HIPAA Risk Analysis Tip – Does OCR really use the “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”?

HIPAA Risk Analysis Tip – Does OCR really use the “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”?

HIPAA Risk Analysis Tip – Does OCR really use the “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”?

HIPAA Risk Analysis

Short Answer: YES! 

As long ago as June of 2005, the Department of Health and Human Services (HHS) began publishing a series of seven security articles providing guidance on the “Security Standards for the Protection of Electronic Protected Health Information, commonly called the Security Rule.  Updated in March of 2007, the sixth in the series was entitled “Basics of Risk Analysis and Risk Management” and which outlined:

  • The relevant Security Rule implementations specifications for Risk Analysis and Risk Management,
  • The definitions involved in these activities, such as “threats,” “vulnerabilities” and “risk” and their relationships to each other, referencing NIST Special Publications (SP) 800-30 and
  • An example of process steps adapted from NIST SP800-30 which started with the scope of the analysis and the gathering of “data” before considering the threats and vulnerabilities

On July 14, 2010, OCR posted “Guidance on Risk Analysis Requirements under the HIPAA Security Rule” on their website, once again referencing NIST, this time SP800-66 and SP800-30, and suggesting that organizations consider the following questions:

  • Have you identified the e-PHI within your organization? This includes all e-PHI that you create, receive, maintain or transmit.
  • What are the external sources of e-PHI? For example, do vendors or consultants create, receive, maintain or transmit e-PHI?
  • What are the human, natural, and environmental threats to information systems that contain e-PHI?

Findings, reported by Linda Sanches, from the Phase 1 Audits of 2012 included that two thirds of entities had “no complete and accurate risk assessment.”  In April 2016, the audit procedures were considerably expanded in the Phase 2 Audits to include evidence that “all” systems that create, receive, transmit and maintain ePHI have been identified, along with the threats to, and vulnerabilities of, those assets. In addition, the auditors are to examine documentation of an assessment of security measures currently addressing those vulnerabilities, an impact and likelihood analysis and a resulting risk ranking…followed by risk remediation activities.

Despite specific guidance from OCR to start with the identification of assets containing PHI, and nagging organizations at conferences and other speaking opportunities, OCR findings in complaint and breach investigations continue to find that organizations are coming up short on risk analysis and risk management programs. Nine out of 10 organizations that have entered into a settlement agreement with OCR due to the compromise of electronic PHI have not started with the identification of “all electronic equipment, data systems, programs and applications controlled, administered, owned, or shared that contain, store, transmit of receive PHI.”

Too often, their audit reports or initial investigation findings start with this:  “OCR has determined that the risk analysis submitted by your organization as part of its recent  response does not meet the requirement set forth at 45 CFR § 164.308(a)(1)(ii)(A).  Please review OCR’s guidance on the Security Rule’s risk analysis requirement located at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalintro.html

Now what?

  1. Download the OCR-issued “Guidance on Risk Analysis Requirements under the HIPAA Security Rule” .
  2. Follow the process!  There’s a reason.  The ePHI you create, receive, maintain or transmit  will be safer, your patients/members will continue to trust you, and you’ll sleep better at night that you’re doing the right thing.
  3. Attend our May 3rd “Conversation with Former OCR Director Leon Rodriguez: What OCR Expects in Your HIPAA Risk Analysis”  Learn how to conduct an OCR-Quality Risk Analysis® and what to expect from the new administration on HIPAA, among many other things. You may learn more and register here: http://bit.ly/ClearwaterLeonRodriguez
  4. Learn how Clearwater may complete a Confidential, Complimentary Review of your current risk analysis, under the direction of outside counsel, and advise you of important actions to take to conduct an OCR-Quality HIPAA Risk Analysis.
Series Navigation<< HIPAA Risk Analysis Tip – May 3rd Webinar with Leon Rodriguez – What OCR Expects in Your HIPAA Risk AnalysisHIPAA Risk Analysis Tip – How Comprehensive Must Your HIPAA Security Risk Analysis Be? >>
Posted in
Clearwater helps healthcare organizations ensure patient safety and improve the quality of care by safeguarding the confidentiality, integrity and availability of protected health information (PHI). We have assisted more than 400 customers to operationalize and mature their information privacy, security, compliance and information risk management programs. And in the process, we are raising the bar for safeguarding PHI, protecting millions of Americans and driving real value for the organizations we support and the healthcare industry at large.
Subscribe to our newsletter

Our monthly eNewsletter which includes industry articles and white papers that we’ve gathered for you. We’re confident you’ll find a nugget or two among them!

OCR-Quality Risk Analysis®

Clearwater-provided risk analyses have a 100% acceptance rate when submitted to the Office for Civil Rights.

About Clearwater

Clearwater provides the most complete and trusted, enterprise-class cyber risk management solution available. Designed for healthcare providers and their partners, Clearwater’s IRM|Pro® platform and experienced professional services team provide insights and actions to address compliance, cyber and patient safety risks. Clearwater is a 2017 Inc. 5000 fastest-growing company, the 2018 Best in KLAS winner in Cybersecurity Advisory Services, the 2017, 2018, and 2019 Black Book Marketing Research winner in Compliance and Risk Management Solutions, and exclusively endorsed by numerous state hospital associations. Clearwater solutions have been deployed within hundreds of hospitals and health systems, Fortune 100 organizations, and federal government institutions. 

Show Buttons
Hide Buttons