Risk Assessments in Healthcare: Where Legal Requirements Also Make Good Business Sense!  

HIPAA

While some of the legal requirements on your organization can seem overly burdensome, there are times when legal requirements also align nicely with what makes good business sense. Risk assessments in the healthcare industry are a good example of that alignment.  

The Law

The HIPAA Security Rule requires (among other things) that all Covered Entities (CEs) and Business Associates (BAs) conduct a thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI). See 45 C.F.R. § 164.308(a)(1)(ii)(A). The Security Rule also requires that CEs and BAs implement security measures to appropriately reduce risks and vulnerabilities. See 45 C.F.R. § 164.308(a)(1)(ii)(B).

Good Business Sense  

As a practical matter, conducting a risk assessment and implementing appropriate changes is also a smart business move. Reducing risks and vulnerabilities helps an organization better protect its data, systems, and operations, as well as its customers, patients, members, end users, employees, and business partners – all things that will ultimately impact the bottom line.

To effectively reduce risks and vulnerabilities, an organization must first identify the realistic risks and threats to, and vulnerabilities within, the organization. That’s where the risk assessment comes into play. The risk assessment, whether completed with internal resources or through the services of a qualified third party, is the tool that allows the organization to get a realistic picture of “what’s out there” and what could adversely affect the organization. After obtaining that realistic picture of risks, threats and vulnerabilities, the organization can review its current security posture to determine how it currently addresses (or does not address) the identified risks, threats and vulnerabilities. At that point, the organization will be able to identify and prioritize the changes that should be made to appropriately reduce risk.

Combining Legal and Technical

Decisions regarding which security measures, policies and procedures to change or implement are best made with the benefit of both technical and legal advice. The technical advice component will help an organization identify and implement technical solutions and data security measures, policies and procedures that provide meaningful protection for the organization’s data and systems. The legal advice component will help an organization ensure that the potential solutions and security measures, policies and procedures meet the required legal standards, and help the organization understand the legal risks associated with security-related decisions and potential adverse events.

Ultimately, an organization needs to be confident that its approach to security is both practically appropriate and legally sufficient.

Pro Tip for Assessments  

Prior to conducting a risk assessment, an organization should discuss the endeavor with counsel. Depending upon the circumstances, an organization might be able to protect from later disclosure to third parties (e.g., plaintiffs!) certain discussions and information developed during the assessment.

Bobby Turnage leads Sands Anderson’s Cybersecurity and Technology Team. If you have questions about this post, or any data security, data privacy or technology issues, please contact Bobby or one of our Cybersecurity and Technology Team members.
