HIPAA Audit Tips – Don’t Confuse HIPAA Security Evaluation and Risk Analysis

HIPAA Audit Tips – Don’t Confuse HIPAA Security Evaluation and Risk Analysis

Compliance assessment? Security Evaluation? Risk Assessment? Risk Analysis? Compliance Analysis? Huh?  Lots of confusion continues to swirl around the difference between a HIPAA Security Evaluation versus HIPAA Security Risk Analysis.  No wonder, the terms are often used interchangeably.  Let’s end the confusion… Here’s today’s big tip – Learn the critical difference – Don’t Confuse HIPAA Security Evaluation and Risk Analysis !

Don’t Confuse HIPAA Security Evaluation and Risk Analysis

Technically, one might argue when it comes to regulatory compliance of any type, three types of assessments can be completed:

  1. Compliance Assessments (Evaluation, in HIPAA Security Final Rule parlance) answer questions like: “Where do we stand with respect to the regulations?” and “How well are we achieving ongoing compliance?”
  2. Risk Assessments (Analysis, in HIPAA Security Final Rule parlance) answer questions like: “What is our risk exposure to information assets (e.g., PHI)?” and “What do we need to do to mitigate risks?”
  3. Readiness Assessments answer questions like “Have we implemented adequate privacy safeguards?”, “Have we implemented adequate security safeguards?” and are we ready for audit.

We focus on the first two in this post because these are the ones you must complete. Both are Required by the HIPAA Security Final Rule.

HIPAA Security Evaluation or Assessment:

A thorough HIPAA Security Compliance Evaluation broadly covers all aspects of the law including all 18 Standards and 42 Implementation specifications that comprise the Administrative, Physical and Technical Safeguards (CFR 164.308, 310, 312) in the HIPAA Security Final Rule.  Additionally, this evaluation must cover CFR 164.314 and 316 related to Organizational Requirements, Policies and Procedures and Documentation.

As indicated above, completing this HIPAA Security Compliance Evaluation is required by every Covered Entity and Business Associate. The language of the law is in 45 C.F.R. § 164.308(a)(8):

Standard: Evaluation. Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart.

This type of assessment is a critical step and should be completed whether one is just starting a HIPAA Security Compliance program, rejuvenating an existing program and maintaining an existing program. The output of the evaluation establishes a baseline against which overall progress can be measured by the executive team, compliance or risk officer, audit committee or board. Think FOREST view. At the end of such an evaluation, one would have a Summary Compliance Indicator such as the one shown in the following Security Evaluation Compliance Summary:

Screencapture taken from our Security Assessment software.

Screencapture taken from our Security Assessment software.

 

HIPAA Security Risk Analysis:

A HIPAA Security Risk Analysis (§164.308(a)(1)(ii)(A)) is also required by law to be performed by every Covered Entity and Business Associate.Additionally, completion of the Risk Analysis is a core requirement to meet Meaningful Use objectives.Section 164.308(a)(1)(ii)(A) of the HIPAA Security Final Rule states:

RISK ANALYSIS (Required).  Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].

As required by The HITECH Act, the Office for Civil Rights, within the Department of Health and Human Services (HHS), has issued final “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”.This guidance was published on July 8, 2010.No specific methodology was indicated.However, the guidance describes nine (9) essential elements a Risk Analysis must incorporate, regardless of the risk analysis methodology employed.We have designed a Risk Analysis methodology and ToolKit around these elements while using industry best practices.

As an example, upon evaluation of each information asset that creates, receives, maintains or transmits electronic Protected Health Information (ePHI), one would have an asset-by-asset and media-by-media evaluation of risk:

Screencapture taken from our Risk Analysis software.

Screencapture taken from our Risk Analysis software.

Don’t Confuse HIPAA Security Evaluation and Risk Analysis

So, when it comes to HIPAA Security Compliance Evaluation, think:

  • Forest-level view
  • Overall compliance with the HIPAA Security Final Rule
  • Establishing baseline evaluation score for measuring progress
  • Asking: Have we documented appropriate policies and procedures, etc?
  • Asking: Are we performing against our policies and procedures?

When it comes to HIPAA Security Risk Analysis, think:

  • Trees/Weeds-level view of each information asset with PHI
  • Meeting a specific step in the overall compliance process
  • Understanding current safeguards and controls in place
  • Asking: What are our specific risks and exposures to information assets?
  • Asking: What do we need to do to mitigate these risks?

Both the HIPAA Security Compliance Evaluation and the HIPAA Security Risk Analysis are, required by law and important and necessary steps on your HIPAA HITECH Security compliance journey.

Please feel free to contact us to benefit from our expertise and help you jump-start your program.

Series NavigationHIPAA Audit Tips – OCR Audit Protocol – Risk Analysis >>

Clearwater

Clearwater helps healthcare organizations ensure patient safety and improve the quality of care by safeguarding the confidentiality, integrity and availability of protected health information (PHI).

We have assisted more than 400 customers to operationalize and mature their information privacy, security, compliance and information risk management programs. And in the process, we are raising the bar for safeguarding PHI, protecting millions of Americans and driving real value for the organizations we support and the healthcare industry at large.
Avatar
Posted in
Avatar
Clearwater
Clearwater helps healthcare organizations ensure patient safety and improve the quality of care by safeguarding the confidentiality, integrity and availability of protected health information (PHI). We have assisted more than 400 customers to operationalize and mature their information privacy, security, compliance and information risk management programs. And in the process, we are raising the bar for safeguarding PHI, protecting millions of Americans and driving real value for the organizations we support and the healthcare industry at large.
Subscribe to our newsletter

Our monthly eNewsletter which includes industry articles and white papers that we’ve gathered for you. We’re confident you’ll find a nugget or two among them!

ocr-quality-stamp-tm-home

Clearwater-provided risk analyses have a 100% acceptance rate when submitted to the Office for Civil Rights.

About Clearwater

Clearwater provides the most complete and trusted, enterprise-class cyber risk management solution available. Designed for healthcare providers and their partners, Clearwater’s IRM|Pro™ platform and experienced professional services team provide insights and actions to address compliance, cyber and patient safety risks. Clearwater is a 2017 Inc. 5000 fastest-growing company, the 2018 Best in KLAS winner in Cybersecurity Advisory Services, the 2017, 2018, and 2019 Black Book Marketing Research winner in Compliance and Risk Management Solutions, and exclusively endorsed by numerous state hospital associations. Clearwater solutions have been deployed within hundreds of hospitals and health systems, Fortune 100 organizations, and federal government institutions. 

Show Buttons
Hide Buttons