Invariably, in our Live Web Events, we are asked something along the lines: can we just do the Risk Analysis on our EHR system (and not on other systems/media/applications that handle ePHI)? Here’s today’s big tip – NO! And, in the words of OCR attorneys at the recent NIST-OCR HIPAA Secuity summit in DC, organizations that narrow the interpretation down to an EHR-only scope are doing themselves a huge disservice.
The HHS/OCR Final Guidance on Risk Analysis is clear in stating that to meet the requirements of the HIPAA Security Final Rule implementation specification (45 C.F.R. § 164.308(a)(1)(ii)(A) the Scope of the Analysis must include all ePHI that an organization creates, receives, maintains, or transmits must be included in the risk analysis.
Some will argue that that the Meangingful Use Stage 1 Objectives narrow the requirement to the EHR/EMR system only. Eligible Hospital (EH) and Critical Access Hospital (CAH) Meaningful Use Core Measure 14 of 14 and Eligible Provider (EP) Meaningful Use Core Measure 15 of 15, after all states the following:
- Objective: Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.
- Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
- Exclusion: No Exclusion
The “trouble” arises with the highlighted statement, I suppose. That is, one could argue if one were focused on checking off the Meanignful Use box (Measure 14 or 15) that the requirement was restricted to the EHR system.
However, EHs, CAHs and EPs were to have met the broader HIPAA Security Risk Analysis requirement long ago — as of April 2005 — and to have updated it periodically since then. Why try to wiggle out of the requirement in 2011??
For me, it’s clear… Get the full Risk Analysis done. And, do it right… according to the HHS/OCR Final Guidance on Risk Analysis . You may wish to view our post on the 9 Essential Elements of a HIPAA Security Risk Analysis.
A HIPAA Risk Analysis is not to be confused with a HIPAA Security Evaluation (45 C.F.R. § 164.308(a)(8))! We explained the difference in a prior post.
In addition to an express requirement to conduct a risk analysis, the Rule indicates that risk analysis is a necessary tool in reaching substantial compliance with many other standards and implementation specifications. We have assembled many useful documents, tools and resources related to Risk Analysis on our site at: http://clearwaterc.wpengine.com/hipaa-hitech-resources/hipaa-risk-analysis-resources/ Please feel free to use and enjoy them!
Please avail yourself of any of these free resources which you may access now by clicking on the links below:
- Risk Analysis Buyer’s Guide
- Expert 2nd Opinion on Your HIPAA Risk Analysis
- Clearwater Compliance White Paper: Risky Business: How to Conduct a Bona Fide HIPAA Security Risk Analysis
- Clearwater Recorded Webinar event entitled How to Conduct a Bona Fide HIPAA Security Risk Analysis
- IRM|Analysis™- Clearwater’s Risk Analysis and Risk Management software DataSheet
- IRM|Analysis™- Clearwater’s Risk Analysis and Risk Management software Free Trial for qualified organizations
- More Risk Analysis Resources
Latest posts by Bob Chaput (see all)
- HIPAA Risk Analysis Tip – Part 5 – Questions & Answers from May 3rd Conversation with Former OCR Director Leon Rodriguez - June 5, 2017
- HIPAA Risk Analysis Tip – Part 4 – Questions & Answers from May 3rd Conversation with Former OCR Director Leon Rodriguez - May 29, 2017
- HIPAA Risk Analysis Tip – Part 3 – Questions & Answers from May 3rd Conversation with Former OCR Director Leon Rodriguez - May 21, 2017