In case the HHS / OCR Final Guidance on Risk Analysis published in July 2010 and the May 2012 ONC Guide to Privacy and Security of Health Information were not enough to clarify why a bona fide HIPAA Security Risk Analysis matters and how to actually conduct one, the recently published OCR HIPAA HITECH audit protocols provide further insight into what is expected. Here’s today’s big tip — Get Down On Risk Analysis Implementation Specification (at 45 CFR 164.308(a)(1)(ii)(A)) Audit Protocols…
OCR Audit Protocols – Risk Analysis
Risk analysis is a foundational step for any earnest Risk Management and/or Security Management program. After all, without a good risk analysis, how does one understand the organization’s exposures?
The HIPAA Security Risk Analysis Standard
At § 164.308(a)(1)(ii)(A), under HIPAA Security Administrative Safeguards, the Risk Analysis Implementation Specification is stated as follows:
§164.308(a)(1): Security Management Process §164.308(a)(1)(ii)(A) – Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
The OCR Audit Protocol for Risk Analysis
Key Performance Activity:
Conduct Risk Assessment
- Inquire of management as to whether formal or informal policies or practices exist to conduct an accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
- Obtain and review relevant documentation and evaluate the content relative to the specified criteria for an assessment of potential risks and vulnerabilities of ePHI.
- Determine whether there is evidence that the covered entity’s risk assessment process or methodology considers the elements in the criteria and has been updated or maintained to reflect changes in the covered entity’s environment.
- Determine if the covered entity risk assessment has been conducted on a periodic basis.
- Determine if the covered entity has identified all systems that contain, process, or transmit ePHI.
- No need to guess anymore; read the HHS / OCR Final Guidance on Risk Analysis and underlying NIST security framework.
- No time to wait; in addition to OCR HIPAA Audits, CMS Meaningful Use Attestations are starting; read page 27 of the ONC Guide to Privacy and Security of Health Information… False Claims Act anyone?
- Looking for an experienced, trusted HIPAA Risk Analysis firm? Consider the Clearwater HIPAA Security Risk Analysis™ SaaS solution.
Contact us for more information or to learn about a tailored Clearwater HIPAA Audit Prep WorkShop™ or the Clearwater HIPAA Audit Prep BootCamp™ series.
Wanna be even more ready for an audit or hip on HIPAA? Learn more…
The complete HIPAA Privacy, Security and Breach regulations are here.
If you’d like to keep up to date on Audit Preparation, Risk Analysis or HIPAA-HITECH in general, please also consider (all optional!):
- Joining our AboutHIPAA LinkedIn Group: http://AboutHIPAALI.org
- Following me: http://www.twitter.com/ClearwaterHIPAA
- Subscribing to our eNewsletter: https://clearwatercompliance.com/newsletters/
- Attending a HIPAA HITECH live webinar: https://clearwatercompliance.com/live-educational-webinars/
Latest posts by Bob Chaput (see all)