It’s not surprising that there is confusion surrounding the term, and how it differs from a HIPAA Risk Analysis or HIPAA Security Assessment. In fact, the answer you get will largely depend on who you ask. So is there a difference? We look at how these terms are used and what is generally being referred to when someone uses the term HIPAA risk assessment.
What is a HIPAA Risk Assessment?
First, let me point out that too many organizations have a fluid and interchangeable usage of the terms “assessment” and “analysis” in relation to HIPAA compliance requirements. Throw in the terms “risk” and “security” and you start to see combinations that obscure all clarity around these key requirements!
For example, HealthIT.gov refers to a “Security Risk Assessment.”
Generally speaking, when the term “HIPAA risk assessment” is used it tends to refer to what is defined within the regulation as a HIPAA Risk Analysis:
HIPAA Risk Analysis
As required by the HIPAA Security Rule at 45 CFR §164.308(a)(1)(ii)(A):
(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.
(B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).
Yet despite the technical use of HIPAA Risk Analysis within the regulation itself, even HHS named their downloadable guide the “Security Risk Assessment Tool.” (On that note, be wary that this tool does not constitute a complete Risk Analysis as required by the HIPAA Security Rule!)
We present a great free webinar that clarifies the difference between a HIPAA Risk Analysis and a HIPAA Security Assessment. You might also be interested in the Clearwater Compliance White Paper: “Risky Business: How to Conduct a Bona Fide HIPAA Security Risk Analysis.”
HIPAA Risk Assessment Solutions
Semantics aside, we offer robust, clear solutions to help your organization meet the requirements laid out by the HIPAA-HITECH Rules.
Our HIPAA Risk Analysis Workshop pairs a complete HIPAA Risk Analysis with a subscription to our IRM|Analysis software, giving you a total solution that not only helps you to get and remain compliant, but reduces your future compliance costs.
For more information about these services, please contact our team.
We have assisted more than 400 customers to operationalize and mature their information privacy, security, compliance and information risk management programs. And in the process, we are raising the bar for safeguarding PHI, protecting millions of Americans and driving real value for the organizations we support and the healthcare industry at large.