Clients frequently ask the question,

“How often should I perform a security risk analysis as a covered entity under HIPAA?”

While the HIPAA Security Rule does not require a security risk assessment to be performed within a certain timeframe, it does state that the risk analysis process should be ongoing and continuous. Similarly, the Quality Payment Program (for covered entities accepting Medicare) evaluates, as a required measure, whether an organization has performed a security risk analysis within a 12-month period (January through December). Simply put, a security risk analysis should be performed at least annually for covered entities accepting Medicare, and whenever changes occur for covered entities under HIPAA. The security risk analysis should drive the IT security plan for the organization. It should not only point out gaps between the organization’s security procedures and the HIPAA security standards, but also account for the current vulnerabilities and threats the organization faces. Current topics relating to security vulnerabilities and threats may include:

  • Risk of an insider threat maliciously or mistakenly using or disclosing protected health information (PHI)
  • Risk of using software with known (or unknown) vulnerabilities
  • Risk of ransomware as new variants emerge frequently
  • Risk that a third party’s inadequate security procedures expose your organization’s ePHI

Benefits of a security risk analysis outside of identifying security vulnerabilities include:

  • Justification of budget allocation towards information security
  • Prioritization and planning of how one can minimize identified security risks
  • Recommended strategies to minimize identified risks

A security risk analysis is vital to an organization’s IT security plan, as it is the best way to assess security gaps against HIPAA security requirements and industry best practices. Performing a security risk analysis at least annually will be extremely beneficial in setting the tone for the IT security plan. An annual security risk analysis is also a great tool for showing evidence of how a covered entity’s security posture matures over time and adapts to current security risks and trends.