Risk Analysis Pitfalls
From HIPAA Safe Issue 15
We wrote about how to perform a risk analysis (i.e. a risk assessment) in Issue 14. The 2016 Office for Civil Rights (OCR) Audit Protocol clarifies the Security Rule citation and confirms an expectation for:
a defined scope
details of identified threats and vulnerabilities
an impact and likelihood analysis, and
a risk rating.
The following examples may help improve security and validate a HIPAA Security program, but lack the measures to be considered a bona-fide risk analysis:
a HIPAA Security Rule compliance evaluation using the 2016 OCR Audit Protocol
an assessment of information services or technology security controls, even when mapped from a reputable security controls source (e.g. NIST, SANS, etc.) to the Security Rule. This type of work does support §164.308(a)(8), “Evaluation”.
completing a checklist. Risk is not “checked”, but calculated.
There are plenty of very thorough information security companies, but we recommend that Covered Entities (CE) and Business Associates (BA) seek a HIPAA-dedicated company to help with at least one risk analysis. Understanding what a risk analysis is and is not helps verify a compliant risk analysis project.
