Compliance assessment? Security Evaluation? Risk Assessment? Risk Analysis? Compliance Analysis? Huh?
Lots of confusion continues to swirl around the difference between a HIPAA Security Evaluation versus HIPAA Security Risk Analysis.No wonder, the terms are often used interchangeably.
Let’s end the confusion…
Technically, one might argue when it comes to regulatory compliance of any type, three types of assessments can be completed:
1.Compliance Assessments (Evaluation, in HIPAA Security Final Rule parlance) answer questions like: “Where do we stand with respect to the regulations?” and “How well are we achieving ongoing compliance?”
2.Risk Assessments (Analysis, in HIPAA Security Final Rule parlance) answer questions like: “What is our risk exposure to information assets (e.g., PHI)?” and “What do we need to do to mitigate risks?”
3.Readiness Assessments answer questions like “Have we implemented adequate privacy safeguards?”, “Have we implemented adequate security safeguards?” and are we ready for audit.
We focus on the first two in this post because these are the ones you must complete.Both are Required by the HIPAA Security Final Rule.
A thorough HIPAA Security Compliance Evaluation broadly covers all aspects of the law including all 18 Standards and 42 Implementation specifications that comprise the Administrative, Physical and Technical Safeguards (CFR 164.308, 310, 312) in the HIPAA Security Final Rule.Additionally, this evaluation must cover CFR 164.314 and 316 related to Organizational Requirements, Policies and Procedures and Documentation.
As indicated above, completing this HIPAA Security Compliance Evaluation is required by every Covered Entity and Business Associate. The language of the law is in 45 C.F.R. § 164.308(a)(8):
Standard: Evaluation. Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart.
This type of assessment is a critical step and should be completed whether one is just starting a HIPAA Security Compliance program, rejuvenating an existing program and maintaining an existing program.The output of the evaluation establishes a baseline against which overall progress can be measured by the executive team, compliance or risk officer, audit committee or board.Think FOREST view. At the end of such an evaluation, one would have a Summary Compliance Indicator such as the one shown in the following Security Evaluation Compliance Summary:
A HIPAA Security Risk Analysis (§164.308(a)(1)(ii)(A)) is also required by law to be performed by every Covered Entity and Business Associate.Additionally, completion of the Risk Analysis is a core requirement to meet Meaningful Use objectives.Section 164.308(a)(1)(ii)(A) of the HIPAA Security Final Rule states:
RISK ANALYSIS (Required).
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].
As required by The HITECH Act, the Office of Civil Rights, within the Department of Health and Human Services (HHS), has issued final “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”.This guidance was published on July 8, 2010.No specific methodology was indicated.However, the guidance describes nine (9) essential elements a Risk Analysis must incorporate, regardless of the risk analysis methodology employed.We have designed a Risk Analysis methodology and ToolKit around these elements while using industry best practices.
As an example, upon evaluation of each information asset that creates, receives, maintains or transmits electronic Protected Health Information (ePHI), one would have an asset-by-asset evaluation of risk, along with mitigation actions involving new safeguards or controls:
Upon completion of the Risk Analysis for all information assets, an overall Risk Analysis Project Tracking tool would be used to ensure ongoing project management of the implementation of safeguards:
So, when it comes to HIPAA Security Compliance Evaluation, think:
- Forest-level view
- Overall compliance with the HIPAA Security Final Rule
- Establishing baseline evaluation score for measuring progress
- Asking: Have we documented appropriate policies and procedures, etc?
- Asking: Are we performing against our policies and procedures?
When it comes to HIPAA Security Risk Analysis, think:
- Trees/Weeds-level view of each information asset with PHI
- Meeting a specific step in the overall compliance process
- Understanding current safeguards and controls in place
- Asking: What are our specific risks and exposures to information assets?
- Asking: What do we need to do to mitigate these risks?
More HIPAA HITECH Resources:
The complete HIPAA Privacy, Security and Breach regulations are here.
Latest posts by Bob Chaput (see all)
- HIPAA Risk Analysis Tip – How Comprehensive Must Your HIPAA Security Risk Analysis Be? - April 25, 2017
- HIPAA Risk Analysis Tip – Does OCR really use the “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”? - April 23, 2017
- HIPAA Risk Analysis Tip – May 3rd Webinar with Leon Rodriguez – What OCR Expects in Your HIPAA Risk Analysis - April 9, 2017