Risk Analysis Pitfalls

From HIPAA Safe Issue 15

We wrote about how to perform a risk analysis (i.e. a risk assessment) in Issue 14. The 2016 Office of Civil Rights (OCR) Audit Protocol clarifies the Security Rule citation and confirms an expectation for:

  • a defined scope

  • details of identified threats and vulnerabilities

  • an impact and likelihood analysis, and

  • a risk rating.

The following examples may help improve security and validate a HIPAA Security program, but they lack the required elements to be considered a bona fide risk analysis:

  • a HIPAA Security Rule compliance evaluation using the 2016 OCR Audit Protocol

  • an assessment of information services or technology security controls, even when mapped from a reputable security controls source (e.g. NIST, SANS, etc.) to the Security Rule. This type of work does support §164.308(a)(8), “Evaluation”, but it is not a risk analysis

  • completing a checklist. Risk is not “checked”, but calculated.

There are plenty of very thorough information security companies, but we recommend that Covered Entities (CE) and Business Associates (BA) seek a HIPAA-dedicated company to help with at least one risk analysis. Understanding what a risk analysis is, and what it is not, helps verify that a risk analysis project is compliant.
