In a recent discussion with a practice administrator, I discovered a pretty important misconception about what should really be included in a proper HIPAA Risk Analysis. Not that the administrator was doing anything wrong but the understanding of what is a Risk Analysis was missing some very important parts.
The HIPAA Security Rule requires CEs and BAs:
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization]
According to Leon Rodriguez, head of the Office for Civil Rights (OCR), when asked what OCR is looking for in an audit he said
The single biggest and most common compliance weakness is the lack of a timely and thorough risk analysis.
There are several publications that provide guidance on a proper Risk Analysis from HHS and OCR. I find the links below very helpful. They do reference some more detailed and complex guidelines published by NIST, also.
- OCR Guidance on Risk Analysis Requirements under the HIPAA Security Rule
- Basics of Risk Analysis and Risk Management
- Security Standards: Implementation for the Small Provider
This article is an attempt to summarize that information into some simple definitions and bullet lists. Hopefully, this will make it a bit easier to see what a proper Risk Analysis involves without having to read all those documents plus some.
Here are a few terms used in a Risk Analysis discussion that you should know
Threats – Define circumstances or events with the potential to cause problems for your business. Include human, natural and environmental threats. Think of everything from power failures and floods or fire to burglary or employee sabotage or accidents to hard drive failures on your computers. What if the country is attacked again or terrorists (foreign or domestic) attack your area; that is a potential threat in the world today. What if you come in to work and your server is off and won’t turn on or start up at all?
Vulnerability – Define the weaknesses in your facilities, policies or information systems that could be exploited if a threat actually occurs. Group them into technical and non-technical categories. Non-technical could be things like ineffective or non-existent policies, procedures or guidelines. Technical might include holes in the information systems security or improperly implemented systems.
Impact – Define how bad it would be if those things (mentioned above) did happen. Would it be a pain but just a bump in the road, or would it be devastating harm to your business. Would it damage your reputation or your equipment or your ability to treat patients?
Likelihood – Now you define how likely this is to occur and cause the impact or harm you have assessed previously.
Risk – The combination of information determined above. A very high risk item (vulnerability) would be one the is almost certain to occur (likelihood) and cause serious harm (impact) to your business. You can assign numeric values (or ranges) to define risk ratings or letter rating or simply very low to very high ratings.
- Controls – Safeguards that could be administrative, physical or technical that are put in place to control risk.
Each HIPAA Risk Analysis should contain certain elements of documentation.
To prevent this article from becoming more overwhelming, the details of the documentation can be found in our HIPAA Glossary. When you are ready for the list of elements in your Risk Analysis read this article.
Once a Risk Analysis is completed the process becomes Risk Mitigation and Management.
This list was also broken out under another article to help make things easier to absorb in small bites of information. See the explanation of Risk Mitigation and Management plans in this article.
A complete and thorough Risk Analysis (including a project plan for your compliance requirements).
There seem to be many people who believe a Risk Analysis is a checklist of questions that you answer in a spreadsheet and you are done. As you can see, there is a good deal more to the Risk Analysis recommended for HIPAA than a simple list of questions. Detailed analysis, documentation and research are required to complete the Risk Analysis as intended by the Security Rule.
One of the driving forces behind our partnership with ComplyAssistant was the search I started immediately after realizing BAs are required to do a Risk Analysis now. There is too much documentation, project management and specifics to be addressed for me to feel comfortable managing everything in a hodgepodge of documents and spreadsheets. It is almost like doing accounting and payroll today without any Quickbooks, Quicken or whatever your software choice may be. Very few people attempt to run a business today without proper accounting software. Compliance seems to be the same way now.
Complete your Risk Analysis properly and soon