Invariably, in our Live Web Events, we are asked something along the lines of: can we just do the Risk Analysis on our EHR system (and not on the other systems, media and applications that handle ePHI)?  Here’s today’s big tip – NO!  And, in the words of OCR attorneys at the recent NIST-OCR HIPAA Security summit in DC, organizations that narrow the interpretation down to an EHR-only scope are doing themselves a huge disservice.


The HHS/OCR Final Guidance on Risk Analysis is clear in stating that, to meet the requirements of the HIPAA Security Final Rule implementation specification (45 C.F.R. § 164.308(a)(1)(ii)(A)), the scope of the analysis must include all ePHI that an organization creates, receives, maintains, or transmits.

Some will argue that the Meaningful Use Stage 1 Objectives narrow the requirement to the EHR/EMR system only.  Eligible Hospital (EH) and Critical Access Hospital (CAH) Meaningful Use Core Measure 14 of 14 and Eligible Provider (EP) Meaningful Use Core Measure 15 of 15, after all, state the following:

  • Objective: Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.
  • Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
  • Exclusion: No Exclusion

The “trouble” arises, I suppose, with the Objective’s wording “created or maintained by the certified EHR technology.”  That is, one could argue, if one were focused on checking off the Meaningful Use box (Measure 14 or 15), that the requirement was restricted to the EHR system.

However, EHs, CAHs and EPs were to have met the broader HIPAA Security Risk Analysis requirement long ago — as of April 2005 — and to have updated it periodically since then.  Why try to wiggle out of the requirement in 2011?

For me, it’s clear… Get the full Risk Analysis done.  And do it right… according to the HHS/OCR Final Guidance on Risk Analysis.  You may wish to view our post on the 9 Essential Elements of a HIPAA Security Risk Analysis.

A HIPAA Risk Analysis is not to be confused with a HIPAA Security Evaluation (45 C.F.R. § 164.308(a)(8))!  We explained the difference in a prior post.

In addition to an express requirement to conduct a risk analysis, the Rule indicates that risk analysis is a necessary tool in reaching substantial compliance with many other standards and implementation specifications.  We have assembled many useful documents, tools and resources related to Risk Analysis on our site.  Please feel free to use and enjoy them!

Contact us for more information or to learn about a tailored Clearwater HIPAA Audit Prep WorkShop™ or the Clearwater HIPAA Audit Prep BootCamp™ series.


Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.