HIPAA Security Risk Analysis Tips – 9 Essential Elements
The HIPAA Security Final Rule requires that all Covered Entities and Business Associates (and, likely soon, their subcontractors) complete a Risk Analysis (45 C.F.R. § 164.308(a)(1)(ii)(A)). Here's a big tip: you can't simply make up how you're going to do it! Nor can you always rely on so-called experts who use their own home-grown approach. The HHS/OCR Final Guidance on Risk Analysis is clear: regardless of methodology (and some don't make the grade!), HHS/OCR cites nine (9) essential elements that must be included in your risk analysis…
9 Essential Elements of a HIPAA Security Risk Analysis
Regardless of the risk analysis methodology employed, your work must include these elements:
- Scope of the Analysis - all ePHI that an organization creates, receives, maintains, or transmits must be included in the risk analysis. (45 C.F.R. § 164.306(a)).
- Data Collection - An organization must identify where ePHI is stored, received, maintained, or transmitted, for example by reviewing past and current projects, interviewing staff, and reviewing existing documentation and inventories. The data on ePHI gathered using these methods must be documented. (See 45 C.F.R. §§ 164.308(a)(1)(ii)(A) and 164.316(b)(1).)
- Identify and Document Potential Threats and Vulnerabilities - Organizations must identify and document reasonably anticipated threats to ePHI, and the vulnerabilities which, if triggered or exploited by a threat, would create a risk of inappropriate access to or disclosure of ePHI. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A) and 164.316(b)(1)(ii).)
- Assess Current Security Measures - Organizations should assess and document the security measures an entity uses to safeguard ePHI, whether the security measures the Security Rule requires are already in place, and whether current measures are configured and used properly. (See 45 C.F.R. §§ 164.306(b)(1), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)
- Determine the Likelihood of Threat Occurrence - The Security Rule requires organizations to take into account the likelihood of potential risks to ePHI. (See 45 C.F.R. § 164.306(b)(2)(iv).)
- Determine the Potential Impact of Threat Occurrence - The Rule also requires consideration of the “criticality,” or impact, of potential risks to confidentiality, integrity, and availability of ePHI. (See 45 C.F.R. § 164.306(b)(2)(iv).)
- Determine the Level of Risk - The level of risk could be determined, for example, by analyzing the values assigned to the likelihood of threat occurrence and the resulting impact of threat occurrence. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)
- Finalize Documentation - The Security Rule requires the risk analysis to be documented but does not require a specific format. (See 45 C.F.R. § 164.316(b)(1).)
- Periodic Review and Updates to the Risk Assessment - The risk analysis process should be ongoing. In order for an entity to update and document its security measures “as needed,” which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed. (45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii).)
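To make the nine elements concrete, here is a small risk-register builder that walks through them in code. This is an added example, not part of the original post and not a tool from HHS/OCR: the three-point Low/Medium/High scales, the product-of-ordinals rating matrix, the one-year review interval and the sample ePHI inventory are all assumptions chosen for illustration. The Security Rule prescribes none of them; it requires only that each element be done and documented. The scope check (`unscoped_assets`) is the part practitioners most often miss: an ePHI location that appears in the inventory but in no risk entry is a gap in element 1.

```python
# Added example (not the post's or HHS/OCR's code): a minimal risk register
# that walks the nine HHS/OCR risk-analysis elements. Scales, matrix, review
# interval and the sample inventory below are assumptions for illustration.
from dataclasses import dataclass
from datetime import date, timedelta
import json

LIKELIHOOD = {"Low": 1, "Medium": 2, "High": 3}  # assumed 3-point scale (element 5)
IMPACT = {"Low": 1, "Medium": 2, "High": 3}      # assumed 3-point scale (element 6)


@dataclass
class Asset:
    """One place ePHI is created, received, maintained or transmitted (element 1)."""
    name: str
    ephi_flow: str   # created / received / maintained / transmitted
    source: str      # how the location was found (element 2: interviews, inventory, ...)


@dataclass
class RiskEntry:
    """One threat/vulnerability pair against one asset (elements 3 to 7)."""
    asset: str
    threat: str
    vulnerability: str
    current_controls: list[str]  # element 4: what is in place today
    likelihood: str              # element 5: analyst rating, given current controls
    impact: str                  # element 6: to confidentiality/integrity/availability

    @property
    def level(self) -> str:      # element 7
        return risk_level(self.likelihood, self.impact)


def risk_level(likelihood: str, impact: str) -> str:
    """Map likelihood x impact to a risk level (assumed product-of-ordinals matrix)."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def unscoped_assets(assets: list[Asset], risks: list[RiskEntry]) -> list[str]:
    """Element 1 check: every ePHI asset must appear in at least one risk entry."""
    covered = {r.asset for r in risks}
    return sorted(a.name for a in assets if a.name not in covered)


def ranked(risks: list[RiskEntry]) -> list[RiskEntry]:
    """Highest risk first, then by asset name, so remediation order is explicit."""
    order = {"High": 0, "Medium": 1, "Low": 2}
    return sorted(risks, key=lambda r: (order[r.level], r.asset))


def finalize(assets, risks, performed_on: date, review_after_days: int = 365) -> dict:
    """Element 8: no format is mandated, so a JSON-serialisable dict is enough.
    Element 9: record when the next review falls due (interval is an assumption)."""
    missing = unscoped_assets(assets, risks)
    if missing:
        raise ValueError(f"ePHI assets with no risk entries: {missing}")
    return {
        "performed_on": performed_on.isoformat(),
        "next_review_due": (performed_on + timedelta(days=review_after_days)).isoformat(),
        "scope": [a.__dict__ for a in assets],
        "risks": [{**r.__dict__, "level": r.level} for r in ranked(risks)],
    }


# Constructed sample inventory; not real data.
SAMPLE_ASSETS = [
    Asset("EHR database server", "maintained", "IT asset inventory"),
    Asset("Billing laptops", "transmitted", "staff interviews"),
    Asset("Backup tapes", "maintained", "vendor contract review"),
]
SAMPLE_RISKS = [
    RiskEntry("EHR database server", "External attacker",
              "Unpatched database listener reachable from the office LAN",
              ["Perimeter firewall", "Quarterly patching"], "Medium", "High"),
    RiskEntry("Billing laptops", "Device theft", "Disk not encrypted",
              ["Cable locks"], "High", "High"),
    RiskEntry("Backup tapes", "Loss in transit", "Tapes unencrypted, courier unvetted",
              ["Chain-of-custody log"], "Low", "High"),
]


def sample_report() -> dict:
    """Run the full procedure over the constructed sample (analysis dated 2024-01-15)."""
    return finalize(SAMPLE_ASSETS, SAMPLE_RISKS, date(2024, 1, 15))


if __name__ == "__main__":
    print(json.dumps(sample_report(), indent=2))
```

Two design points are worth noting. First, the likelihood rating is entered by the analyst after looking at the controls recorded in `current_controls`, rather than being derived from them by code: the guidance asks you to document the measures and then judge likelihood, and an automatic discount for "has a firewall" would hide that judgement. Second, `finalize` refuses to produce documentation while any ePHI location has no risk entry, which turns the scope element into an enforced check rather than a checkbox.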
We suggest you use the list above as an initial screening tool when you're considering building or buying a methodology or hiring someone to do the work.
A HIPAA Risk Analysis is not to be confused with a HIPAA Security Evaluation (45 C.F.R. § 164.308(a)(8))! We explained the difference in a prior post.
In addition to an express requirement to conduct a risk analysis, the Rule indicates that risk analysis is a necessary tool in reaching substantial compliance with many other standards and implementation specifications. We have assembled many useful documents, tools and resources related to Risk Analysis on our site at: http://abouthipaa.com/about-hipaa/resources/ Please feel free to use and enjoy them!
If you'd like keep up to date on Risk Analysis or HIPAA-HITECH in general, please also consider (all optional!):
- Joining our AboutHIPAA LinkedIn Group: http://AboutHIPAALI.org
- Following me: http://Twitter.com/AboutHIPAA
- Subscribing to our eNewsletter: https://app.e2ma.net/app/view:Join/signupId:61331/mailingId:3310893/acctId:36048
- Subscribing to our RSS feed: http://abouthipaa.com/feed/rss/
- Checking our company web site: http://clearwatercompliance.com/
- Attending a HIPAA HITECH live webinar: http://abouthipaa.com/webinars/on-demand-webinars/
- Viewing a pre-recorded webinar: http://abouthipaa.com/webinars/on-demand-webinars/