Is Your Organization Using the Right Framework to Guide HIPAA Risk Analysis?

Size doesn’t matter when it comes to risk analysis. But the standards you follow surely do.

At a recent Clearwater HIPAA-HITECH Blue Ribbon Panel (BRP), Feisal Nanji, executive director of Techumen, emphasized that demographic differences, such as the size of a healthcare organization, have little to do with how the company should approach a security risk analysis under HIPAA-HITECH. “There really should not be any variance on your approach,” he said. “Of course a large hospital will have different needs when it comes to risk management compared to a small medical practice, but there’s really only one way to correctly analyze and assess the risk.”

Based on this insight, it is very important for a covered entity or business associate to have an accurate and comprehensive framework driving privacy and security risk analysis activities. While the Office for Civil Rights doesn’t provide specific recommendations for the appropriate process, federal standards and industry best practices point to one methodology offering a straighter line to compliance than others.

Fundamentally, it would be difficult for the agency to find fault with risk analysis initiatives using the NIST framework. After all, NIST (National Institute of Standards and Technology) is the official source of guidance on this topic for federal agencies.

Our BRP experts of privacy and security experts agree NIST standards are comprehensive and concrete, and far outperform other frameworks in the market. In particular, NIST has proven much more specific than the HITRUST Common Security Framework. Nanji suggests that HITRUST has several flaws, including the lack of a repeatable process. Additionally, HITRUST has traditionally been a security framework and only last year added risk analysis to the mix.

One way to know if you are doing risk analysis the right way is that the outcome of a legitimate risk analysis will be a risk rating report or register. If the tool you are using doesn’t produce these deliverables, you aren’t doing it right. It’s that simple.

Fellow BRP expert John Christiansen, principal of Christiansen IT Law, says most organizations aren’t being as comprehensive in their risk analyses, and resulting risk management programs, as OCR expects. He suggests organizations have a tendency to see what they can get by with, and do the bare minimum required. Knowing OCR is on the lookout for this kind of approach to risk, it becomes even more critical to rely on a framework that forces the organization to take the long view.

Are your risk analysis efforts set on a solid foundation? Will the risk analysis you’ve conducted hold up to scrutiny from OCR? If you’re unsure, you can continue learning about the right way to tackle risk analysis and risk management, as explained by the HIPAA-HITECH Blue Ribbon Panel, by clicking here.




Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.