HIPAA Risk Analysis Tip – Does OCR really use the “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”?


Short Answer: YES! 

As long ago as June of 2005, the Department of Health and Human Services (HHS) began publishing a series of seven security articles providing guidance on the “Security Standards for the Protection of Electronic Protected Health Information,” commonly called the Security Rule. Updated in March of 2007, the sixth in the series was entitled “Basics of Risk Analysis and Risk Management” and outlined:

  • The relevant Security Rule implementation specifications for Risk Analysis and Risk Management,
  • The definitions involved in these activities, such as “threats,” “vulnerabilities” and “risk,” and their relationships to each other, referencing NIST Special Publication (SP) 800-30, and
  • An example of process steps adapted from NIST SP 800-30, which started with the scope of the analysis and the gathering of “data” before considering the threats and vulnerabilities.

On July 14, 2010, OCR posted “Guidance on Risk Analysis Requirements under the HIPAA Security Rule” on its website, once again referencing NIST, this time SP 800-66 and SP 800-30, and suggesting that organizations consider the following questions:

  • Have you identified the e-PHI within your organization? This includes all e-PHI that you create, receive, maintain or transmit.
  • What are the external sources of e-PHI? For example, do vendors or consultants create, receive, maintain or transmit e-PHI?
  • What are the human, natural, and environmental threats to information systems that contain e-PHI?

Findings, reported by Linda Sanches, from the Phase 1 Audits of 2012 included that two-thirds of entities had “no complete and accurate risk assessment.” In April 2016, the audit procedures were considerably expanded in the Phase 2 Audits to include evidence that “all” systems that create, receive, transmit and maintain ePHI have been identified, along with the threats to, and vulnerabilities of, those assets. In addition, the auditors are to examine documentation of an assessment of the security measures currently addressing those vulnerabilities, an impact and likelihood analysis and a resulting risk ranking, followed by risk remediation activities.
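As an added illustration (not code from this post or from Clearwater), the following minimal risk register captures the elements the Phase 2 audit protocol described above asks for, flags entries that leave one of them undocumented, and ranks the complete entries; the 1-5 rating scales and the sample systems are assumptions.

```python
from dataclasses import dataclass

# Elements an auditor expects to see documented for every ePHI asset
# (assumption: likelihood and impact are rated on a 1-5 scale).
REQUIRED = ("asset", "handles", "threat", "vulnerability",
            "current_controls", "likelihood", "impact")


@dataclass
class RiskItem:
    asset: str              # system that creates/receives/maintains/transmits ePHI
    handles: tuple          # which of those four activities apply
    threat: str             # human, natural or environmental threat
    vulnerability: str
    current_controls: str   # security measures already addressing the vulnerability
    likelihood: int         # 1 (rare) .. 5 (expected)
    impact: int             # 1 (negligible) .. 5 (severe)
    remediation: str = ""   # planned risk-management action, may be pending

    def score(self) -> int:
        return self.likelihood * self.impact


def missing_elements(item: RiskItem) -> list:
    """Return the expected elements this entry leaves blank or out of range."""
    gaps = [f for f in REQUIRED if not getattr(item, f)]
    if not all(1 <= getattr(item, f) <= 5 for f in ("likelihood", "impact")):
        gaps.append("rating out of range")
    return gaps


def rank_register(register: list) -> list:
    """Complete entries only, highest risk first: (asset, threat, score)."""
    complete = [r for r in register if not missing_elements(r)]
    return [(r.asset, r.threat, r.score())
            for r in sorted(complete, key=lambda r: r.score(), reverse=True)]


# Constructed sample register; these are not real systems.
SAMPLE = [
    RiskItem("EHR database", ("create", "maintain"), "ransomware",
             "unpatched OS", "AV, weekly patching", 4, 5, "add offline backups"),
    RiskItem("Billing vendor SFTP", ("transmit",), "interception",
             "cleartext fallback allowed", "TLS enforced", 2, 4),
    RiskItem("Laptop fleet", ("receive", "maintain"), "theft",
             "no disk encryption", "", 3, 5),  # blank, not "none": incomplete
]
```

An entry whose current controls are genuinely absent should say so explicitly; a blank field is what the auditor reads as an undocumented assessment.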


Despite specific guidance from OCR to start with the identification of assets containing PHI, and repeated reminders to organizations at conferences and other speaking opportunities, OCR findings in complaint and breach investigations continue to show that organizations are coming up short on risk analysis and risk management programs. Nine out of 10 organizations that have entered into a settlement agreement with OCR due to the compromise of electronic PHI had not started with the identification of “all electronic equipment, data systems, programs and applications controlled, administered, owned, or shared that contain, store, transmit or receive PHI.”


Too often, their audit reports or initial investigation findings start with this: “OCR has determined that the risk analysis submitted by your organization as part of its recent response does not meet the requirement set forth at 45 CFR § 164.308(a)(1)(ii)(A). Please review OCR’s guidance on the Security Rule’s risk analysis requirement located at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalintro.html”


Now what?

  1. Download the OCR-issued “Guidance on Risk Analysis Requirements under the HIPAA Security Rule.”
  2. Follow the process! There’s a reason. The ePHI you create, receive, maintain or transmit will be safer, your patients/members will continue to trust you, and you’ll sleep better at night knowing that you’re doing the right thing.
  3. Attend our May 3rd “Conversation with Former OCR Director Leon Rodriguez: What OCR Expects in Your HIPAA Risk Analysis.” Learn how to conduct an OCR-quality risk analysis and what to expect from the new administration on HIPAA, among many other things. You may learn more and register here: http://bit.ly/ClearwaterLeonRodriguez
  4. Learn how Clearwater may complete a Confidential, Complimentary Review of your current risk analysis, under the direction of outside counsel, and advise you of important actions to take to conduct an OCR-Quality HIPAA Risk Analysis.

About the Author: Bob Chaput

Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.