The term “security audit” is often used synonymously with security risk assessment and risk analysis. But a security audit for HIPAA compliance is when the Department of Health and Human Services (HHS) audits a covered entity or business associate to determine their level of compliance with the HIPAA Privacy, Security and Breach Notification Rules. You can learn more about the security audits conducted by HHS at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html
Security risk assessment and risk analysis are often used interchangeably as well when discussing HIPAA compliance. There is a lot of confusion around terminology as the federal government doesn’t use these terms consistently.
§ 164.308(a)(1)(ii)(A), for Risk Analysis, requires a covered entity to, “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.”
To provide guidance on conducting a “risk analysis”, HHS offers a free Security Risk Assessment Tool, available at https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool
Also, the HHS Office for Civil Rights (OCR) uses the term “risk assessment” in the Breach Notification Rule for the process of evaluating a security incident to determine whether a breach has occurred; see https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
Semantics aside, the spirit of the HIPAA Security Rule is that every organization that creates, transfers, views or stores ePHI should have a security program in place. That program starts with a risk assessment (or analysis, or audit) of the controls you have in place to protect the confidentiality, integrity and availability (CIA) of information against threats.
Steps to a security assessment:
1. Determine the scope. HIPAA is only concerned about ePHI, but there is certainly other confidential information that you would like to protect. Consider all the financial, employee or proprietary information that your organization transfers, creates and stores. The same threats that exist to ePHI often exist to other information that the organization deems as important. Protecting ePHI can have a side benefit of protecting all your confidential information if included in the scope.
2. Identify how information is transferred, created, stored, and accessed. After you have defined what information is worth protecting, determine all the places that it is stored and all the ways that information flows through your organization. Often referred to as data mapping, this is an expansive process that requires a thorough evaluation of all business processes and departments that deal with the information you wish to protect.
3. Enumerate potential threats. Threats change quickly as new technologies are introduced and new vulnerabilities are discovered. It is impossible to identify all the threats. An information security professional can help you identify the most common current threats.
4. Evaluate your controls. Once you know what to protect and what you are protecting it against, evaluate the controls that are currently in place; the gaps between the controls you have and the controls you need are your vulnerabilities. These controls include administrative, physical, and technical safeguards. Standard safeguards can be referenced from multiple information security frameworks, including NIST, ISO and FISASCORE.
5. Determine your risk. Risk is the likelihood that a threat will exploit a vulnerability and have an adverse impact on an asset (the information you are trying to protect). You need a way to quantify your risk so you can decide what to do about it. A scoring system, such as FISASCORE administered by an information security professional, can help you build a risk management plan. For each risk, your options are then to accept, reduce (mitigate), transfer, or avoid it. Having a risk management plan is also a requirement of the HIPAA Security Rule.
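As an added illustration of steps 1, 3, 4 and 5 (not part of the original post and not FISASCORE or any HHS tool), the Python below builds a small risk register: each in-scope asset is paired with a threat, the expected controls are checked, and a residual likelihood times impact score is mapped to accept / reduce / transfer / avoid. The 1-to-5 scales, the score thresholds and the sample clinic data are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Assumed scales for this example: likelihood 1 (rare) to 5 (expected); impact on
# confidentiality/integrity/availability 1 (minor) to 5 (severe). The thresholds
# in treatment() are constructed for illustration and are not FISASCORE.

@dataclass
class Control:
    name: str
    implemented: bool
    likelihood_reduction: int  # likelihood points removed when the control is in place

@dataclass
class RiskItem:
    asset: str                 # step 1: in-scope data store or data flow
    threat: str                # step 3: threat being evaluated
    base_likelihood: int       # likelihood with no controls applied
    impact: int
    controls: list = field(default_factory=list)  # step 4: safeguards expected here
    essential: bool = True     # False when the process could simply be stopped

    def residual_likelihood(self) -> int:
        done = sum(c.likelihood_reduction for c in self.controls if c.implemented)
        return max(1, self.base_likelihood - done)
    def score(self) -> int:    # step 5: risk = residual likelihood x impact
        return self.residual_likelihood() * self.impact

    def vulnerabilities(self) -> list:  # expected controls that are missing
        return [c.name for c in self.controls if not c.implemented]

def treatment(item: RiskItem) -> str:
    """Map a score to accept / reduce / transfer / avoid."""
    s = item.score()
    if s >= 15:
        return "reduce" if item.essential else "avoid"
    return "reduce or transfer" if s >= 8 else "accept"

def build_register() -> list:
    """Constructed sample register for a small clinic; not real data."""
    enc = Control("full-disk encryption", False, 2)
    mfa = Control("MFA on remote access", True, 2)
    bkp = Control("tested offline backups", False, 1)
    return [
        RiskItem("laptops with ePHI exports", "lost or stolen device", 4, 5, [enc], essential=False),
        RiskItem("EHR remote portal", "credential theft", 4, 5, [mfa]),
        RiskItem("EHR database", "ransomware", 3, 5, [bkp]),
    ]

def risk_plan(register: list) -> list:
    """(asset, threat, score, treatment, missing controls) rows, highest risk first."""
    rows = [(r.asset, r.threat, r.score(), treatment(r), r.vulnerabilities()) for r in register]
    return sorted(rows, key=lambda row: row[2], reverse=True)
```

Calling `risk_plan(build_register())` ranks the unencrypted laptop export highest and, because that flow is marked non-essential, recommends avoiding it rather than adding controls, while the portal protected by MFA drops to a mid-range score.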