HIPAA Risk Analysis Tip – 9 Essential Elements of OCR-quality Risk Analysis – a Quick Tutorial
People like steps: steps to take in a process. It’s like instructions: do this, then do this, then do this… There’s order and a sense of comfort in following a clearly articulated plan. That’s what this blog is hoping to achieve: to take the mystery out of risk analysis and risk management. Some folks, thinking that an external partner will know better than their internal team, pay for a process they later find out is “limited”, “inaccurate”, “not comprehensive”, or conducted in a “patchwork fashion” (in the words of OCR).
The OCR-issued "Guidance on Risk Analysis Requirements under the HIPAA Security Rule" cites nine essential elements of an accurate and complete risk analysis. These nine essential elements parallel the risk analysis process outlined in NIST SP 800-30 Revision 1, "Guide for Conducting Risk Assessments". Together, they represent a methodology for achieving success, not only in the event of an OCR investigation, but more importantly in the protection of ePHI and in the assurance of patient safety. The nine essential elements are:
- Understand the Scope of the Analysis: A risk analysis involves identifying all the potential risks and vulnerabilities to the confidentiality, integrity and availability (“C-I-A”) of ALL PHI that your organization creates, receives, maintains or transmits. Although the requirement in the Security Rule is focused on ePHI, eleven (11), or 20%, of the 50 settlement agreements resulted from breaches of non-electronic PHI: paper, video and voice recordings. They need to be protected too.
- Undertake Data Collection: Document all the assets where PHI is created, received, maintained or transmitted. For PHI, this can include file cabinets, storage rooms, fax machines and copiers, and business associates. For ePHI, this can include electronic equipment, media, data systems and applications controlled, administered, owned or shared by your organization, your affiliates and your business associates … in all facilities, whether owned or rented, and at all health care components.
- Identify and Document Potential Threats and Vulnerabilities: This can be the heavy lifting in this process. Each asset-threat-vulnerability triple needs to be risk-analyzed. See our earlier "HIPAA Risk Analysis Tip – What Level of Detail is Adequate?" for details of potential threats and vulnerabilities to be considered.
- Assess Current Security Measures: Once each asset-threat-vulnerability triple has been identified and documented, assess what security measures are in place to mitigate the exploitation of that vulnerability by that threat. Understanding the current controls in place will inform the next step: determining the likelihood of that threat exploiting that vulnerability.
- Determine the Likelihood of Threat Occurrence: Determining the likelihood of exploitation is a qualitative process which can be informed using statistics from the causes of reported breaches, complaints and OCR settlement agreements. One of the more powerful sources of likelihood information is your own incident history.
- Determine the Potential Impact of Threat Occurrence: Determining the potential impact of a threat exploiting a vulnerability should include consideration of financial, legal, operational, clinical and regulatory costs. This financial evaluation can be facilitated by using the model described in "The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security".
- Determine the Level of Risk: Once the likelihood and impact have been calculated for an asset-threat-vulnerability triple, the level of risk can be determined. Using a 1-5 scale for likelihood and the same for impact, the level of risk can be calculated by multiplying the two factors. Risk calculated with a likelihood of 5 (high) and an impact of 5 (high) would have a risk level of 25, and would be considered a critical risk. The leadership of your organization will need to determine its “risk appetite” so that risks with a value calculated above a certain level, for example, 15 (3*5 or 4*4 or 4*5) would need to be treated (typically avoided, mitigated or transferred). Risks with a value below the risk appetite would typically be accepted.
- Finalize Documentation: As suggested above, treatment of risks can include accept, avoid, mitigate or transfer. The executive team must be involved in the decisions related to risk treatment. All steps in this process need to be documented for communication to the organization, as well as evidence of practice should that be needed.
- Risk Management - Conduct Periodic Review and Updates to the Risk Assessment: This risk analysis and risk treatment process is not once and done. The risk management plan must include review of progress made on approved remediation activities and testing of controls to assure their effectiveness, in addition to performing on-going risk analysis periodically and whenever there are operational, technological or environmental changes.
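The scoring and risk-appetite steps from the list above, applied to a small register of asset-threat-vulnerability triples. This is an added example, not part of the original post or of any vendor's software; the `Triple` and `analyze` names and all sample data are constructed for illustration. It assumes a score equal to the appetite threshold is treated, since the text lists 3*5 among the treated cases, and it also reports inventoried assets that have no triple at all, which is a scope gap.

```python
from dataclasses import dataclass

RISK_APPETITE = 15  # example threshold from the text; leadership sets the real one

@dataclass(frozen=True)
class Triple:
    asset: str
    threat: str
    vulnerability: str
    controls: tuple   # current security measures already in place
    likelihood: int   # 1-5 scale
    impact: int       # 1-5 scale

    def __post_init__(self):
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not isinstance(value, int) or not 1 <= value <= 5:
                raise ValueError(f"{name} must be an integer 1-5, got {value!r}")

    @property
    def risk(self):
        return self.likelihood * self.impact  # level of risk = likelihood x impact

def analyze(inventory, triples, appetite=RISK_APPETITE):
    """Return (register sorted by risk, highest first; assets with no triple)."""
    register = [
        {"asset": t.asset, "threat": t.threat, "vulnerability": t.vulnerability,
         "controls": list(t.controls), "risk": t.risk,
         # Assumption: a score equal to the appetite is treated (see lead-in).
         "decision": "treat" if t.risk >= appetite else "accept"}
        for t in sorted(triples, key=lambda t: t.risk, reverse=True)
    ]
    # An inventoried asset with no recorded triple was never risk-analyzed.
    unanalyzed = sorted(set(inventory) - {t.asset for t in triples})
    return register, unanalyzed

# Constructed sample data, not taken from any real organization.
INVENTORY = ["EHR database", "Clinic laptops", "Fax machine", "Paper chart room"]
TRIPLES = [
    Triple("EHR database", "External attacker", "Unpatched DBMS", ("Firewall",), 3, 5),
    Triple("Clinic laptops", "Theft", "No disk encryption", (), 4, 5),
    Triple("Clinic laptops", "Malware", "Outdated anti-malware", ("Email filtering",), 4, 4),
    Triple("Fax machine", "Misdirected fax", "No cover-sheet procedure", ("Staff training",), 2, 3),
]

if __name__ == "__main__":
    register, unanalyzed = analyze(INVENTORY, TRIPLES)
    print(*register, "No triples recorded for: " + ", ".join(unanalyzed), sep="\n")
```

The "treat" decision here only flags a risk for treatment; choosing between avoid, mitigate and transfer remains a documented leadership decision.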
OCR's "standard of care" in performing an accurate and complete risk analysis and risk management is increasing. It includes these nine essential elements. The following is the text from a recent OCR follow-up letter to an organization:
"OCR has determined that the risk analysis submitted by your organization as part of its recent response does not meet the requirement set forth at 45 CFR § 164.308(a)(1)(ii)(A). Please review OCR’s guidance on the Security Rule’s risk analysis requirement located at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalintro.html.
For additional information, you may also wish to consult the National Institute of Standards and Technology’s SP 800-30 Rev. 1 “Guide for Conducting Risk Assessments”."
So, embrace the 9 essential elements; do it right – it will cost less in the end and you will sleep better at night.
- Attend our May 3rd "Conversation with Former OCR Director Leon Rodriguez: What OCR Expects in Your HIPAA Risk Analysis". Learn how to conduct an OCR-quality risk analysis and what to expect from the new administration on HIPAA, among many other things. You may learn more and register here: http://bit.ly/ClearwaterLeonRodriguez
- Download the OCR-issued "Guidance on Risk Analysis Requirements under the HIPAA Security Rule".
- Learn the definition of an information asset.
- View a recorded demo of our award-winning software for conducting OCR-quality risk analysis and risk management work products.
- Learn how Clearwater may complete a Confidential, Complimentary Review of your current risk analysis, under the direction of outside counsel, and advise you of important actions to take to conduct an OCR-Quality HIPAA Risk Analysis.
- Read the OCR Resolution Agreements / Corrective Action Plans, especially the 39 involving ePHI where 35 organizations had adverse findings for incomplete and/or inaccurate HIPAA Risk Analysis and HIPAA Risk Management work.