Ready, Set, Assess! An Action Plan for Conducting
a HIPAA Privacy Risk Assessment
by Gordon J. Apple, JD, and Mary D. Brandt, MBA,
Now that the privacy regulations are here to stay,
it’s time to conduct a HIPAA privacy risk assessment. Here’s a step-by-step
approach to planning and conducting an assessment for institutions of all
Given the complexity of the HIPAA privacy regulations
and the significant impact they will have on the way healthcare organizations
do business, now is the time for HIM professionals to determine what they
and their organizations need to do to comply. Regardless of any changes
that the Bush administration or others hope to make to the regulations,
the reality is that covered entities (CEs) should not delay in getting ready
for HIPAA. A key preliminary step toward the goal of implementation is conducting
a comprehensive HIPAA privacy risk assessment.
This article describes a phased risk-assessment approach
that institutions of any size can follow. Key benchmarks let you measure
where your organization stands and where it needs to go, and common-sense
tips for planning and conducting a risk assessment are provided.
Before You Start
It is difficult to begin the risk assessment process
without understanding the HIPAA lexicon and fundamental concepts. Accordingly,
before starting your HIPAA privacy risk assessment, review the regulations
generally, with an intensive review of five specific regulatory sections:
- §160.103 contains key definitions on the applicability
- §164.501 outlines definitions specifically related
to the privacy standards
- §164.502 sets forth "general rules" for
uses and disclosures of protected health information
- §164.514 contains specific requirements relating
to use and disclosure
- §164.530 outlines the administrative requirements
that CEs will have to meet
Once you have an understanding of these essential
components of the HIPAA structure, the remaining pieces of the jigsaw
puzzle should begin to fit into place. (See "A Closer
Look at the Regulations.")
Getting Your Privacy Risk Assessment Started
After a thorough review of the privacy regulations,
you are ready to begin your risk assessment.
The process begins with preliminary organizational
and educational tasks and concludes with a blueprint for the development
and implementation of a HIPAA privacy compliance program. This four-step
risk assessment process is inherently scalable.
Phase 1—The Right People
The privacy standards require CEs to designate a privacy
official or officer. The privacy officer will be responsible for the development
and implementation of the organization’s HIPAA privacy compliance efforts
and serve as the "brain trust" for institutional leaders and
Phase 1 Benchmarks
- designate privacy official
- educate and get buy-in of senior and middle
- appoint and hold initial meetings of privacy
Large organizations may have a full-time chief privacy
officer and numerous others at the entity or department level. A small
hospital or clinic may satisfy this requirement by bestowing the title
on its HIM director. The privacy official should be at a high level, credible,
and have a good understanding of patient data and how it is used throughout
Regardless of organizational size, the privacy official
needs to be the first person to get his or her arms around the general
requirements of HIPAA. This means developing a thorough understanding
of HIPAA’s notice and consent requirements, patient rights, and business
associate issues. In particular, the privacy official should strive to
gain an early "big-picture" view of what these various requirements
will mean to the organization.
Once educated, the privacy official should ensure
that upper and middle management are informed of basic HIPAA privacy requirements
and the proposed process that will be followed in development and implementation
of a compliance program. The ongoing support of top management in the
compliance process is essential.
Once the privacy officer has a better understanding
of the task at hand, a risk assessment team can be assembled. In larger
organizations, it is expected that the privacy officer will be supported
by the efforts of one or more HIPAA compliance committees that will also
participate in designation or approval of the risk assessment team.
The risk assessment team should include people familiar
with the basic flow of protected health information (PHI) in a variety
of areas, including but not limited to:
- clinical care (MDs, RNs, lab, and other ancillary
areas where data is used/disclosed)
- administrative transactions (patient registration
and appointments, fund raising, etc.)
- financial transactions (payment, health plan authorizations,
medical necessity reviews)
- research (institutional review board, research
- education (residents, etc.)
- public health (cancer registry, communicable disease
- general corporate (information technology, human
Phase 2—Conducting An Initial Risk Assessment
It is important to remember that the government recognizes
that one size does not fit all. The preamble to the final rule states:
Wherever possible, the final rule provides a covered
entity with flexibility to create policies and procedures that are best
suited to the entity’s current practices in order to comply with the standards,
implementation specifications, and requirements of the rule. This allows
the covered entity to assess its own needs in devising, implementing,
and maintaining appropriate privacy policies, procedures, and documentation
to address these regulatory requirements.
Phase 2 Benchmarks
- identify primary areas for review within
the framework of enumerated HIPAA requirements
- develop a Phase 2 work plan
- map the internal and external flow of PHI
- identify the technical infrastructure
- inventory existing policies and procedures
- prepare Phase 2 summary reports
In practical terms, this means that in individualizing
the risk assessment process for an organization, it is important to understand
just how big an organization is. If your organization operates in numerous
states and has an operating budget in the billions, then your risk assessment
process should be extensive and sophisticated. You’re likely to rely on
sophisticated information technology techniques in gathering and analyzing
risk assessment data. On the other end of the spectrum, if you work at
a small rural clinic, you will likely rely on doing what is quick, efficient,
This part of the risk assessment should be designed
to identify primary areas for review within the framework of the enumerated
HIPAA requirements. At this point, your goal is to come away with a big-picture
view of what is going on in the organization and how existing processes,
policies, and procedures roughly match up with HIPAA privacy requirements.
"Phase 2—Mapping Information
Flow," and "Key Phase 2 Tasks for Implementation,"
contain a listing of general Phase 2 tasks that are tied to or support
the implementation of key HIPAA requirements. The first task (and probably
one of the most challenging) is mapping the internal and external flows
The time and difficulty of this task will likely be
a function of an organization’s size and complexity. The remaining tasks
involve identification of the technical infrastructure and the inventory
of existing polices and procedures.
The goal for all Phase 2 tasks is the development
of summary documents that tell an organization what appears to be going
on and the development of checklists that can be used in Phase 3 for department-level
reviews and the eventual gap analysis.
The privacy officer and the privacy committee (if
there is one) should oversee this initial data/information-gathering process.
Then, develop a work plan that addresses who is responsible for conducting
each element of the Phase 2 analysis, the expected work product, and the
timeline for completion. Consider doing a test run to determine the most
effective way to gather the Phase 2 data. An initial beta test will allow
you to modify the process to fit institutional needs and quirks. Obviously,
some tasks will be difficult, depending on the size of an organization.
The Phase 2 summary reports should be shared with
both upper-level and line management to discover if anything significant
has been missed. After filling in the initial assessment gaps, the organization
can then proceed with the development of department-level risk assessment
checklists/forms (tools). Adopt a consistent and uniform analytical approach
for each area in a facility or department that merits review.
Phase 3—The Next Level
In Phase 3, the risk assessment should move from the
macro-organizational level to the micro-departmental level. With the data
gained through the Phase 2 analysis, CEs will be able to develop uniform
assessment tools that department administrators can use to gather detailed
data. The Phase 3 timeline should be relatively short if you have developed
easily understood assessment tools. For a sample department-level assessment
tool designed to track the flow of PHI, go to AHIMA’s Web site at www.ahima.org.
Click "Ready Resources," then "Journal of AHIMA."
Select "Feature Articles" and then select this article. Look
for a link to this tool in the online version of this article.
The goal of the Phase 3 analysis should be a report
that clearly identifies existing PHI data practices across the spectrum
of organizational activities. This "gap analysis" report should
contain an inventory of existing policies and procedures and a chart that
compares existing practices to those required under HIPAA. The report
should contain an inventory of IT/IS equipment and practices used in the
capture, storage, and transmission of PHI. Finally, the report needs to
provide an easily understood set of maps that present PHI flow.
Phase 3 Benchmarks
- develop Phase 3 risk assessment tools
- develop Phase 3 work plan
- develop Phase 3 report
Phase 4—A Plan for the Future
A final step in the risk assessment process should
be establishing priorities to guide the development and implementation
of a HIPAA privacy compliance plan.
Phase 2 Benchmarks
- develop priority (risk ranking) checklist
- create work plan for Phase IV analysis
- prepare Phase IV report
Based on the Phase 3 report, determine the areas that
present the greatest potential compliance risks. Think of the documentation
of this final risk assessment effort as an addendum to the more comprehensive
Phase 3 report. In effect, the Phase 4 report should be an executive summary
of conclusions, options for action to achieve HIPAA compliance, and recommendations
on resource allocation.
It may be necessary to apply a weighting factor to
areas of concern to identify and manage development and implementation
priorities. Prime candidates are those areas in a facility that either
have frequent access to PHI or areas where access is not frequent, but
where failure to comply with the privacy regulations could lead to severe
or significant problems. Develop some common-sense checklists.
For example, consider the issue of business associates,
which come in all stripes and colors. A remote coder who is an independent
contractor would be a business associate. The failure of that individual
to comply with HIPAA privacy regulations could lead to problems. Given
the amount of PHI being provided to the coder, he or she would be given
a high frequency score.
Now think of your professional liability legal counsel.
Although defense counsel may not have a lot of PHI on computer hard drives,
any PHI that is there may be highly sensitive. Accordingly, defense counsel
would be given a high severity score.
The HIPAA risk assessment process serves at least
three very useful purposes for healthcare organizations and other covered
entities. Primarily, the mere act of going through a risk assessment will
sensitize organizational leaders to the requirements and scope of the
HIPAA privacy standards. More importantly, however, the risk assessment
process serves as a useful institutional checkup for privacy practices
in the digital age. Finally, the process provides the necessary blueprint
for action in the development and implementation of a HIPAA privacy compliance
HIPAA’s Basic Framework
Before beginning the risk assessment process,
it is important to understand HIPAA’s framework. The law’s preamble
lists its three essential purposes:
- to protect and enhance the rights of consumers
by providing them access to their health information and controlling
the inappropriate use of that information
- to improve the quality of healthcare in the
US by restoring trust among consumers, healthcare professionals,
and the multitude of organizations and individuals committed to
the delivery of care
- to improve the efficiency and effectiveness
of healthcare delivery by creating a national framework for health
privacy protection that builds on efforts by states, health systems,
and organizations and individuals
HIPAA seeks to meet these goals through the
enumeration of regulatory standards, implementation specifications,
and requirements. The regulatory standards and implementation specifications
will preempt less stringent state laws in most circumstances. 45
Code of Federal Regulations (CFR), Part 160, outlines the general
administrative requirements. Part 160 defines who is covered by
HIPAA and certain key terms.
The privacy regulations, labeled "Privacy
of Individually Identifiable Health Information," are found
in 45 CFR Part 164, Subpart E. Sections 164.500 to 164.534 outline
the specific requirements that CEs will need to follow. Except for
§§501 and 534, each of the 17 sections contains regulatory standards,
and many standards also have implementation specifications. For
example, under §164.506, the standard requires "consent for
uses or disclosures to carry out treatment, payment, or health care
operations." One of the implementation specifications under
that standard outlines specific "content requirements."
For the full text of the privacy regulations,
go to the Department of Health and Human Services’ comprehensive
HIPAA Web site at http://aspe.os.dhhs.gov/admnsimp/.
A Closer Look at the Regulations
Before you launch your risk assessment, review
the regulation, paying special attention to these sections:
In alphabetical order, some of the most significant
terms under §160.103 to fully understand before beginning a risk
- business associate
- covered entity
- health plan
- healthcare provider
- health information
- implementation specification
- work force
Think of these terms in the real-world context
in which you operate. Covered entities are essentially all of the
players in direct healthcare delivery and payment that transmit
health information in electronic form to carry out financial or
administrative activities related to healthcare. In a few cases,
it is possible to be a healthcare provider and not be a covered
entity. For example, some small healthcare providers may not use
electronic transactions and thus would not be covered by HIPAA.
The definitions contained in §164.501 are specific
to the privacy regulations. Prior to conducting a risk assessment,
review the definitions that apply to your facility. Likely suspects
- individually identifiable health information
- covered functions
- designated record set
- direct treatment relationship
- indirect treatment relationship
- healthcare operations
- organized healthcare arrangement
- protected health information
- psychotherapy notes
- required by law
Once HIM professionals gain a contextual understanding
of HIPAA’s definitions, they will be in a much better position to
engage in the risk assessment process. Based on the preceding definitions,
sections §§502, 514, and 530 contain the general requirements that
will help identify the areas for review in the institutional risk
§164.502—Uses and disclosures of protected
health information: General rules
This section provides the general rules that
CEs must follow when using or disclosing PHI. The first part of
this section outlines "permitted uses and disclosures"
and then addresses "required disclosures." 502(b) presents
the "minimum necessary" standard, but then notes that
it does not apply to "disclosures to or requests by a health
care provider for treatment." (§164.502(b)(2)(i).)
In the risk assessment context, the most significant
aspect of §502 relates to business associates. Section 502 (e) allows
a CE to disclose PHI to a business associate and to allow a business
associate to either "create" or "receive" PHI
on its behalf. To do this, however, the CE must have obtained "satisfactory
assurance that the business associate will appropriately safeguard
the information." The satisfactory assurances must be contained
in a contract or other written agreement or arrangement. Identification
of business associates will be a key challenge in conducting a risk
§164.514—Other requirements relating to uses
and disclosures of PHI
In many ways, section 514 contains many of the
most important requirements under the privacy standards. From setting
out the standard for deidentification of PHI to the standard for
verification of the identity and authority of a person accessing
PHI, this section is a "must read" for HIM professionals.
In addition to verification and deidentification standards, §514
contains standards and implementation specifications for minimum
necessary requirements, uses and disclosures of PHI for marketing,
uses and disclosures for fund raising, and use and disclosures for
underwriting and related purposes.
§530 outlines many of the key components that
all CEs will have to follow, regardless of size. In addition to
the requirement that a "privacy official" be designated,
§530 outlines numerous other standards, including those relating
to safeguards and policies and procedures. Significantly, the safeguards
standard references the yet-to-be-published final HIPAA security
standard in stating that a CE "must have in place appropriate
administrative, technical and physical safeguards to protect the
privacy of protected health information."
Phase 2—Mapping Information Flow
Phase 2 Tasks
M. Identify how PHI is used/disclosed
for "treatment, payment and health care operations."
Map internal data flow according to payment,
treatment, and healthcare operations.
Summary report to share with senior management.
Tasks M-1 to M-3 can be seen as subsets of the general mapping
task. The report should contain both written and visual depictions
of data flow.
M-1. Identify relationships with other
Map flow of data to and from other CEs,
such as health plans and clearinghouses
Summary report that identifies the major
players an organization does business with.
M-2. Identify relationships with business
Map flow of PHI to and from business associates.
Summary report that identifies business
associates by category. In the hospital setting, typical business
associates include information systems vendors, medical transcription
companies, release of
information companies, off-site record
storage vendors, contract coders, consultants, and collection
M-3. Identify how PHI is captured.
Map points where PHI enters the institution.
Summary report that identifies how PHI
is first collected. This report will overlap with some of
the preceding tasks.
Identify IT hardware and IT communication
components used in the capture, storage, and transmission
A summary report that identifies the equipment/technology
used by institutions involved in the flow of PHI (for example,
workstations, PCs, servers, PDAs, LANs, WANs, intranets, and
Existing safeguards, such as access and
authentication controls, should also be identified.
Key Phase 2 Tasks for Implementation
Phase 2 Tasks
Patient access rights
Identify existing policies, procedures,
and access protocols.
Summary report that notes the respective
HIPAA requirements and identifies existing policies and procedures
that either meet the requirement or will have to be amended
to meet them.
Minimum necessary requirement
Identify existing mechanisms to ensure
that staff members, physicians, and outside requesters have
access only to the information needed to do their jobs or
fulfill the purpose of their request.
Patient consent requirement
Identify existing consent documents (such
as the general consent form signed during the registration
process), policies, and procedures.
Notice of information practices
Identify existing notice documents and
related policies and procedures.
Right to an accounting of disclosures
Identify existing process for tracking
non-routine disclosures of PHI.
Right to agree or object
to certain disclosures
Determine if existing policies and procedures
Right to specific authorization for
Determine if existing policies and procedures
apply; collect existing authorization forms.
Patient right to request restrictions
Determine if existing policies and procedures
Patient right to request amendment/correction
Identify existing policies and procedures.
Steps for Follow-up
In developing a risk assessment plan, think
in terms of deliverables. For example, consultants responding to
an RFP for a HIPAA risk assessment may list the following deliverables:
1. Itemize the specific forms and notices
that the privacy standards require CEs to have. This list would
- individual consent form for use/disclosure
of PHI in treatment, payment, and healthcare operations
- notice of information practices
- individual authorization form for CE’s use
or disclosure of PHI for which authorization is required
- individual consent form for release of psychotherapy
- individual "opt-out" form regarding
fund raising by the CE
- business associate contracts/agreements
- work force training certification form
2. Identification of business associates
- priority list of business associates
by type and size
- standard business associate contracts or
- standard RFPs with HIPAA due diligence questions
for new business associates
3. Inventory (key to HIPAA requirements)
of existing policies and procedures—corporate, institutional, and
4. Development of HIPAA-specific policies
- uses and disclosures by CE requiring
an opportunity for the individual to agree or object
- individual request for an accounting of disclosures
- individual request for privacy protection
for PHI used in treatment, payment, and healthcare operations
- individual request to amend PHI
A sample department-level
risk assessment tool to use with this article is available in MSWord
format here. To view the sample,
simply click the link.
Gordon Apple is an attorney in St. Paul,
MN. In addition to his health law practice, he is a frequent speaker on
HIPAA and other health law topics at professional and corporate meetings.
He can be reached at Gapple@HealthLawGeek.Com.
Mary Brandt directs the regulatory compliance practice at Outlook Associates,
Inc., a California-based healthcare and information technology consulting
firm. The former director of policy and research for AHIMA, she is a frequent
speaker on HIPAA and other regulatory and HIM practice issues at professional
meetings. She can be reached at email@example.com.
Apple, Gordon J. and Mary D. Brandt. "Ready, Set, Assess!: an Action Plan for Conducting a HIPAA Privacy Risk Assessment." Journal of AHIMA 72, no.6 (2001): 26-32.