Search

Risk Analysis Pitfalls

From HIPAA Safe Issue 15


We wrote about how to perform a risk analysis (i.e. a risk assessment) in Issue 14. The 2016 Office of Civil Rights (OCR) Audit Protocol clarifies the Security Rule citation and confirms an expectation for:

  • a defined scope

  • details of identified threats and vulnerabilities

  • an impact and likelihood analysis, and

  • a risk rating.

The following examples may help improve security and validate a HIPAA Security program, but lack the measures to be considered a bona-fide risk analysis:

  • a HIPAA Security Rule compliance evaluation using the 2016 OCR Audit Protocol

  • an assessment of information services or technology security controls, even when mapped

  • from a reputable security controls source (e.g. NIST, SANS, etc.) to the Security Rule. This type for work does support §164.308(a)(8), “Evaluation”

  • completing a checklist. Risk is not “checked”, but calculated.


There are plenty of very thorough information security companies, but we recommend that Covered Entities (CE) and Business Associates (BA) seek a HIPAA dedicated company to help with at least one risk analysis. Understanding what a risk analysis is and is not helps verify a compliant risk analysis project.




2 views

Experience                   Integrity                        Results

Proteus Consulting, LLC

Hayden, ID, 83835

(208) 215.5607

Copyright © 2013 - 2020 Proteus Consulting, LLC