Risk Analysis Pitfalls

From HIPAA Safe Issue 15

We wrote about how to perform a risk analysis (i.e. a risk assessment) in Issue 14. The 2016 Office of Civil Rights (OCR) Audit Protocol clarifies the Security Rule citation and confirms an expectation for:

• a defined scope

• details of identified threats and vulnerabilities

• an impact and likelihood analysis, and

• a risk rating.

The following examples may help improve security and validate a HIPAA Security program, but lack the measures to be considered a bona-fide risk analysis:

• a HIPAA Security Rule compliance evaluation using the 2016 OCR Audit Protocol

• an assessment of information services or technology security controls, even when mapped

• from a reputable security controls source (e.g. NIST, SANS, etc.) to the Security Rule. This type for work does support §164.308(a)(8), “Evaluation”

• completing a checklist. Risk is not “checked”, but calculated.

There are plenty of very thorough information security companies, but we recommend that Covered Entities (CE) and Business Associates (BA) seek a HIPAA dedicated company to help with at least one risk analysis. Understanding what a risk analysis is and is not helps verify a compliant risk analysis project.