This entry is part 47 of 60 in the series HIPAA Security Risk Analysis Tips

HIPAA Risk Analysis Tip – New HHS Risk Assessment Tool – Much Ado About Nothing

When I first heard the news… GREAT! … I was genuinely excited when I heard that HHS had finally published the Security Risk Assessment tool on which ONC and OCR apparently collaborated. Here’s what I wrote to several colleagues, value-added resellers and customers:

Yea!! We’re feeling like Apple did, when in 1982, IBM decided that personal computers were real and built their first clunky one. In 1982, IBM ‘sanctified’ the personal computer market. We’re now feeling validated about our risk analysis software and other compliance software.

That is, as in many other industries and functional areas, the world has come to realize that processes can be significantly improved and matured with software. The manner in which risk analysis (and, risk management overall) work is performed is long overdue to make a move from ‘arts & crafts’ to more ‘science and engineering’. For decades, we’ve benefitted from Computer-Aided Manufacturing (CAM), Computer-Aided Design (CAD), Computer-Aided Software Engineering (CASE), etc.

We applaud HHS for recognizing this need and validating the notion of Computer-Aided Risk Management (CARM).

Then, I downloaded the iPad version and tested the tool… YIKES! … we’ll still take the validation that there’s a need for CARM. However, proceed with caution.

Today’s big RISK ANALYSIS TIP – Be Very Careful; Download and Test this Tool Carefully – It Does NOT Facilitate a Bona Fide Risk Analysis

While the HHS Security Risk Assessment tool does provide some software, here are a few specific cautionary notes:

  1. By design, it is intended “to help guide health care providers in small to medium sized offices” not larger organizations;
  2. The tool presents a series of questions that appear to be more suitable to the non-technical compliance evaluation required at 45 CFR §164.308(a)(8).  That is a good thing and is required!  But, it is not the same as the Risk Analysis required at 45 CFR §164.308(a)(1)(ii)(A).  Learn more about the critical difference between a HIPAA compliance evaluation and risk analysis in this free webinar.
  3. It comes with several disclaimers, among them:
    1. “The Security Risk Assessment Tool at HealthIT.gov is provided for informational purposes only. Use of this tool is neither required by nor guarantees compliance with federal, state or local laws.”
    2. The Security Risk Assessment Tool is not intended to be an exhaustive or definitive source on safeguarding health information from privacy and security risks. 
    3. NOTE: The NIST Standards provided in this tool are for informational purposes only as they may reflect current best practices in information technology and are not required for compliance with the HIPAA Security Rule’s requirements for risk assessment and risk management.

    4. This tool is not intended to serve as legal advice or as recommendations based on a provider or professional’s specific circumstances. We encourage providers, and professionals to seek expert advice when evaluating the use of this tool.

  4. It does not follow HHS’ own “Guidance on Risk Analysis Requirements under the HIPAA Security Rule” published in July, 2010;
  5. In addition to not following HHS’ Risk Analysis Guidance, it neither takes as required inputs nor produces as standard outputs the elements that indicate a bona fide risk analysis has been conducted:
    1. Incomplete treatment of information asset inventory, threat identification, vulnerability analysis, assessment of current controls, etc.
    2. It does not produce the most basic risk analysis output – a risk register or risk rating report.
  6. I was at first concerned about how the tables of threats, vulnerabilities and controls in this software would be regularly updated, given all organizations’ changing threat surface. This maintenance matter turns out not to be an issue, as no consideration is given to threats, vulnerabilities and controls at a detailed level.

The HHS Security Risk Assessment tool is an interesting work product.  Please be very careful.

Importance of a Rigorous HIPAA Risk Analysis 

Failure to meet the HIPAA Security Risk Analysis requirement at 45 CFR §164.308(a)(1)(ii)(A) will likely result in violations of the HIPAA Security Rule[1], the Meaningful Use Stage 1 Final Rule[2] and the Meaningful Use Stage 2 Final Rule[3]. Violations of these regulations carry significant penalties under the new Civil Monetary Penalty (CMP) system.

In attesting to completion of the risk analysis requirement for Meaningful Use Stage 1 or Stage 2, organizations also face a more serious liability risk.  In the ONC Guide to Privacy and Security of Health Information[4], the Office of the National Coordinator (ONC) admonishes:

When you attest to meaningful use, it is a legal statement that you have met specific standards, including that you protect electronic health information. Providers participating in the EHR Incentive Program can be audited.

If you attest prior to actually meeting the meaningful use security requirement, you could increase your business liability for federal law violations and making a false claim. From this perspective, consider implementing multiple security measures as feasible, prior to attesting. The priority would be mitigating high-impact and high likelihood risks.

The False Claims Act[5] carries significant consequences for organizations that knowingly submit a false claim to the government.  With the commencement of both pre-payment audits along with the post-payment audits provided by CMS[6], it is likely that there will be adverse findings and grounds for filings under the False Claims Act for some hospitals and providers in 2014, given the early results of CMS MU audits and OCR HIPAA enforcement actions.

It is very important to note that while the focus of the Meaningful Use risk analysis requirement is on the Electronic Health Record (EHR) systems, Covered Entities (and Business Associates alike) are required under the HIPAA Security Rule to complete this risk analysis for all information assets and media that create, receive, maintain or transmit ePHI. 

HIPAA Risk Analysis Resources Available to You

Clearwater Compliance offers best-in-class HIPAA-HITECH Privacy, Security and Breach Notification software and services. Our years of direct front-line, real-world experience with deep privacy and security skill-sets will help you assess and implement the required people, process and technology controls cost-effectively.


Bob Chaput

CEO at Clearwater Compliance