FAQ – Risk Analysis, Risk Assessments

How important is risk analysis?

The HIPAA Security Rule is flexible, scalable, and technology-neutral, which leaves it open to interpretation. How important is it to conduct a risk analysis? Here is a clue: the words “risk analysis” are used 36 times in the HIPAA Security Rule Preamble. The risk analysis is the foundation of your security program. The types of security controls you select, and how a covered entity approaches addressable implementation specifications, are based upon the risk analysis.

The PCI Data Security Standard states: Only companies that have undertaken a risk analysis and have legitimate technological or documented business constraints can consider the use of compensating controls to achieve compliance.

Regardless of size, whether a single-physician practice or a 1,000-bed hospital, each organization is required to comply with HITECH and the HIPAA Security Rule. The Rule requires a risk analysis of all applications and systems, including biomedical devices, to assess the potential risks and vulnerabilities to the confidentiality, integrity, and availability of protected health information (PHI).

We have completed a HIPAA assessment. Are we in compliance with the risk analysis mandate?

The HIPAA Security Rule and many of the tools available for “HIPAA Assessments” do not mention words such as hacking, cyber-attack, cybersecurity, ransomware, phishing, cloud, file sharing, smartphones, etc. This is because the original HIPAA Security Rule was written in August of 1998 – 22 years ago, when many of the technologies and issues we are dealing with today didn’t even exist! Since 1998, there have only been two minor revisions to the HIPAA Security Rule. Beyond HIPAA, other confidential information vital to the organization also needs to be protected.

A risk analysis is a systematic and ongoing process of identifying threats, controls, vulnerabilities, likelihood (or probability), impact, and an overall rating of the risk. If any of these steps is missing, it’s not a risk analysis. Each risk analysis is a snapshot in time. It is not a precise science or a once-a-year event. Rather, it is a journey, an ongoing process.

On February 12, 2019, Roger Severino, Director of the HHS Office for Civil Rights, speaking at HIMSS 2019, described recent HIPAA enforcement actions and cited a recurring pattern of risk analysis noncompliance. The most recent fine (March 2020) was against a single practitioner; a key finding was an incomplete risk analysis. The HIPAA Security Rule requires a risk analysis of all applications and systems to assess the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. The number one citation resulting in a corrective action plan and fines from the Office for Civil Rights is failure to complete an enterprise risk analysis.

Are there any COVID-19, OCR special considerations?

The Novel Coronavirus (2019-nCoV) pandemic has impacted almost every aspect of our business and personal lives. Privacy and security are no exception. Telehealth/telemedicine and telecommuting have become part of the new normal in the last four months.

On March 17, the OCR stated that it will exercise its enforcement discretion and will waive potential penalties for HIPAA violations that apply to widely available communications apps when used in good faith for any telehealth treatment or diagnostic purpose. On further clarification, “acting in good faith” is the equivalent of conducting a risk analysis on the telecommunication vendor application to identify the impacts, likelihood, and overall risk scoring of the identified threats, controls, and vulnerabilities.

