HIPAA Risk Analysis Tip – How Comprehensive Must Your HIPAA Security Risk Analysis Be?
Short Answer: All information assets in all lines of business in all facilities and in all locations.
OCR just entered into its 50th Resolution Agreement / Corrective Action Plan with CardioNet, Inc., the 39th case involving ePHI and therefore requiring a risk analysis. CardioNet is the 35th organization cited for an inaccurate and and incomplete risk analysis. What seems to be the problem?
We now know that in order to conduct an OCR-quality risk analysis, we need to be talking “assets, threats and vulnerabilities”. See our recent post: Does OCR really use the “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”? … but how do we know how comprehensive it needs to be?
Completing comprehensive, enterprise-wide risk analyses seems to be a problem for organizations:
- Jocelyn Samuels has commented, “All too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical record or that fails to provide appropriate oversight and accountability for all parts of the enterprise”
- And Deven McGraw stated, “time and again, we see that organizations are not doing risk assessments that are enterprise-wide and that take into account all of the ePHI that is in their environments…”
- And Leon Rodriquez recently concurred, "The question of [a weak or outdated] risk assessment has always been an issue from the very beginning of HIPAA enforcement - and it will continue to be one for the future.”
To understand how comprehensive the risk analysis is expected to be, we once again turn to the admonishments from OCR, consistently included in their press releases regarding investigation findings:
- “Triple S failed to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications and data systems utilizing ePHI”
- “OHSU performed risk analyses in 2003, 2005, 2006, 2008, 2010, and 2013, but OCR’s investigation found that these analyses did not cover all ePHI in OHSU’s enterprise, as required by the Security Rule.”
- “We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure”
- "Although SJH hired a number of contractors to assess the risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by SJH, evidence indicated that this (risk analysis) was conducted in a patchwork fashion and did not result in an enterprise-wide risk analysis, as required by the HIPAA Security Rule."
The details of what assets OCR is looking for can be gleened from the associated Corrective Action Plans:
- This Risk Analysis shall incorporate … the risks to the ePHI on all of its electronic equipment, data systems, and applications controlled, administered or owned by Advocate or any Advocate Entity, that contain, store, transmit, or receive ePHI.
- TRIPLE-S shall conduct and complete an accurate, thorough, enterprise-wide risk analysis of security risks and vulnerabilities that incorporates all electronic equipment, data systems, programs and applications controlled, administered, owned, or shared by TRIPLE-S or its affiliates that contain, store, transmit or receive TRIPLE-S ePHI.
- This Risk Analysis shall incorporate the risks to the ePHI on all of its electronic equipment, data systems, and applications controlled, administered or owned by UMass or any UMass entity, that contain, store, transmit, or receive ePHI.
Ok, ok… we get the assets now… What facilities or locations are to be included?
- This Risk Analysis shall incorporate all UMass facilities, whether owned or rented, …that contain, store, transmit, or receive ePHI.
- This Risk Analysis shall incorporate all Advocate facilities, whether owned or rented, ….that contain, store, transmit, or receive ePHI.
- “UM shall draft an enterprise-wide risk analysis and corresponding risk management plan, that shall encompass all covered health care components …”
How comprehensive does the risk analysis need to be? Simple enough, all information assets in all lines of business in all facilities and in all locations. Information assets are systems, solutions, technology and devices that create, receive, transmit or maintain ePHI.
- Download the OCR-issued "Guidance on Risk Analysis Requirements under the HIPAA Security Rule" .
- Attend our May 3rd "Conversation with Former OCR Director Leon Rodriguez: What OCR Expects in Your HIPAA Risk Analysis" Learn how to conduct an OCR-quality risk analysis and what to expect from the new administration on HIPAA, among many other things. You may learn more and register here: http://bit.ly/ClearwaterLeonRodriguez
- Learn the definition of an information asset.
- Learn how Clearwater may complete a Confidential, Complimentary Review of your current risk analysis, under the direction of outside counsel, and advise you of important actions to take to conduct an OCR-Quality HIPAA Risk Analysis.