist here apply to organizations of all sizes, but they are manageable by even the smallest covered entity. Implement these best practices to mitigate risks to your patient data, ensure HIPAA compliance, and protect your organization from the extraordinary cost of noncompliance.
Summary of Key HIPAA Best Practices
Best Practice | Description |
Identify, locate, and document personal health information (PHI) and its uses. | Find and document the lifecycle of your PHI, from its collection to its eventual deletion. Don’t forget that verbal transmission—in person or over the phone—is included! |
Check for scope completeness. | Determine whether assets and data flows for PHI are fully documented and considered in assessments. |
Assess security and privacy policies and procedures. | Review whether applicable policies and procedures reflect appropriate handling of PHI. |
Choose a risk assessment methodology. | Combine assessment methodologies suitable for your organization’s size and procedures, such as combined asset-based and qualitative assessment. |
Assess people, processes, and technology. | Observe compliance with PHI policies and procedures as well as technical configurations. |
Report findings and recommendations. | Document both compliant areas and opportunities for improvement. Provide qualitative analysis of the risks to the organization and PHI owners. |
Create a continuous compliance process. | Support ongoing compliance with risk management lifecycles and the creation of new documentation as processes change. |
Explore automation of your HIPAA compliance activities. | Determine the potential to improve compliance with HIPAA and HITECH through automated assessments, evidence collection, and reporting. |
Identify, Locate, and Document PHI
Personal health information (PHI) refers not just to the contents of medical charts or insurance records. It encompasses a wide range of data that can identify you and relate to your past, present, or future physical or mental health, as well as the healthcare services you've received.
Identifying PHI requires scrutiny of any potential media in which health information may be created or retained. Medical diagnoses, lab results, and insurance claims content are obvious PHI, but other unique identifiers such as assigned medical record numbers, patient email addresses, and payment account numbers may also qualify when used in a healthcare setting. Identifying PHI used by your organization requires a thorough review of all interactions with healthcare providers and organizations.
Check for Scope Completeness
This includes paper and digital records that may be overcooked, such as billing statements and recorded telephone messages that the patient leaves for the provider. Comprehensive documentation must include all forms of PHI your organization handles, whether physical or electronic, and records of information shared by other entities that create and handle this data.
Locating stored PHI means finding all instances of these records—handwritten and electronic health records, medical charts, prescription information, health insurance provider claims information—even post-it notes that contain patient health information —and conversations with healthcare providers in person or over the phone. PHI should be typically retained for a specific period determined by legal requirements and organizational policies. After this retention period, PHI should be securely deleted or destroyed to prevent unauthorized access.
Once you have identified all of the places your organization stores PHI and the formats used, you must create a system to document that information. Develop a structured documentation system to map out all the factors in its reception, uses, and disposal: where the PHI is stored, who has access to it, and how it may be transmitted. This record must be reviewed regularly and updated whenever your processes change.
Assess Security and Privacy Policies and Procedures
After you have discovered and documented where your PHI exists, your HIPAA checklist should include criteria to examine security and privacy policies and procedures. Here, you must take a critical view of whether your practices and requirements are aligned with HIPAA requirements.
Policies and procedures for the protection of PHI must be in writing. The procedures must follow the policies without exception, and they should be reviewed and updated when there are changes. Any informal policies and procedures must be documented, and any procedures that do not meet policies must be changed to align.
Policies and procedures do not have to be complicated or long, but they must be specific. Policies should express the actions that are allowed and which actions are not suitable to protect PHI. Procedures should describe how actions are carried out and who is allowed to perform those actions.
Policies and procedures are unlikely to align with all HIPAA requirements the first time you review them. Add an item to your checklist to correct those policies and procedures that do not adequately protect PHI. You will need another checklist item to review the changed policies and procedures with those who are affected.
Choose a Risk Assessment Methodology
Your HIPAA checklist should include the determination of a risk assessment methodology suitable for your environment. There is no one-size-fits-all approach for identifying the proper risk assessment methodology for your organization: You should choose a risk assessment methodology based on your capability to explicitly determine and express risk. You may also choose a methodology based on how the responsible parties in your organization will best process and judge remediation needs for HIPAA compliance.
If you have a small organization, your baseline might be a simple, streamlined qualitative assessment. This assessment can rate the overall risk of a process or technology in terms such as high, moderate, or low. A simple qualitative rating does not lower the value of the risk assessment; while it is not highly detailed, this may be enough information for the responsible parties to prioritize improvements.
A quantitative risk assessment might be used in larger organizations or those with complex data environments. Quantitative risk assessments assign numerical values to risks, allowing the organization to easily prioritize the required changes. They may also assign values such as costs and effort or timelines for the remediation of risks, which help the responsible parties understand the effort needed to mitigate risks.
Assess People, Processes, and Technology
Once you have settled upon a risk assessment methodology, you can construct the risk assessment criteria for your HIPAA checklist. You know where the data is, and you know how to express risks when they are found—now you can begin an assessment of how the data is accessed, managed, and protected. To do that, you need to look at who can access data, how data is treated, and the technology around the data handling.
People
An unarguable requirement for HIPAA compliance is that data should be available only to those people and organizations with a legitimate business need. To comply, you must identify all personnel who handle PHI and why they need access to it. Once you have determined the right people and partners for access, remove all other potential methods of access to the data.
Compliance with HIPAA also requires people with access to understand their obligations to protect PHI. Your checklist must include regular education, but it should also provide for reviews if there are noted issues in data handling. Anyone with access to PHI should receive training on data privacy and handling requirements before receiving access. Conduct annual refresher training sessions to ensure adherence to HIPAA standards and proper handling practices.
Processes
Evaluate the workflows that involve PHI. First, you might simply ensure that each process complies with HIPAA regulations. For those processes that do not align, revise them to ensure compliance. Next, determine if data handling and movement are necessary, and schedule regular reassessments to ensure that no processes have changed or become obsolete. Finally, review whether changes to processes are possible to still conduct operations but minimize unnecessary access and reduce risk.
Technology
Review the technological infrastructure that stores and transmits PHI. Your checklist must include security measures to detect and protect against unauthorized access. Information systems that process or store PHI must maintain both malware protection and software security patch updates so that the systems are not easily compromised. Proper HIPAA security also requires data to be encrypted in storage and in transit so that if data is lost or stolen, it is not easily altered or accessed.
Establish audit controls that track access and modifications to PHI, and regularly review the logs of access attempts and changes that have been made. The systems should have login protections such as passwords and PINs that are not easily guessed, and accounts must each belong to a single identified person. These controls not only protect the information but also allow better identification of any security issues that occur.
Report Findings and Recommendations
A comprehensive report details findings from the assessment and will provide actionable recommendations for improvement. This report identifies vulnerabilities, expresses risk, and guides the organization in preparing for remediation.
Here are the key components of the report:
Executive Summary: A concise overview of the assessment's scope, methodology, key findings, and high-level recommendations. This section should be easily digestible for non-technical stakeholders.
Detailed Findings: A thorough breakdown of the assessment's results organized by the areas evaluated (e.g., policies and procedures, technical safeguards, and physical security). Each finding should include these elements:
Description: A clear explanation of the issue or observation
Risk Level: A qualitative or quantitative assessment of the risk posed by the finding (e.g., high, medium, low)
Impact: A description of the potential consequences of the finding, including financial, operational, reputational, and legal implications
Recommendation: Specific, actionable steps to address the finding and mitigate the associated risk
Prioritization: A ranking of the finding and recommendations based on its level of risk and potential impact
Remediation Plan: A detailed plan outlining the steps to address the identified vulnerabilities and implement the recommendations, including timelines, responsible parties, and resource allocation
Compliance Status: A summary of the organization's overall compliance status with HIPAA regulations. This should highlight areas where the organization is compliant and areas where improvement is needed.
Qualitative or Quantitative Risk Analysis: A narrative analysis of the risks faced by the organization and PHI owners. Consider discussing:
The types of PHI involved and their sensitivity.
The potential harm to individuals if their PHI is compromised.
The financial and reputational damage that a breach could cause the organization.
The legal and regulatory penalties for noncompliance.
Create a Continuous Compliance Process
HIPAA compliance is not a point-in-time event. Risk management and compliance are ongoing activities that you will need to maintain and repeat to identify and correct divergence from expectations.
Checklist activities for continuous compliance should include the creation of a calendar for policy reviews, employee refresher training sessions, vulnerability scans, and repeat audits. You should establish a process for change management and approval and treat this process like those described above: Ensure that it aligns with policy and that it is known and followed. Track changes in your compliance and regularly report these metrics to the persons responsible for compliance and mitigation activities.
The continuous compliance checklist items, and others that are appropriate to your organization, are necessary to maintain your initial efforts to comply with HIPAA. These activities must become ingrained in the organization’s behaviors so that HIPAA compliance is not a periodic concern. Every activity that includes PHI must align with the accepted procedures for the enterprise so that the organization continues to improve in its behaviors and lower the overall risk to the PHI subjects.
Explore Automation of your HIPAA Compliance Activities
The checklist items you have created probably demonstrate the enormous scope of HIPAA compliance activities and the amount of labor that goes into risk assessment, reporting, and maintaining a compliant organization. Automation is a powerful tool for streamlining and enhancing compliance efforts. Organizations that leverage automation for HIPAA risk assessments will significantly improve their compliance with HIPAA and Health Information Technology for Economic and Clinical Health (HITECH) Act regulations, reduce manual effort, and gain better insights into their security postures.
Automated tools are available to guide you through a structured risk assessment process and ensure that all required elements are covered. They can also generate detailed reports that highlight findings, risks, and recommendations. This saves a significant amount of work in compiling the report.
The upfront investment in automation tools could be significantly outweighed by the long-term benefits of reduced labor costs, fewer audit findings, and, ultimately, lower risk of breaches due to mistakes in the audit and remediation activities. This can free you up to focus on other important aspects of compliance, such as training, policy development, remediation, and incident response.
HIPAA compliance assessment, training, and reporting constitute a great deal of ongoing work for any organization that deals in PHI. The burden of ongoing compliance is smaller once an assessment structure is in place and remediation is finished. However, this is not an easy job for an experienced security and compliance professional, let alone someone tasked with compliance as a side to their daily work. If you do not use an automated solution, you should consider adding technology to support your efforts toward HIPAA compliance.
