In Chapter 2, page 11 of the recently published ONC Guide to Privacy and Security of Health Information, the guide debunks most of the “misinformation making the rounds” about a security risk analysis.  Learn what a real risk analysis is and is not.  Here’s today’s big tip – Read the ONC Guide – Don’t Get Hoodwinked By the Charlatans Claiming to be Doing Risk Analyses.  


HIPAA Security Risk Analysis Tips – Check Out ONC Guide to Privacy and Security of Health Information

In a recent post entitled “HIPAA Security Risk Analysis Tips – How to Conduct a BONA FIDE Risk Analysis”, we referenced the fear, uncertainty, doubt and misinformation (FUDM) swirling around the question of what comprises a real, bona fide risk analysis as called for in the HIPAA Security Rule at 45 C.F.R. § 164.308(a)(1)(ii)(A).

In May, in its ONC Guide to Privacy and Security of Health Information, ONC focuses on helping medical practices through the Meaningful Use Stage I Attestation requirements around privacy and security.  However, there’s something for organizations of all sizes in this document.  Not only does the guide provide great information about privacy and security in general, it thoroughly covers the subject of what constitutes a legitimate risk analysis.  The phrase “Risk Analysis” occurs over 90 times.  It seems like they’re trying to make a point!! Risk Analysis is a foundational step in any security program, not to mention a requirement for Meaningful Use Attestation and HIPAA compliance.

The following table on “Security Risk Analysis Myths and Facts” is excerpted from the ONC guide.

Security Risk Analysis Myths and Facts

Myth: The security risk analysis is optional for small providers.
Fact: False. All providers who are “covered entities” under HIPAA are required to perform a risk analysis. In addition, all providers who want to receive EHR incentive payments must conduct a risk analysis.

Myth: Simply installing a certified EHR fulfills the security risk analysis MU requirement.
Fact: False. Even with a certified EHR, you must perform a full security risk analysis. Security requirements address all electronic protected health information you maintain, not just what is in your EHR.

Myth: My EHR vendor took care of everything I need to do about privacy and security.
Fact: False. Your EHR vendor may be able to provide information, assistance, and training on the privacy and security aspects of the EHR product. However, EHR vendors are not responsible for making their products compliant with the HIPAA Privacy and Security Rules. It is solely your responsibility to have a complete risk analysis conducted.

Myth: I have to outsource the security risk analysis.
Fact: False. It is possible for small practices to do a risk analysis themselves using self-help tools such as the U.S. Department of Health and Human Services Office of the National Coordinator for Health Information Technology’s (ONC) risk analysis tool. However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through the services of an experienced outside professional.

Myth: A checklist will suffice for the risk analysis requirement.
Fact: False. Checklists can be useful tools, especially when starting a risk analysis, but they fall short of performing a systematic security risk analysis or documenting that one has been performed.

Myth: There is a specific risk analysis method that I must follow.
Fact: False. A risk analysis can be performed in countless ways. OCR has issued Guidance on Risk Analysis Requirements of the Security Rule. This guidance assists organizations in identifying and implementing the most effective and appropriate safeguards to secure e-PHI.

Myth: My security risk analysis only needs to look at my EHR.
Fact: False. Review all electronic devices that store, capture, or modify electronic protected health information. Include your EHR hardware and software and devices that can access your EHR data (e.g., your tablet computer, your practice manager’s mobile phone). Remember that copiers also store data. Please see U.S. Department of Health and Human Services (HHS) guidance on remote use.

Myth: I only need to do a risk analysis once.
Fact: False. To comply with HIPAA, you must continue to review, correct or modify, and update security protections. For more on reassessing your security practices, please see this link.

Myth: Before I attest for an EHR incentive program, I must fully mitigate all risks.
Fact: False. The EHR incentive program requires addressing any deficiencies identified during the risk analysis during the reporting period.

Myth: Each year, I’ll have to completely redo my security risk analysis.
Fact: False. Perform the full security risk analysis as you adopt an EHR. Each year, or when changes to your practice or electronic systems occur, review and update the prior analysis for changes in risks.


To learn how to complete your Risk Analysis according to ONC, HHS/OCR and underlying NIST guidance, view Clearwater HIPAA Risk Analysis™ Video Overview.

Contact us for more information or to learn about a tailored Clearwater HIPAA Audit Prep WorkShop™ or the Clearwater HIPAA Audit Prep BootCamp™ series.

More HIPAA HITECH Resources:

The complete HIPAA Privacy, Security and Breach regulations are here.


Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority on safeguarding health data, Chaput has supported hundreds of hospitals and health systems in successfully managing healthcare’s evolving cybersecurity threats and ensuring patient safety.