Is Your Risk Analysis Thorough and Accurate?

A gap analysis does not provide a comprehensive view of security processes.

In September of 2023, the Department of Health and Human Services (HHS), Office for Civil Rights (OCR), entered into a resolution agreement with L.A. Care Health Plan. Included with the publication was the following statement from the director of OCR.

“Breaches of protected health information by a HIPAA-regulated entity often reveal systemic noncompliance with the HIPAA Rules,” said OCR Director Melanie Fontes Rainer. “HIPAA-regulated entities need to be proactive in ensuring their compliance with the HIPAA Rules, and not wait for OCR to reveal long-standing HIPAA deficiencies.”

The Health Insurance Portability and Accountability Act (HIPAA) Rules require covered entities and their business associates to safeguard electronic protected health information (ePHI) through reasonable and appropriate security measures. One of these measures required by the Security Rule is a risk analysis, which directs covered entities and business associates to conduct a thorough and accurate assessment of the risks and vulnerabilities to ePHI (See 45 CFR § 164.308(a)(1)(ii)(A)).

In this case, as in many of the corrective action plans issued by OCR, the entity had failed to conduct an accurate and thorough risk analysis to determine the risks and vulnerabilities to ePHI across the organization. Covered entities and business associates must assess the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI that the organization creates, receives, maintains, or transmits. This includes ePHI on all forms of electronic media, such as hard drives, floppy disks, CDs, DVDs, smart cards or other storage devices, personal digital assistants, transmission media, and portable electronic media.

A risk analysis is not a gap analysis, which is typically a narrow examination to assess whether certain controls or safeguards required by the Security Rule have been implemented. A gap analysis provides a high-level overview of how an entity’s safeguards are implemented and shows what is incomplete or missing, but it generally does not provide a comprehensive, enterprise-wide view of the security processes.

Whether you are conducting your security risk analysis internally or outsourcing, make sure the process and content of your report meet the requirements outlined in the guidance provided by HHS.

  • Identify all assets (systems) that create, receive, maintain, or transmit ePHI.
  • Identify business associates.
  • Identify threats defined as “[t]he potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.”
  • Identify vulnerabilities defined as “[a] flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.” (NIST SP 800-30)
  • Perform a gap analysis.
  • Conduct physical
  • Use the information gathered to identify risks and develop remediation.
  • Formally document findings and ongoing efforts to improve security.

Ready to outsource performing your security risk analysis?

Submit your contact information and request to speak with DeAnn Tucker, MHA, RHIA, CHPS, CHPC, CCS.
