No Data Flow Analysis? No Risk Assessment



By Diane Evans
Publisher, MyHIPAA Guide

Here is a simple truth about assessing risks under the Health Insurance Portability & Accountability Act (HIPAA): start by knowing all the places where private information is.

Once you know where it is, you can determine where it might end up.  In this sense, risk assessment amounts to a detailed mapping of potential routes to unauthorized exposure.

Depending on your organization, private information might reside in lots of places.  Think about:

  • Emails
  • Text messages
  • Mobile devices
  • EHRs
  • Paper files
  • Downloads

Once you know where private information is within your organization, you can then conduct a data-flow analysis to determine how it might be compromised in each platform where it resides, such as in email or an EHR.

Ask yourself these key questions:

  • In each platform where private information is held, where does it typically go, and where could it potentially go?
  • What security measures are in place?
  • What can be done for better protection?

To illustrate the need for data-flow analysis, let’s consider a few scenarios of how breaches happen, even within security-laden EHRs.

As is common within EHRs, functionality varies according to settings and configuration.  For example, the settings may allow for downloading of health records, such as patient histories or physician orders.

If that is the case within your organization, where do these downloads reside once they leave the EHR walls?  Are they on office computers or on mobile devices? Could they be easily emailed or accessed by third parties with no need to know?  If so, what security precautions are in place?

In yet another way too much information may escape an EHR, think about records sent to other healthcare providers.  In our fieldwork, we’ve encountered cases in which dentists, for example, have received complete patient histories, well beyond what they needed to know.

Worse yet, there are cases (and fines) to illustrate how server configurations or coding errors can expose private information to anyone with an Internet connection.  One recent case involved a nonprofit agency near Buffalo, New York, while another incident resulted in a hospital paying a $2.1 million fine.
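The three key questions above (where does the data go, what controls are in place, what else is needed) and the three scenarios just described (EHR downloads drifting onto unmanaged devices, referrals carrying more history than the recipient needs, and a misconfigured server exposing records to the Internet) can be handled with one mechanical data-flow exercise: list every place ePHI resides, list every hop it can take between those places, and walk every route from the EHR outward, flagging each hop that lacks encryption, lacks access control, or delivers more fields than the recipient has a need to know. The Python below is an added example of that exercise, not code from MyHIPAA Guide; the system names, flows, field names and control flags are constructed for illustration and would be replaced with your own inventory.

```python
"""Minimal ePHI data-flow inventory and exposure-path finder.

Added example, not code from MyHIPAA Guide.  The parties, flows, field
names and control flags below are constructed for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One hop ePHI can take from src to dst."""
    src: str
    dst: str
    channel: str             # how the data moves: export, sync, email, https
    encrypted: bool          # protected in transit and at rest on this hop
    access_controlled: bool  # dst requires authentication to read the data
    fields: frozenset        # which ePHI elements travel on this hop


@dataclass(frozen=True)
class Party:
    """A place or recipient where ePHI can reside."""
    name: str
    need_to_know: frozenset  # the minimum-necessary set this party should see


ALL = frozenset({"name", "dob", "dental_history", "allergies",
                 "mental_health_notes", "lab_results", "ssn"})

# Constructed inventory (hypothetical systems); replace with your own.
PARTIES = {p.name: p for p in [
    Party("ehr", ALL),
    Party("office_pc", ALL),
    Party("staff_phone", ALL),
    Party("dentist", frozenset({"name", "dob", "dental_history", "allergies"})),
    Party("web_server", ALL),
    Party("internet", frozenset()),
]}

FLOWS = [
    # EHR export setting is enabled: records land on an encrypted office PC
    Flow("ehr", "office_pc", "export", True, True, ALL),
    # that PC syncs its Downloads folder to a phone with no PIN or encryption
    Flow("office_pc", "staff_phone", "sync", False, False, ALL),
    # a referral to a dentist carries the complete history, more than needed
    Flow("ehr", "dentist", "email", True, True, ALL),
    # the portal back end is fine, but a directory listing is left world-readable
    Flow("ehr", "web_server", "https", True, True, ALL),
    Flow("web_server", "internet", "http", False, False, ALL),
]


def hop_gaps(flow):
    """Return the control gaps on a single hop (empty list means no finding)."""
    gaps = []
    if not flow.encrypted:
        gaps.append(f"unencrypted {flow.channel} {flow.src}->{flow.dst}")
    if not flow.access_controlled:
        gaps.append(f"no access control at {flow.dst}")
    excess = flow.fields - PARTIES[flow.dst].need_to_know
    if excess:
        gaps.append(f"{flow.dst} receives beyond need-to-know: {sorted(excess)}")
    return gaps


def exposure_paths(flows, origin):
    """Walk every simple path out of origin and report each hop with a gap,
    together with the full route ePHI took to reach that hop."""
    graph = defaultdict(list)
    for f in flows:
        graph[f.src].append(f)
    findings = []

    def walk(node, route, seen):
        for f in graph.get(node, []):
            if f.dst in seen:          # avoid cycles (e.g. a phone syncing back)
                continue
            gaps = hop_gaps(f)
            if gaps:
                findings.append((route + [f.dst], gaps))
            walk(f.dst, route + [f.dst], seen | {f.dst})

    walk(origin, [origin], {origin})
    return findings


def report(findings):
    """One human-readable line per finding: route, then the gaps on its last hop."""
    return [" -> ".join(route) + ": " + "; ".join(gaps) for route, gaps in findings]


if __name__ == "__main__":
    for line in report(exposure_paths(FLOWS, "ehr")):
        print(line)
```

Run against the constructed inventory, the walk reports the phone hop (unencrypted, no access control), the dentist referral (fields beyond need-to-know) and the public directory listing, while the encrypted, authenticated export to the office PC produces no finding. The point of the structure is that each finding carries its full route, so "where could it potentially go" is answered by the path and "what security measures are in place" by the flags on each hop; adding a flow or changing a flag and re-running is the periodic check the text calls for.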

The Federal government’s SAFER Guides (Safety Assurance Factors for EHR Resilience) point to the need to “mitigate the highest priority configuration-related safety risks introduced by the EHR.”  They note the importance of periodic checks to catch errors in configuration and coding.

In truth, the configuration issue extends beyond the EHR to other web-based platforms, such as email and cloud-based applications.

Yet in itself, configuration is just one part of the risk assessment equation.  Information can be compromised in countless other ways, with each platform — such as email or the portable device — creating its own set of risks and corresponding protections.

The challenge — and the mandate — is to examine, as exhaustively as you can, every way private information might be improperly exposed.  With that information in hand, each vulnerability can then be addressed one by one.

As stated in an October 2018 news release, published on the website of the U.S. Health and Human Services Department:

“An enterprise-wide risk analysis is not only a requirement of the HIPAA Security Rule, it is also an important process to help healthcare organizations understand their security posture to prevent costly data breaches.  What is an enterprise-wide risk analysis?  It is a robust review and analysis of the risks to the confidentiality, integrity, and availability of electronic health information — across all lines of business, in all facilities, and in all locations.”

HIPAA recognizes that it is impossible to prevent every possible breach.  However, HIPAA expects a good-faith effort – the measure of which is in the details of the assessment and mitigation efforts.

Diane Evans is Publisher of MyHIPAA Guide, which offers HIPAA training, consulting, breach investigation and a comprehensive subscription program for achieving HIPAA compliance.  Visit or contact Diane at  To receive information about educational webinars relating to HIPAA, email


  1. Thank you…thank you…thank you!

    Identifying the location of ePHI is such a fundamental step, that if not done well, the rest of the SRA is compromised and sometimes significantly.

    The upside is that there are many effective ways to do a thorough cataloging and inventorying of ePHI. This inventory can then serve as the basis for the other aspects of the SRA, which often means identifying those assets which are involved in the creation, maintenance, receipt, or transmittal of ePHI…and so on.

    Thank you for highlighting this very important step of the SRA. I know it doesn’t get nearly as much attention as threats, vulnerabilities, impact, risk levels, mitigation, etc…but the value of identifying the location of ePHI cannot be overstated, in my view.

    How refreshing to hear such a practical bit of advice. I also find that identifying the location of ePHI, particularly in the physician practice space and many times in the hospital space as well, is a relatively straightforward process.

    Sure it may take some time and effort, but it is time and effort well spent.
