HIPAA Security Risk Analysis Tips – 9 Essential Elements

This entry is part 16 of 39 in the series HIPAA Security Risk Analysis Tips

The HIPAA Security Final Rule requires that all Covered Entities and Business Associates (and, likely soon, their subcontractors) complete a Risk Analysis (45 C.F.R. § 164.308(a)(1)(ii)(A)).  Here's a big tip – you can't simply make up how you're going to do it!  Nor can you rely on a so-called expert just because they have an approach of their own.  The HHS/OCR Final Guidance on Risk Analysis is clear:  regardless of methodology (and some don't make the grade!), HHS/OCR cites nine (9) essential elements that must be included in your risk analysis…

9 Essential Elements of a HIPAA Security Risk Analysis

Regardless of the risk analysis methodology employed, your work must include these elements:

  1. Scope of the Analysis - All ePHI that an organization creates, receives, maintains, or transmits must be included in the risk analysis, in every form of electronic media and every system that holds it. (45 C.F.R. § 164.306(a).)
  2. Data Collection - The organization must identify where its ePHI is stored, received, maintained, or transmitted (for example by reviewing past and current projects, interviewing staff, and reviewing existing documentation), and the data gathered must be documented. (See 45 C.F.R. §§ 164.308(a)(1)(ii)(A) and 164.316(b)(1).)
  3. Identify and Document Potential Threats and Vulnerabilities - Organizations must identify and document reasonably anticipated threats to ePHI, and the vulnerabilities that, if triggered or exploited by a threat, would create a risk of inappropriate access to or disclosure of ePHI. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A) and 164.316(b)(1)(ii).)
  4. Assess Current Security Measures - Organizations must assess and document the security measures already in use to safeguard ePHI, including whether those measures are configured and used properly. (See 45 C.F.R. §§ 164.306(b)(1), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)
  5. Determine the Likelihood of Threat Occurrence - The Security Rule requires organizations to take into account the probability of potential risks to ePHI, i.e., how likely each identified threat is to exploit a given vulnerability. (See 45 C.F.R. § 164.306(b)(2)(iv).)
  6. Determine the Potential Impact of Threat Occurrence - The Rule also requires consideration of the “criticality,” or impact, on the confidentiality, integrity, and availability of ePHI if a threat does exploit a vulnerability. (See 45 C.F.R. § 164.306(b)(2)(iv).)
  7. Determine the Level of Risk – The level of risk could be determined, for example, by combining the values assigned to the likelihood of threat occurrence and the resulting impact.  The output should be documented risk levels for each threat/vulnerability pair and the corrective actions needed to mitigate each one.  (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)
  8. Finalize Documentation - The Security Rule requires the risk analysis to be documented but does not require a specific format. (See 45 C.F.R. § 164.316(b)(1).)
  9. Periodic Review and Updates to the Risk Analysis - The risk analysis process should be ongoing. In order for an entity to update and document its security measures “as needed,” which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed, for example when its technology or business operations change. (45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii).)

We suggest you use the list above as an initial screening tool when you're considering building or buying a methodology or hiring someone to do the work.

A HIPAA Risk Analysis is not to be confused with a HIPAA Security Evaluation (45 C.F.R. § 164.308(a)(8))!  We explained the difference in a prior post.

In addition to an express requirement to conduct a risk analysis, the Rule indicates that risk analysis is a necessary tool in reaching substantial compliance with many other standards and implementation specifications.  We have assembled many useful documents, tools and resources related to Risk Analysis on our site at: http://abouthipaa.com/about-hipaa/resources/  Please feel free to use and enjoy them!

10 Responses to “HIPAA Security Risk Analysis Tips – 9 Essential Elements”
  1. Jesus 12 December 2013 at 10:08 am #

    This article is in fact a nice one; it assists new web visitors who are wishing in favor of blogging.

    Here is my blog; webdesign (Jesus)
