HIPAA Risk Analysis vs. Risk Assessment
by Dr. Jeff Brown
Many HIPAA vendors are putting you in jeopardy because they think a risk assessment equals a HIPAA risk analysis.
In a cybersecurity newsletter dated April 2018, The Office of Civil Rights (OCR, the "HIPAA Police") clarified the distinction between a Risk Analysis and a risk assessment.
This is very important because it signals that the OCR, who is tasked with enforcing the HIPAA rules, is acutely aware healthcare providers, business associates, and HIPAA consulting services still don’t understand the Risk Analysis requirement.
For too long, consultants and software vendors have been promoting a risk assessment in lieu of a Risk Analysis. While the two terms sound similar, they are completely different activities.
A Risk Analysis is required and considered the foundation of your HIPAA compliance efforts. On the other hand, a risk assessment is merely a "gap analysis" and is not required at all.
Moreover, performing a risk assessment can create unwanted legal ramifications in the event you are audited or face court proceedings. Yikes!
Why the confusion?
The government is party to blame because throughout HIPAA literature, the term "assessment" is used in the context of a performing a Risk Analysis. Furthermore, HealthIT.gov created a Security Risk Assessment Tool available as a free download to help offices self-assess their compliance with the HIPAA.
Unfortunately, providers and consultants alike incorrectly assume the free tool equates to a bonafide Risk Analysis. It is alarming how many HIPAA software vendors simply enhance the tool and then turn around and sell it as if it were a true Risk Analysis, putting countless offices at risk.
The recently published newsletter by the OCR attempts to remove the confusion by clarifying the Risk Analysis and risk assessment definitions.
Risk Analysis: Comprehensive evaluation of a covered entity or business associate’s enterprise to identify the ePHI and the risks and vulnerabilities to the ePHI. The risk analysis is then used to make appropriate modifications to the ePHI system to reduce these risks to a reasonable and appropriate level.
Risk Assessment (a.k.a. Gap Analysis): A narrowed examination of a covered entity or business associate’s enterprise to assess whether certain controls or safeguards required by the Security Rule are implemented. A gap analysis can also provide a high-level overview of the controls in place that protect ePHI, without engaging in the comprehensive evaluation required by a risk analysis.
Immediately determine whether your HIPAA consultant or software vendor is having you complete a risk assessment or a bonafide Risk Analysis. Specifically ask to see your annual Risk Analysis report. If they produce a colorful spreadsheet-style report with risk ratings derived from a bunch of Yes/No questions related to numerous HIPAA safeguards, then you are looking at a risk assessment.
What you want to see, is a report that includes the following sections:
- List of workforce and business associates
- Your ePHI Inventory
- Threats and vulnerabilities specific to your office
- Current security measures to protect against identified threat-vulnerability combinations
- Likelihood, impact, and risk scores for each threat-vulnerability combination
- Security measures not currently in place that could reduce your risk
If you find you've been completing a risk assessment instead of a HIPAA Risk Analysis, ask your vendor to help you perform a true Risk Analysis. If your consultant or software vendor won't, or can't, help you, then it's time to pick a new HIPAA helper ASAP.
If you are inclined to delve deeper into this topic, here is an excellent attorney written article on the topic; pay particular attention to the PDF download.
DISCLAIMER: Because of the generality of this article, the information provided herein may not be applicable in every situation and should not be acted upon without specific legal advice based on particular situations.