HIPAA Audit Tips – OCR Audit Protocol – Risk Analysis

This entry is part 2 of 2 in the series HIPAA Audit Tips

In case the HHS / OCR Final Guidance on Risk Analysis published in July 2010 and the May 2012 ONC Guide to Privacy and Security of Health Information were not enough to clarify both the importance of a bona fide HIPAA Security Risk Analysis and how to actually conduct one, the recently published OCR HIPAA HITECH audit protocols provide further insight into what is expected. Here’s today’s big tip — get down on the Risk Analysis Implementation Specification (at 45 CFR 164.398(a)(1)(ii)(A)) audit protocols…

OCR Audit Protocols – Risk Analysis

Risk analysis is a foundational step for any earnest Risk Management and/or Security Management program. After all, without a good risk analysis, how does one understand the organization’s exposures?

The HIPAA Security Risk Analysis Standard

At § 164.308(a)(1)(ii)(A), under HIPAA Security Administrative Safeguards, the Risk Analysis Implementation Specification is stated as follows:

§164.308(a)(1): Security Management Process §164.308(a)(1)(ii)(A) – Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity. 

The OCR Audit Protocol for Risk Analysis

Key Performance Activity: Conduct Risk Assessment

Audit Procedures:

  • Inquire of management as to whether formal or informal policies or practices exist to conduct an accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
  • Obtain and review relevant documentation and evaluate the content relative to the specified criteria for an assessment of potential risks and vulnerabilities of ePHI.
  • Determine whether evidence of the covered entity’s risk assessment process or methodology shows that it considers the elements in the criteria and has been updated or maintained to reflect changes in the covered entity’s environment.
  • Determine if the covered entity risk assessment has been conducted on a periodic basis.
  • Determine if the covered entity has identified all systems that contain, process, or transmit ePHI.

Bottom Line:

  1. No need to guess anymore; read the HHS / OCR Final Guidance on Risk Analysis and underlying NIST security framework.
  2. No time to wait; in addition to OCR HIPAA Audits, CMS Meaningful Use Attestations are starting; read page 27 of the ONC Guide to Privacy and Security of Health Information… False Claims Act anyone?
  3. Looking for an experienced, trusted HIPAA Risk Analysis firm? Consider the Clearwater HIPAA Security Risk Analysis™ SaaS solution.

Contact us for more information or to learn about a tailored Clearwater HIPAA Audit Prep WorkShop™ or the Clearwater HIPAA Audit Prep BootCamp™ series.

Wanna be even more ready for an audit or hip on HIPAA? Learn more…

The complete HIPAA Privacy, Security and Breach regulations are here.

If you’d like to keep up to date on Audit Preparation, Risk Analysis or HIPAA-HITECH in general, please also consider (all optional!):

Clearwater helps healthcare organizations ensure patient safety and improve the quality of care by safeguarding the confidentiality, integrity and availability of protected health information (PHI). We have assisted more than 400 customers to operationalize and mature their information privacy, security, compliance and information risk management programs. And in the process, we are raising the bar for safeguarding PHI, protecting millions of Americans and driving real value for the organizations we support and the healthcare industry at large.