Necessity of risk assessment in disclosure of PHI to vendors

September 19th, 2017
PHI or patient health information is regarded as health data that can be traced to a certain individual. It is individually identifiable information obtained by healthcare providers in the course of diagnosis and/or treatment of a patient. The records of PHI store the past, present and future physical or mental conditions of a patient. They also show the provisions of healthcare received, currently being received or that will be received in days to come as well as payment information made in the past, present and future.

A distinction is drawn between PHI in general and ePHI, which is individually identifiable health information that is transmitted or maintained using electronic media.

Examples of PHI

  • Official names of the patient
  • Geographical subdivisions of patient location such as street name, county, city
  • All date elements: birth date, admission date, discharge date, date of death
  • Contact info such as telephone number, fax number, email addresses
  • Billing info such as social security numbers, account numbers
  • Medical Records of patient
  • Health plan beneficiary numbers
  • Facial recognition images e.g. photographs
  • Device serial numbers
  • Other identifiers such as license/certificate numbers and biometric identifiers (fingerprints)
  • Web URLs
  • Internet Protocol address numbers

According to the HIPAA privacy rule, all individually identifiable health information that is available to a covered entity or a business associate must be protected. This information can be maintained in many forms such as digital format, paper or oral.

This means that vendors, who are third parties in the arrangement, are also bound by the compliance rules laid out in the HIPAA Act of 1996. A vendor is considered a business associate because it offers services that in one way or another bring it into contact with PHI; it could be a billing company, a cloud service provider or an IT hosting firm. Healthcare providers often outsource some responsibilities to external entities to gain scalability and interoperability. In doing so, these third parties/vendors are exposed to PHI, even if only indirectly, and can suffer data breaches just like anyone else. This is where risk assessment comes in.

What is Risk Assessment?

On April 14, 2003, a revision of the HIPAA law saw the introduction of the HIPAA Privacy rule under which risk analysis was outlined as a requirement. Risk assessment is a procedure that is carried out to identify and implement appropriate safeguards against data breaches that may occur in the future. It includes identifying areas where PHI will be used and ensuring that they are protected and safe as per the HIPAA Compliance checklist.

The first and most basic type of risk assessment is a facility-based assessment. Here the vendor must ensure that the workstations or premises where critical information is stored (such as server rooms) are physically secured to keep intruders out. They should also be protected against all hazards, both natural and environmental.

It is important that before a hospital or health insurance company hands over its data to a third party, it verifies that this vendor is fully HIPAA compliant. At the end of the day failure on the vendor’s part directly affects the reputation of the organization.

HIPAA Risk Assessment Checklist

  • Identify the manner in which PHI is stored, kept and transmitted.
  • Identify the potential security threats and vulnerabilities to the information.
  • Study the security measures currently being used to safeguard PHI.
  • Assess to find out whether these security measures are working or not.
  • Find out the probability of a breach and the type of breach.
  • Assess the impact that the breach would have on PHI.
  • Assign risk levels to each vulnerability and its impact.
  • Document the assessment.
  • Take the necessary action steps according to the report.

Types of risk assessment tools in the market

There are various risk assessment tools available in carrying out this process in a customized and efficient manner. It should be noted though that not all risk assessment tools apply the same way to all organizations. Each organization has its own size and complexity as well as varied capabilities. Some of the risks that an effective assessment tool should address include employee personnel issues, access control, data backups, data recovery and technical and physical security.

One of the most widely recommended security risk assessment tools is the SRA tool, released by the Office of General Counsel and the Office of the National Coordinator for Health Information Technology in March 2014. The tool is a self-contained desktop application containing 156 questions. The questions are written in line with HIPAA requirements and require a ‘yes’ or ‘no’ answer. By answering them, an organization can identify its areas of risk and work to improve them.

The tool continues to be updated and can be downloaded for use on a Windows desktop. A recent version is available for Windows 10. Here are some of the new features in the updated tool:

  • Compatibility with the latest versions of Windows: Windows 8.0, 8.1 and 10
  • A Save As feature that allows the assessment report to be saved to a different location and shared with colleagues
  • Enhanced reporting functions with an improved look and functionality of PDF reports while giving more options for adding information.

A more detailed and revised User Guide accompanies the tool. The application can be downloaded at no cost and is also available for use on iPads.


It should be noted that vendor compliance and risk assessment are not one-time activities. Health technology development is a continuous and dynamic process that keeps changing. To ensure continued compliance, therefore, a risk assessment must be repeated from time to time. This makes it possible to identify ineffective safeguards and replace or reinforce them with a better framework. By continuously performing risk analysis and closing the gaps it reveals, a vendor organization can achieve the standards of confidentiality, integrity and availability of PHI set out in the HIPAA rules.