Business Policies and Procedures Manual
Chapter 88: Information Privacy

Protected Health Information Risk Assessment

BPPM 88.20

For more information contact:
   Compliance and Civil Rights
   509-335-8864 /
   ITS Security Operations
   509-335-1642 or 509-335-0404

1.0   Policy

Each WSU health care component (HCC) and applicable business unit is responsible for conducting an annual risk assessment, in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (45 CFR 164.308(a)(1)(ii)(A)). All risk assessments must be documented. Vulnerabilities that are determined to be high risk to the HCC and business units must be timely mitigated.

All protected health information (PHI) risk assessments must be maintained and disclosed in a confidential manner. (See Section 3.1.) PHI risk assessments are exempt from the Public Records Act (PRA) and must not be disclosed under public records requests. (RCW 42.56.420(4)) See also BPPM 90.05.

2.0   Applicability

This policy applies to the:

  • Health Care Components (HCCs) that have been identified in Washington State University (WSU) Executive Policy EP40; and
  • All WSU system business units, workforce members, and WSU system information systems that collect, store, process, share, or transmit protected health information (PHI).

3.0   Procedure

Each WSU HCC and business unit conducts an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of PHI, including electronic PHI (ePHI), held by the WSU HCC and business units.

3.1   Annual Risk Assessment

The Privacy Officer or assigned workforce member with sufficient knowledge and expertise in information security at each WSU HCC and business unit is responsible for performing an annual risk assessment. The risk assessment must be completed using the Security Risk Assessment Tool provided by the Office of the National Coordinator for Health Information Technology website.

Each HCC and business unit must promptly and securely provide a completed risk assessment to the WSU System Privacy Officer and the HCC Privacy and Security Officer(s). HCCs and business units, with input and guidance from the Chief Information Security Officer (CISO), the WSU System Privacy Officer, and the HCC Privacy and Security Officer(s), evaluate the risk assessment and determine appropriate corrective actions, if any, to mitigate risks to vulnerabilities identified in the risk assessment. (See Section 4.0 for privacy officer information.)

Each HCC and business unit is required to timely implement corrective actions determined to be reasonable and necessary to reduce and manage risk identified from the risk assessment. The HCC and business units must provide regular updates to the WSU System Privacy Officer, CISO, and HCC Privacy and Security Officer regarding the status of their activities to implement a corrective action until it is completed.

The risk assessment and all corrective action must be:

  • Documented;
  • Maintained confidentially; and
  • Retained for at least six years from the date of its creation or the date when it was in effect, whichever is later.

See 45 CFR 164.316(b)(2)(i) and BPPM 90.01.

Health Science Compliance retains the official University copy of the risk assessments and corrective actions. The HCC and the business units retain secondary (reference) copies of the risk assessments and corrective actions for their units.

4.0   References

Compliance and Civil Rights (CCR) Health Sciences Policies, Templates, Assessments, and Training

CCR Privacy Officers

BPPM 87.20: Security Assessment and Authorization

BPPM 87.25: Information Security Risk Assessment

Revisions:  August 2023 – new policy (Rev. 613)