The HIPAA risk analysis is a fundamental component of HIPAA compliance, but a lot of healthcare agencies and business associates fail to get risk analyses right. Many of the financial penalties for noncompliance with HIPAA Rules have been issued for the failure to conduct a comprehensive, organization-wide risk analysis.
What is a HIPAA Risk Analysis?
45 C.F.R. § 164.308(u)(1)(ii)(A) or the HIPAA Security Rule’s administrative safeguards, call for all HIPAA-covered entities to carry out a comprehensive evaluation of risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information (ePHI).
The risk analysis is a required element of HIPAA compliance and is the first step that is necessary to comply with standards and requirements of the HIPAA Security Rule. Without a complete risk analysis, risks are likely to remain undetected and will therefore not be reduced to an acceptable level, as is required by the 45 C.F.R § 164.306 (a).
A HIPAA risk analysis is additionally required to find out if it is reasonable and appropriate to use encryption or whether alternative safeguards will suffice – See 45 C.F.R. §§ 164.312(a)(2)(iv) and (e)(2)(ii). A risk analysis serves as a guide for organizations on their authentication requirements – 45 C.F.R. § 164.312(c)(2) – and strategies for protecting ePHI in transit – 45 C.F.R. § 164.312(c)(2).
A risk analysis is necessary for HIPAA compliance, but there is no detailed explanation regarding the requirements of a risk analysis or the method to be used in HIPAA. That is because one method of risk analysis will not fit all organizations. Similarly, there are no specific best practices that will guarantee compliance with this aspect of the HIPAA Security Rule.
The requirements of a HIPAA risk analysis are detailed on the HHS website – and can be downloaded here. Additional information in the NIST Risk Management Guide for Information Technology Systems, which covers risk analyses is available here.
A Security Risk Assessment Tool to Guide HIPAA-Covered Entities Through a HIPAA Risk Analysis
Conducting HIPAA-compliant risk analyses can be a difficult. To make it easier, the HHS’ Office of the National Coordinator for Health Information Technology (ONC), in cooperation with the Office for Civil Rights, has created a security risk assessment tool to guide HIPAA-covered entities through the process.
Healthcare organizations can input information to generate a report that provides information on risks in policies, processes and systems and offers help mitigating potential weaknesses. The tool was updated to version 3.0 on October 15, 2018.
The updated tool is easier to use and more applicable to the risks of the integrity, confidentiality, and availability of health data. The tool outlines HIPAA Security Rule safety measures and has improved functionality to record how your organization implements safeguards to offset identified risks.
The new features of the updated tool include a better user interface, a modular workflow, customized assessment logic, a development tracker, threat and vulnerability scores, detailed reports, tracking reports, a business associate monitor, and a number of upgrades to enhance the user experience.
Using the tool does not ensure that an organization is in compliance with HIPAA, federal, state, or local regulations, but it does serve as a very useful guide for HIPAA-covered entities and business associates. The tool can downloaded from the HealthIT.gov website.