Completing your analysis in accordance with the OCR’s Guidance on Risk Analysis Requirements under the HIPAA Security Rule
Per Section 164.308(a)(1)(ii)(A) of the HIPAA Security Rule, an organization must:
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.
How does an organization get started? First of all, let’s talk about the Office of Civil Rights (OCR). OCR is the enforcement arm of Health and Human Services (HHS). It is part of their responsibility to provide guidance on various aspects of the HIPAA Security Rule.
In 2010, the OCR released a publication called Guidance on Risk Analysis Requirements under the HIPAA Security Rule (see link here). This guidance covers the overall requirements of completing a Security Risk Analysis (SRA) under the HIPAA Security Rule, important definitions, and nine elements that must be included in the assessment and documentation. Even though this guidance has been around for years, we often find that organizations are unaware of its existence. We also see a lot of SRA reports that do not cover the basic elements from this guidance.
It is critical that organizations understand these essential components in order execute an assessment that meets OCR expectations. Below is a high-level overview of the nine elements that can be found in the guidance.
- Scope the analysis. Organizations must make sure their SRA includes relevant risks and vulnerabilities to the confidentiality, availability, and integrity of all e-PHI that an organization creates, receives, maintains, or transmits.
- Collect the data. Organizations must identify all locations where e-PHI is stored, received, maintained, or transmitted. This is a point of emphasis for the OCR, and an item that I will address in more detail in a future post.
- Identify and document potential threats and vulnerabilities.Organizations must identify and document all reasonably anticipated threats to e-PHI that is being stored, received, maintained, or transmitted.
- Assess current security measures.Organizations should assess the controls (i.e. security measures) that have been implemented to reduce the likelihood and impact of threats identified in item three above.
- Determine the likelihood of threat occurrence.For all of the threats identified per number three above, an organization must determine the likelihood (probability) of the threat occurring. It is ideal if both the inherent (before controls) and residual (after controls) likelihood is determined for each threat.
- Determine the potential impact of threat occurrence.For all of the threats identified per number three above, an organization must determine the potential impact (consequences) should the threat actually occur. Again, it is ideal if both the inherent (before controls) and residual (after controls) impact is determined for each threat.
- Determine the level of risk.The level of risk for each threat is determined by taking the likelihood of occurrence and multiplying it by the potential impact. As with five and six above, it is ideal if both the inherent (before controls) and residual (after controls) risk is determined for each threat. Once the overall risk level is identified for each threat, an organization should prepare written action plans for threats with the highest residual risk.
- Finalize documentation.An SRA must be documented and include all elements listed above.
- Periodically review and update the risk assessment.An SRA should be an ongoing process. Even though the HIPAA Security Rule does not specify a frequency, we highly recommend the analysis be updated annually or whenever new technologies or business processes are planned. This is another item that I will explore further in a future post.
As an additional note, this OCR guidance draws heavily from NIST Special Publication 800-30 (Guidefor Conducting Risk Assessments) and is another valuable tool for understanding basic risk assessment methodology.
Knowing these key elements is a great first step but applying them is not always easy. WaveFire has built a platform with all nine of these elements baked in, making it the easiest and fastest way to complete an OCR-ready SRA for your organization. If you are interested in learning more about our platform or are concerned about your organization’s current state of HIPAA compliance, we can help. We invite you to contact us at firstname.lastname@example.org or 877-583-2477.