In a cybersecurity newsletter dated April 2018, the Office of Civil Rights (OCR) clarified the distinction between a Risk Analysis and a risk assessment. This is very important because it signals that the OCR, which is tasked with enforcing the HIPAA rules, is acutely aware that healthcare providers, business associates, and HIPAA consulting services still don’t understand the Risk Analysis requirement.
For too long, consultants and software vendors have been promoting a risk assessment in lieu of a Risk Analysis. While the two terms sound similar, they are completely different activities. A Risk Analysis is required and considered the foundation of your HIPAA compliance efforts. On the other hand, a risk assessment is merely a "gap analysis" and is not required at all.
Moreover, performing a risk assessment can create unwanted legal ramifications in the event you are audited or face court proceedings. Yikes!
Why the Risk Analysis confusion?
The government is partly to blame because throughout HIPAA literature, the term "assessment" is occasionally used in the context of performing a Risk Analysis. Furthermore, HealthIT.gov created a Security Risk Assessment Tool, available as a free download, to help offices self-assess their compliance with HIPAA.
Unfortunately, providers and consultants alike incorrectly assume the free tool equates to a bona fide Risk Analysis. It is alarming how many HIPAA software vendors simply enhance the tool and turn around and sell it as if it were a true Risk Analysis, putting countless offices at risk.
Risk Analysis and Assessment defined
The recently published newsletter by the OCR attempts to remove the confusion by clarifying the Risk Analysis and risk assessment definitions.
Risk Analysis: Comprehensive evaluation of a covered entity or business associate’s enterprise to identify the ePHI and the risks and vulnerabilities to the ePHI. The risk analysis is then used to make appropriate modifications to the ePHI system to reduce these risks to a reasonable and appropriate level.
Risk Assessment (a.k.a. "Gap Analysis"): A narrowed examination of a covered entity or business associate’s enterprise to assess whether certain controls or safeguards required by the Security Rule are implemented. A gap analysis can also provide a high-level overview of the controls in place that protect ePHI, without engaging in the comprehensive evaluation required by a risk analysis.
Ask your HIPAA consultant
Immediately determine whether your HIPAA consultant or software vendor is having you complete a risk assessment or a bona fide Risk Analysis. Specifically, ask to see your annual Risk Analysis report. If what they produce is a colorful spreadsheet-style report with risk ratings derived from a bunch of Yes/No questions related to numerous HIPAA safeguards, then you are looking at a risk assessment—this is bad, and your HIPAA helper is a wolf!
What you want to see is a report that includes the following sections:
- List of workforce and business associates
- ePHI inventory
- Threats and vulnerabilities specific to your office
- Current security measures to protect against identified threat-vulnerability combinations
- Likelihood, impact, and risk scores for each threat-vulnerability combination
- Security measures not currently in place that could reduce your risk
If you find you've been completing a risk assessment instead of a HIPAA Risk Analysis, ask the wolf to help you perform a true Risk Analysis. For whatever reason, if your consultant or software vendor won't or can't help you, then it's time to pick a new HIPAA helper ASAP.
If you are inclined to delve deeper into this topic, here is an excellent attorney-written article on the subject; pay particular attention to the PDF download.