The Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security and Breach Notification Rules require covered entities and their business associates to safeguard electronic protected health information (ePHI) through reasonable and appropriate security measures. The HIPAA Security Rule (45 CFR § 164.308(a)(1)(ii)(A)) directs covered entities and business associates to conduct a thorough and accurate analysis of the risks and vulnerabilities to ePHI. Conducting a risk analysis is the first step in identifying and implementing controls and safeguards that could ensure the confidentiality, integrity, and availability of ePHI.
But beware. Often, covered entities will engage with an IT security vendor that will deliver a final report labeled “HIPAA Risk Analysis” when in fact the report is only a gap analysis of security controls and safeguards. This is not the same thing as the required HIPAA risk analysis.
Here’s the difference:
HIPAA Risk Analysis: The purpose of a HIPAA risk analysis is to inform decision makers and support risk responses by identifying: (i) relevant threats to organizations or threats directed through organizations against other organizations; (ii) vulnerabilities both internal and external to organizations; (iii) impact (i.e., harm) to organizations that may occur given the potential for threats exploiting vulnerabilities; and (iv) likelihood that harm will occur. The risk analysis is then used to make appropriate modifications to the ePHI system(s) to reduce these risks to a reasonable and appropriate level.
The HIPAA Security Rule does not require a specific methodology to analyze the risks to ePHI, nor does it require risk analysis documentation to be in a specific format. However, there are certain elements common to a risk analysis that should be incorporated into an entity’s HIPAA risk analysis process. Per guidance from the Office of Civil Rights (OCR) and the National Institute for Standards and Technology (NIST), these elements may include:
The risk analysis should consider the potential risks, threats and vulnerabilities to all of the covered entity’s ePHI, regardless of the particular electronic medium in which it is created, received, maintained, or transmitted, including the source or location of its ePHI.
- Data Collection
When considering the potential risks to their ePHI, entities should identify all of the locations and information systems where ePHI is created, received, maintained, or transmitted. Such an inventory should consider not only workstations and servers, but also applications, mobile devices, electronic media, communications equipment, and networks as well as physical locations.
- Identify and Document Potential Threats and Vulnerabilities
Be sure to identify technical and non-technical vulnerabilities. Technical vulnerabilities can include holes, flaws, or weaknesses in information systems; or incorrectly implemented and/or configured information systems.
- Assess Current Security Measures
Assess and document the effectiveness of current controls, for example the use of encryption and anti-malware solutions, or the implementation of patch management processes.
- Determine the Likelihood and Potential Impact of Threat Occurrence
Determine and document the likelihood that a particular threat will trigger or exploit a particular vulnerability as well as the impact if a vulnerability is triggered or exploited.
- Determine the Level of Risk
Analyze and assign risk levels for the threat and vulnerability combinations identified by the risk analysis. Determining risk levels informs entities where the greatest risk lies, so entities can appropriately prioritize resources to reduce those risks.
Although the HIPAA Security Rule does not specify a form or format for risk analysis documentation, such documentation should contain sufficient detail to demonstrate that an entity’s risk analysis was conducted in an accurate and thorough manner. If a covered entity or business associate submits a risk analysis lacking sufficient detail in response to an OCR audit or enforcement activity, additional documentation may be required to demonstrate that the risk analysis was in fact conducted in an accurate and thorough manner.
- Review and Update
Conducting a risk analysis is an ongoing process that should be reviewed and updated regularly within an entity’s risk management process.
Gap Analysis: A gap analysis is not required by the HIPAA Security Rule. Although it is a partial assessment of an entity’s enterprise, it may be a useful tool to identify whether certain controls and safeguards specified in the HIPAA Security Rule are met. A gap analysis is typically a narrowed evaluation of a covered entity or business associate’s enterprise to determine whether certain controls or safeguards required by the HIPAA Security Rule are implemented or not.
A gap analysis generally does not satisfy the HIPAA risk analysis obligations, because it typically does not demonstrate an accurate and thorough analysis of the risks, threats, and vulnerabilities to all of the ePHI an entity creates, receives, maintains, or transmits (See 45 C.F.R. §164.308(a)(1)(ii)(A)).
Covered entities and business associates should understand the difference between a HIPAA risk analysis and a gap analysis. Only the HIPAA risk analysis complies with HIPAA standards and implementation specifications.