This entry is part 11 of 27 in the series HIPAA Audit Tips

In case the HHS / OCR Final Guidance on Risk Analysis published in July 2010 and the May 2012 ONC Guide to Privacy and Security of Health Information were not enough to clarify the importance of a bona fide HIPAA Security Risk Analysis and how to actually conduct one, the recently published OCR HIPAA HITECH audit protocols provide further insight into what is expected.  Here’s today’s big tip — Get Down On Risk Analysis Implementation Specification (at 45 CFR 164.308(a)(1)(ii)(A)) Audit Protocols…

OCR Audit Protocols – Risk Analysis

Risk analysis is a foundational step for any earnest Risk Management and/or Security Management program.  After all, without a good risk analysis, how does one understand the organization’s exposures?

The HIPAA Security Risk Analysis Standard

At § 164.308(a)(1)(ii)(A), under HIPAA Security Administrative Safeguards, the Risk Analysis Implementation Specification is stated as follows:

§164.308(a)(1): Security Management Process §164.308(a)(1)(ii)(A) – Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity. 

The OCR Audit Protocol for Risk Analysis

Key Performance Activity: 

Conduct Risk Assessment

Audit Procedures:

  • Inquire of management as to whether formal or informal policies or practices exist to conduct an accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
  • Obtain and review relevant documentation and evaluate the content relative to the specified criteria for an assessment of potential risks and vulnerabilities of ePHI.
  • Obtain evidence that the covered entity’s risk assessment process or methodology considers the elements in the criteria and has been updated or maintained to reflect changes in the covered entity’s environment.
  • Determine if the covered entity risk assessment has been conducted on a periodic basis.
  • Determine if the covered entity has identified all systems that contain, process, or transmit ePHI.

Bottom Line:

  1. No need to guess anymore; read the HHS / OCR Final Guidance on Risk Analysis and underlying NIST security framework.
  2. No time to wait; in addition to OCR HIPAA Audits, CMS Meaningful Use Attestations are starting; read page 27 of the ONC Guide to Privacy and Security of Health Information… False Claims Act anyone?
  3. Looking for an experienced, trusted HIPAA Risk Analysis firm? Consider the Clearwater HIPAA Security Risk Analysis™ SaaS solution.

Contact us for more information or to learn about a tailored Clearwater HIPAA Audit Prep WorkShop™ or the Clearwater HIPAA Audit Prep BootCamp™ series.


The complete HIPAA Privacy, Security and Breach regulations are here.


Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.