You would think the requirement to complete a bona fide HIPAA Security Risk Analysis was a news flash and, the way some executives are behaving, a request for their first-born child. The HIPAA Security Risk Analysis requirement (at 45 CFR 164.308(a)(1)(ii)(A)) has existed since April 14, 2003. This foundational requirement for any good information security program is cited weekly, if not daily, in government guidance and publications and in HHS Resolution Agreements and Corrective Action Plans. An explicit Risk Analysis audit procedure has been published as well. Here's today's big tip: catch up on the latest citations and complete a real HIPAA Security Risk Analysis.


HIPAA Security Risk Analysis Tips – Get ‘er Done!


About two years ago (July 2010), HHS/OCR published its "Guidance on Risk Analysis Requirements under the HIPAA Security Rule," which relies on the NIST security framework and specifically on NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments (then a draft). Both documents define the term the same way:

"A Risk Analysis is the process of identifying, prioritizing, and estimating risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, …, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place."

"Risk analysis" (also called risk assessment) is popping up all over the place. It was not invented by or for the healthcare industry. Performing one the right way, and not just checking the box, is a foundational step for any organization serious about its security management program. In the May 2011 Nationwide Rollup Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight, OIG, auditing CMS's HIPAA Security enforcement responsibilities, cited "Incomplete Risk Assessments" and "No Risk Analysis Policies and Procedures" at several hospitals.

In healthcare, we are seeing a “call to arms” to complete a risk analysis.  Following are some of the more recent “mentions”:

HHS/OCR Risk Analysis Failures / Citations

  • HHS settles case with Phoenix Cardiac Surgery for lack of HIPAA safeguards – “…Phoenix Cardiac Surgery failed to identify a security official and conduct a risk analysis”
  • Alaska settles HIPAA security case for $1,700,000 – "As a result of its investigation, OCR determined that DHSS had not … completed a risk analysis (See 45 C.F.R. § 164.308(a)(1)(ii)(A)); …"
  • HHS settles HIPAA case with BCBST for $1.5 million – “…by not performing the required security evaluation …” “The Policies and Procedures shall include…The conduct of a risk assessment…”
  • University of California settles HIPAA Privacy and Security case involving UCLA Health System facilities – “Covered Entity failed to implement security measures sufficient to reduce the risks of impermissible access to electronic protected health information”

Bottom Line: if you have not embraced, and are not embracing, a robust methodology that follows HHS/OCR and NIST guidance, you may be in big trouble with both OCR (which enforces the Security, Privacy and Breach Notification Rules) AND CMS, which operates the Meaningful Use EHR Incentive Program and will audit attestations.

HHS/OCR Audit Process and Protocols

  • OCR Random Audit Documentation Request List – "Administrative Safeguards Entity-level Risk Assessment"
  • OCR Audit Procedures for Risk Analysis
    • Inquire of management as to whether formal or informal policies or practices exist…
    • Obtain and review relevant documentation and evaluate the content …
    • Evidence of covered entity risk assessment process or methodology considers the elements in the criteria and has been updated or maintained to reflect changes in the covered entity’s environment.
    • Determine if the covered entity risk assessment has been conducted on a periodic basis.
    • Determine if the covered entity has identified all systems that contain, process, or transmit ePHI.
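To make the definition quoted earlier and the last two audit procedures concrete, here is a small risk register in Python. It is an added illustration written for this page, not Clearwater's, HHS/OCR's or NIST's own tooling. The five qualitative levels follow the spirit of NIST SP 800-30 Rev 1; the likelihood-times-impact product, the low/moderate/high banding, the "one control removes one level of likelihood" model, and the 365-day re-assessment window are all assumptions chosen for the example, and the systems, threats and controls are constructed sample data. It scores each threat/vulnerability pair, credits only controls that are actually in place, prioritizes the result, and then runs two checks an auditor would run: whether every ePHI system appears in the register, and whether the analysis has been refreshed within the period the entity's policy requires.

```python
"""Toy risk register for an ePHI environment: score each threat/vulnerability
pair, net out implemented controls, prioritize, and run two audit checks
(ePHI system coverage and periodic re-assessment).
Added illustration; not Clearwater's, HHS/OCR's or NIST's own tooling."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List

# Qualitative scales in the spirit of NIST SP 800-30 Rev 1 (Very Low .. Very High).
LEVELS = ["very_low", "low", "moderate", "high", "very_high"]


@dataclass
class Control:
    name: str
    implemented: bool          # planned-only controls do not reduce current risk
    likelihood_reduction: int  # levels of likelihood the control removes (assumed model)


@dataclass
class Risk:
    system: str          # asset from the ePHI inventory
    threat: str
    vulnerability: str
    likelihood: str      # inherent likelihood, one of LEVELS
    impact: str          # one of LEVELS
    controls: List[Control] = field(default_factory=list)


def level_index(level: str) -> int:
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}; expected one of {LEVELS}")
    return LEVELS.index(level)


def residual_likelihood(risk: Risk) -> str:
    """Likelihood after crediting only controls that are actually in place."""
    idx = level_index(risk.likelihood)
    for control in risk.controls:
        if control.implemented:
            idx -= control.likelihood_reduction
    return LEVELS[max(idx, 0)]


def risk_score(risk: Risk) -> int:
    """Ordinal 1..25 score: (residual likelihood rank) x (impact rank)."""
    return (level_index(residual_likelihood(risk)) + 1) * (level_index(risk.impact) + 1)


def risk_level(score: int) -> str:
    """Assumed banding of the 1..25 product into low/moderate/high."""
    if score >= 15:
        return "high"
    if score >= 6:
        return "moderate"
    return "low"


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Highest residual risk first; ties broken by system name for a stable report."""
    return sorted(risks, key=lambda r: (-risk_score(r), r.system))


def uncovered_systems(ephi_inventory: List[str], risks: List[Risk]) -> List[str]:
    """Audit check: every system that stores, processes or transmits ePHI
    must appear in at least one risk entry."""
    return sorted(set(ephi_inventory) - {r.system for r in risks})


def is_current(last_assessed: str, today: str, max_age_days: int = 365) -> bool:
    """Audit check: the analysis was refreshed within the entity's own period
    (365 days assumed here; the Rule says 'periodic' and sets no fixed interval)."""
    age = date.fromisoformat(today) - date.fromisoformat(last_assessed)
    return age <= timedelta(days=max_age_days)


# Constructed sample data (not from any real entity).
EPHI_INVENTORY = ["ehr-db", "billing-app", "backup-server", "imaging-pacs"]
RISKS = [
    Risk("ehr-db", "external attacker", "unpatched database service", "high", "very_high",
         [Control("monthly patching", True, 1), Control("network segmentation", False, 1)]),
    Risk("billing-app", "malicious insider", "shared administrator account", "moderate", "high",
         [Control("unique user IDs", True, 1)]),
    Risk("backup-server", "theft or loss", "unencrypted backup media", "moderate", "very_high"),
]


if __name__ == "__main__":
    for r in prioritize(RISKS):
        print(f"{risk_level(risk_score(r)):8} {risk_score(r):2}  {r.system}: "
              f"{r.threat} / {r.vulnerability}")
    print("ePHI systems with no risk entry:", uncovered_systems(EPHI_INVENTORY, RISKS))
    print("assessment current:", is_current("2011-05-15", "2012-06-01"))
```

Two design points are worth noting. The register records planned controls (the definition above says to consider controls "planned or in place") but credits only implemented ones when computing current residual risk, so a control that exists only on a roadmap cannot make a finding disappear. And the coverage check is driven by the ePHI inventory, not by the register: an asset nobody thought to assess (the constructed `imaging-pacs` here) surfaces as a gap, which is exactly the "identified all systems that contain, process, or transmit ePHI" criterion an auditor will test.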

To learn how to complete your Risk Analysis according to HHS/OCR and underlying NIST guidance, view Clearwater HIPAA Risk Analysis Video Overview.

Contact us for more information or to learn about a tailored Clearwater HIPAA Audit Prep WorkShop™ or the Clearwater HIPAA Audit Prep BootCamp™ series.

More HIPAA HITECH Resources:

The complete HIPAA Privacy, Security and Breach regulations are here.


Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry's leading authorities in healthcare information security today. Chaput has supported hundreds of hospitals and health systems in managing healthcare's evolving cybersecurity threats and ensuring patient safety.