HIPAA Security Evaluation – HIPAA Risk Analysis – Explained

Compliance assessment? Security Evaluation? Risk Assessment? Risk Analysis? Compliance Analysis?

Huh?

Lots of confusion continues to swirl around the difference between a HIPAA Security Evaluation and a HIPAA Security Risk Analysis. No wonder: the terms are often used interchangeably.

Let’s end the confusion…

Technically, one might argue that when it comes to regulatory compliance of any type, three types of assessments can be completed:

1. Compliance Assessments (Evaluation, in HIPAA Security Final Rule parlance) answer questions like: “Where do we stand with respect to the regulations?” and “How well are we achieving ongoing compliance?”

2. Risk Assessments (Analysis, in HIPAA Security Final Rule parlance) answer questions like: “What is our risk exposure to information assets (e.g., PHI)?” and “What do we need to do to mitigate risks?”

3. Readiness Assessments answer questions like: “Have we implemented adequate privacy safeguards?”, “Have we implemented adequate security safeguards?” and “Are we ready for an audit?”

We focus on the first two in this post because these are the ones you must complete. Both are required by the HIPAA Security Final Rule.

A thorough HIPAA Security Compliance Evaluation broadly covers all aspects of the law, including all 18 Standards and 42 Implementation Specifications that comprise the Administrative, Physical and Technical Safeguards (45 C.F.R. §§ 164.308, 164.310 and 164.312) in the HIPAA Security Final Rule. Additionally, this evaluation must cover 45 C.F.R. §§ 164.314 and 164.316, which address Organizational Requirements and Policies and Procedures and Documentation Requirements.

As indicated above, every Covered Entity and Business Associate is required to complete this HIPAA Security Compliance Evaluation. The language of the law is in 45 C.F.R. § 164.308(a)(8):

Standard: Evaluation. Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart.

This type of assessment is a critical step and should be completed whether one is just starting a HIPAA Security Compliance program, rejuvenating an existing program or maintaining an existing program. The output of the evaluation establishes a baseline against which overall progress can be measured by the executive team, compliance or risk officer, audit committee or board. Think FOREST view. At the end of such an evaluation, one would have a Summary Compliance Indicator such as the one shown in the following Security Evaluation Compliance Summary:

[Figure: HIPAA Security Evaluation Dashboard]

A HIPAA Security Risk Analysis (§ 164.308(a)(1)(ii)(A)) is also required by law to be performed by every Covered Entity and Business Associate. Additionally, completion of the Risk Analysis is a core requirement for meeting the Meaningful Use objectives. Section 164.308(a)(1)(ii)(A) of the HIPAA Security Final Rule states:

RISK ANALYSIS (Required).

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].

As required by the HITECH Act, the Office for Civil Rights (OCR), within the Department of Health and Human Services (HHS), has issued final “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”. This guidance was published on July 8, 2010. No specific methodology was mandated. However, the guidance describes nine (9) essential elements a Risk Analysis must incorporate, regardless of the risk analysis methodology employed. We have designed a Risk Analysis methodology and ToolKit around these elements, using industry best practices.

As an example, upon evaluation of each information asset that creates, receives, maintains or transmits electronic Protected Health Information (ePHI), one would have an asset-by-asset evaluation of risk, along with mitigation actions involving new safeguards or controls:

[Figure: HIPAA Security Risk Analysis Summary Risk Level]

Upon completion of the Risk Analysis for all information assets, an overall Risk Analysis Project Tracking tool would be used to provide ongoing project management of the implementation of safeguards:

[Figure: HIPAA Security Risk Analysis Project Tracking]

So, when it comes to HIPAA Security Compliance Evaluation, think:

· Forest-level view

· Overall compliance with the HIPAA Security Final Rule

· Establishing a baseline evaluation score for measuring progress

· Asking: Have we documented appropriate policies and procedures, etc.?

· Asking: Are we performing against our policies and procedures?

When it comes to HIPAA Security Risk Analysis, think:

· Trees/weeds-level view of each information asset that holds PHI

· Meeting a specific step in the overall compliance process

· Understanding the current safeguards and controls in place

· Asking: What are our specific risks and exposures to information assets?

· Asking: What do we need to do to mitigate these risks?

Both the HIPAA Security Compliance Evaluation and the HIPAA Security Risk Analysis are required by law, and both are important and necessary steps on your HIPAA-HITECH Security compliance journey.

Please feel free to contact us to benefit from our expertise and help you jump-start your program.

bob.chaput@H3CA.com or call 615-496-4891
