Experienced HIPAA Risk Analysis for Business Associates

Eagle Consulting assists Business Associates with the HIPAA Risk Analysis required by the HIPAA Security Rule.  This includes conducting the HIPAA Security Risk Analysis, also known as the Risk Assessment, and creating a corrective action plan based on findings.  A graphic illustration of the Security Management Process shows the multiple steps to create a detailed Security Risk Analysis.

When dealing with hospitals, physician practices or insurance companies, a standard framework can be used because the business processes of these entities are generally understood at the onset.  However, there is tremendous variety of Business Associates with vastly different business processes, for example:

• Billing services are focused on healthcare and maintain billing and/or electronic records with access to records of a few practices of to records of hundreds of organizations
• Consulting firms or attorneys may send consultants or attorneys on site at hospitals but never store any electronic PHI on their own systems
• Medical software authors/resellers may have extensive teams of software developers, and customers may expect that the code is secure.  These organizations may process PHI on a limited basis for data conversions but otherwise keep no PHI.  And, these organizations may maintain electronic access to their client’s systems.
• A direct mail mailing house may service a wide variety of industries and from time-to-time handle a large hospital’s mailings to patients

Further, a business associates may range from a small organization with a few people to a national organization with hundreds of locations and tens of thousands of employees.  Because of this wide range, an initial discovery phase is necessary as part of the risk analysis process.

Engagement & Eagle Solution Process

Discovery and Control Selection.  The first step is to understand the business processes of the Business Associate, to identify the electronic PHI that it maintains, and to briefly understand the existing controls in place.  Based on the business processes, Eagle identifies the controls that are most appropriate.    The selection process involves reviewing appropriate controls not only from the HIPAA Implementation Specifications, but also from the more comprehensive and granular framework, ISO 27002.  In addition, Eagle reviews relevant controls from the Council on CyberSecurity’s Top 20 Security Controls because some of these high-priority controls are absent from HIPAA.  The deliverable from this step is a list of controls that we

Control Review and Testing.  Using the controls identified above, existing controls will be reviewed in more detail with gaps and deficiencies identified.  Any previous evaluations, such as penetration testing and vulnerability scans, will be reviewed.  As an option with this process, Eagle can include either of these evaluations as part of the scope of work.

Impact Assessment.  Based on an understanding of the quantity of ePHI involved, the nature of the organization, and the reliance on information technology for daily operations, the impact of various failures will be estimated.  Failures evaluated will include data breach, system downtime, and data integrity failures.

Site Review. An on-site assessment is included, with a walk through of facilities, to evaluate physical security controls, to validate data obtained, and to perform additional assessments.

Final Report.  A final written report is provided, in a format consistent with the requirements of the HIPAA Security rule, 164.308(a)(1)(ii).  This standard calls for an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI.  Eagle’s report will include a list of prioritized recommendations to address risks and vulnerabilities identified.

Remediation Support.  As a follow-up to the risk analysis, a variety of services are available to assist with corrective action.