HIPAA Risk Analysis Tip – How Comprehensive Must Your HIPAA Security Risk Analysis Be?


Short Answer: All information assets in all lines of business in all facilities and in all locations. 

OCR just entered into its 50th Resolution Agreement / Corrective Action Plan with CardioNet, Inc., the 39th case involving ePHI and therefore requiring a risk analysis. CardioNet is the 35th organization cited for an inaccurate and incomplete risk analysis. What seems to be the problem?

We now know that in order to conduct an OCR-quality risk analysis, we need to be talking “assets, threats and vulnerabilities” (see our recent post: Does OCR really use the “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”?). But how do we know how comprehensive it needs to be?

Completing comprehensive, enterprise-wide risk analyses seems to be a problem for organizations:

  • Jocelyn Samuels has commented, “All too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical record or that fails to provide appropriate oversight and accountability for all parts of the enterprise.”
  • And Deven McGraw stated, “time and again, we see that organizations are not doing risk assessments that are enterprise-wide and that take into account all of the ePHI that is in their environments…”
  • And Leon Rodriguez recently concurred, “The question of [a weak or outdated] risk assessment has always been an issue from the very beginning of HIPAA enforcement – and it will continue to be one for the future.”

To understand how comprehensive the risk analysis is expected to be, we once again turn to the admonishments from OCR, consistently included in their press releases regarding investigation findings:

  • “Triple S failed to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications and data systems utilizing ePHI.”
  • “OHSU performed risk analyses in 2003, 2005, 2006, 2008, 2010, and 2013, but OCR’s investigation found that these analyses did not cover all ePHI in OHSU’s enterprise, as required by the Security Rule.”
  • “We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure.”
  • “Although SJH hired a number of contractors to assess the risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by SJH, evidence indicated that this (risk analysis) was conducted in a patchwork fashion and did not result in an enterprise-wide risk analysis, as required by the HIPAA Security Rule.”

The details of what assets OCR is looking for can be gleaned from the associated Corrective Action Plans:

  • This Risk Analysis shall incorporate … the risks to the ePHI on all of its electronic equipment, data systems, and applications controlled, administered or owned by Advocate or any Advocate Entity, that contain, store, transmit, or receive ePHI.
  • TRIPLE-S shall conduct and complete an accurate, thorough, enterprise-wide risk analysis of security risks and vulnerabilities that incorporates all electronic equipment, data systems, programs and applications controlled, administered, owned, or shared by TRIPLE-S or its affiliates that contain, store, transmit or receive TRIPLE-S ePHI.
  • This Risk Analysis shall incorporate the risks to the ePHI on all of its electronic equipment, data systems, and applications controlled, administered or owned by UMass or any UMass entity, that contain, store, transmit, or receive ePHI.

OK, OK… we get the assets now. What facilities or locations are to be included?

  • This Risk Analysis shall incorporate all UMass facilities, whether owned or rented, …that contain, store, transmit, or receive ePHI.
  • This Risk Analysis shall incorporate all Advocate facilities, whether owned or rented, …that contain, store, transmit, or receive ePHI.
  • “UM shall draft an enterprise-wide risk analysis and corresponding risk management plan, that shall encompass all covered health care components …”

How comprehensive does the risk analysis need to be? Simple enough: all information assets in all lines of business in all facilities and in all locations. Information assets are systems, solutions, technology and devices that create, receive, transmit or maintain ePHI.

Now what?

  1. Download the OCR-issued “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”.
  2. Attend our May 3rd “Conversation with Former OCR Director Leon Rodriguez: What OCR Expects in Your HIPAA Risk Analysis”. Learn how to conduct an OCR-quality risk analysis and what to expect from the new administration on HIPAA, among many other things. You may learn more and register here: http://bit.ly/ClearwaterLeonRodriguez
  3. Learn the definition of an information asset.
  4. Learn how Clearwater may complete a Confidential, Complimentary Review of your current risk analysis, under the direction of outside counsel, and advise you of important actions to take to conduct an OCR-Quality HIPAA Risk Analysis.

Clearwater

Clearwater helps healthcare organizations ensure patient safety and improve the quality of care by safeguarding the confidentiality, integrity and availability of protected health information (PHI).

We have assisted more than 400 customers to operationalize and mature their information privacy, security, compliance and information risk management programs. And in the process, we are raising the bar for safeguarding PHI, protecting millions of Americans and driving real value for the organizations we support and the healthcare industry at large.
