According to legal experts, David Gacioch and Edward Zacharias of McDermott Will & Emery, widespread confusion surrounding the Office of Civil Rights’ (OCR) HIPAA risk analysis requirements under the HIPAA Security Rule is still persistent in the healthcare industry. They noted that the failure to perform adequate risk analysis was one of the most common alleged HIPAA violations, which appeared in half of the settlements from 2017 to 2018, and OCR announced nearly $1million-plus settlements reached during this period.
Under the Security Rule, a HIPAA risk analysis is defined as the thorough and accurate assessment of the potential risks and vulnerabilities to the integrity, confidentiality, and availability of the electronically protected health information (ePHI) possessed by the covered entities or business associates.
Furthermore, in an interview, Zacharias said that there is a lack of proper education about what constitutes a HIPAA risk analysis from the government’s perspective. Another source of confusion is that people often tend to mix up HIPAA risk analysis with risk assessments, which are often used interchangeably. In OCR’s guidance under the HIPAA Security Rule, the office provided a HIPAA risk assessment tool for conducting a HIPAA risk analysis. This is often the main source of confusion. Also, risk assessments that are required under the HIPAA Breach Notification rule, have a very different meaning than the term risk analysis, required under the HIPAA Security Rule.
Nine elements of a HIPAA Risk Analysis
OCR, in its guidance, has laid out nine key elements that must be included in a risk analysis procedure:
- Scope of analysis
For HIPAA risk analysis, organizations that create, receive, and maintain all ePHI in any form and/or location must account for potential risks and vulnerabilities to the integrity, confidentiality, and availability of it.
- Data Collection
By reviewing past and/or existing projects, performing interviews, reviewing documentation, and using other data collection methods, organizations must identify where the ePHI is being stored, received, and maintained.
- Potential threats and vulnerabilities must be identified and documented
Identification and documentation of anticipated threats to ePHI are crucial for all aspects of HIPAA compliance. HIPAA risk analysis is important because vulnerabilities if triggered or exploited by a threat, can create a risk of inappropriate access and misuse of ePHI.
- Assessing current security measures
Security measures that are required to be implemented by organizations must be assessed and documented as well. Through a HIPAA risk analysis, organizations need to measure the security protocols required by the Security Rule that are already in place, and if the security measures are properly configured and used.
- Determining the possibility of threat occurrence
This process comes after identifying the threats. Organizations must examine the probability of potential risks to ePHI and make documentation of all combinations of threats and vulnerabilities with associated likelihood estimates that can affect the confidentiality, integrity, and availability of ePHI.
- Determining the potential impact of threat occurrence
Organizations need to assess and maintain documentation of the level of the potential impact that can result from threats when vulnerabilities are triggered or exploited and to what extent it can affect the confidentiality, integrity, and availability of ePHI.
- Determining the level of risks
Organizations need to identify and assign the risk levels of all combinations of the threats and vulnerabilities during a HIPAA risk analysis. The magnitude of the risk can be determined by analyzing the values to the assigned probability of threat occurrence and the resulting impact of threat occurrence. Furthermore, organizations need to document the assigned level of risks and make a list of corrective actions to be conducted to mitigate each level of risk.
- Finalizing documents
Although there isn’t any specific format, organizations are required to make a documentation of the HIPAA risk analysis. The documentation of a risk analysis is a direct input to the risk management process.
- Conducting reviews periodically and updates to the risk analysis
Although the Security Rule does not specify how frequently risk analysis should be performed, organizations still must continuously perform a HIPAA risk analysis to identify if updates are needed. The frequency of conducting risk analysis will vary among the covered entities depending on their organization’s size and practice.
Simplify administrative burden with HIPAA Ready
HIPAA Ready offers HIPAA compliance solutions for all sizes of organizations that are required to comply with HIPAA. This robust cloud-based software allows organizations to easily store and maintain all necessary documents and simplify training management that is crucial for better educating all the employees regarding HIPAA’s rules and regulations. With HIPAAReady, users will be able to have a clear view of the HIPAA policies and procedures, and updates that are required for HIPAA compliance. Moreover, HIPAAReady’s dashboard is an easy to use platform that includes the process of assessing and identifying potential threats and vulnerabilities within the organization. With HIPAAReady, conducting reviews periodically and all aspects of the HIPAA compliance tasks becomes simple.