For all practical purposes, a HIPAA security risk assessment is accomplished in layers. The first pass addresses each HIPAA security compliance requirement in turn. While this puts a CE (covered entity) on the path of security management and compliance, efforts to reduce risk shouldn’t stop there. With each successive iteration of the risk assessment (most CEs do this annually), security is improved through defense-in-depth analysis. One approach is to focus on the data itself: the ePHI. While HIPAA doesn’t explicitly state it, data security is at the heart of any security management program.
Instead of focusing on the specific HIPAA requirements at your next pass, take a different tack on your journey to continuous improvement. Focus on the ePHI: its source, its travels, and its ultimate resting place.
This involves following the data across the technology architecture on which your business processes depend. Answer the questions:
* Where is that ePHI created or used?
* How is it handled?
* Who has access, and who actually needs to know?
* What forms does it assume?
* Where does it come to rest?
* How and where is it stored?
You have to be able to follow the ePHI across your network, examining the risk of exposure at each step. Compare that exposure to controls you have in place. Identify risks and prioritize actions.
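One way to turn that walk across the network into something repeatable is to record each hop the ePHI takes (where it is created, each link it crosses, where it rests) together with the controls actually in place, then compare each hop against the controls you expect for that handling state and rank the gaps. The script below is an added example and not code from the original post; the hop names, the `REQUIRED_CONTROLS` baseline and the `CONTROL_WEIGHT` scores are constructed assumptions for illustration, not a statement of HIPAA rule text, and the need-to-know question is left as a manual review of the `owners` field.

```python
"""Added example (not from the original post): a minimal ePHI data-flow
inventory with a gap check that compares each hop's exposure to the
controls in place and ranks the resulting risks.

All node names, control names and scores are constructed for illustration;
the required-control table below is an assumed baseline, not HIPAA rule text."""
from dataclasses import dataclass, field

# Assumed baseline: which controls each handling state is expected to have.
REQUIRED_CONTROLS = {
    "create": {"access_control", "audit_logging"},
    "transit": {"encryption_in_transit", "audit_logging"},
    "store": {"encryption_at_rest", "access_control", "backup", "audit_logging"},
}

# Constructed weights: how much exposure a missing control represents.
CONTROL_WEIGHT = {
    "encryption_in_transit": 5,
    "encryption_at_rest": 5,
    "access_control": 4,
    "audit_logging": 2,
    "backup": 3,
}


@dataclass
class Hop:
    """One place the ePHI exists: a system, a network link, or a store."""
    name: str            # where the ePHI is
    state: str           # "create", "transit" or "store"
    form: str            # what form it takes there, e.g. "database row"
    owners: set          # roles with access; need-to-know review is manual
    controls: set = field(default_factory=set)

    def missing_controls(self):
        """Controls expected for this hop's state that are not in place."""
        return REQUIRED_CONTROLS[self.state] - self.controls

    def exposure(self):
        """Weighted sum of the missing controls (0 means no gap found)."""
        return sum(CONTROL_WEIGHT[c] for c in self.missing_controls())


def prioritize(flow):
    """Return (exposure, hop name, sorted missing controls) for every hop
    with a gap, highest exposure first; ties broken by name."""
    findings = [(h.exposure(), h.name, sorted(h.missing_controls())) for h in flow]
    return sorted((f for f in findings if f[0] > 0), key=lambda f: (-f[0], f[1]))


# Constructed sample flow: intake form -> app server -> database -> off-site backup.
SAMPLE_FLOW = [
    Hop("patient-intake-web-form", "create", "HTML form", {"registration-clerk"},
        {"access_control", "audit_logging"}),
    Hop("form-to-app-server-link", "transit", "HTTPS request", {"app"},
        {"encryption_in_transit"}),
    Hop("clinical-db", "store", "database row", {"dba", "clinician"},
        {"access_control", "backup"}),
    Hop("db-to-offsite-backup-link", "transit", "tar archive", {"backup-service"},
        set()),
]

if __name__ == "__main__":
    # Highest-exposure hops come first, so this is the action list in priority order.
    for exposure, name, missing in prioritize(SAMPLE_FLOW):
        print(f"{exposure:2d}  {name:28s} missing: {', '.join(missing)}")
```

Running it lists the unencrypted database and the unencrypted, unlogged backup link ahead of the app-server link that merely lacks logging. The point of the structure is that the inventory (the `Hop` list) is what you carry from one annual pass to the next: controls added since the last assessment drop out of the gap list, and new hops discovered while following the data are appended rather than rediscovered.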
By taking this approach you can leverage your HIPAA security compliance initiative to more completely secure your data and thus protect your business.