BLOG

We hear the terms risk assessment, risk analysis, and evaluation used routinely in healthcare settings, often in the context of HIPAA compliance.

The big question: is there a material difference between these terms from a HIPAA regulatory perspective?

Answering this question correctly is critical to maintaining HIPAA compliance and staying out of hot water with regulators. Many organizations that have misunderstood and misapplied these terms have ended up facing multi-million-dollar settlements with the Office for Civil Rights (OCR) for failure to comply with the HIPAA Security Rule.

This blog post provides guidance on how to interpret the terms risk analysis, risk assessment, and evaluation as they are defined in the HIPAA Security Rule and related guidance from HHS and OCR.

Additional information is also available in our companion blog: Healthcare Security Risk Assessment & HIPAA Security Risk Analysis FAQs.

What is a HIPAA risk analysis?

Risk analysis is one of four required implementation specifications in the Security Management Process section of the HIPAA Security Rule. The rule requires covered entities to “[c]onduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].”

The Security Rule does not prescribe any specific methodology for conducting a risk analysis, but HHS has issued guidance that provides definitions and refers to applicable standards such as NIST 800-66 and NIST 800-30.[2] Additional guidance is provided further along in this blog for what constitutes an acceptable risk analysis that would satisfy this HIPAA Security Rule provision.

Is risk assessment the same as risk analysis?

Yes. The terms security risk assessment and HIPAA security risk analysis are synonymous. The term HIPAA security risk analysis derives from the HIPAA Security Rule and generally refers to the provision in the Risk Analysis Implementation Specification of the HIPAA Security Rule (45 C.F.R. § 164.308(a)(1)(ii)(A)).

Risk assessment is the term most commonly used by cybersecurity and risk management professionals to describe the process of identifying enterprise cyber risks.

There is no material distinction between conducting a risk analysis or risk assessment from a HIPAA perspective. The risk analysis provision of the HIPAA Security Rule actually includes the term assessment in the implementation specification statement: “…[c]onduct an accurate and thorough assessment of the potential risks and vulnerabilities…”.

What is a security risk assessment?

According to the National Institute of Standards and Technology (NIST) Special Publication 800-39, a security risk assessment is “the process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place.”[3]

In the context of the healthcare industry, a security risk assessment typically refers to an enterprise-wide assessment of the potential threats to sensitive information and systems including PHI. A healthcare security risk assessment includes an evaluation of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of sensitive information and systems. A security risk assessment also assesses an organization’s capabilities for preventing, detecting, and responding to cyberattacks.

Based on Meditology’s experience having conducting hundreds of healthcare security risk assessment engagements, a security risk assessment should address the following considerations at a minimum:

1. Sensitive information discovery: where is our patient information and other sensitive information (e.g. PHI, credit card data, intellectual property, financial information)?
2. Threats actors: who are the bad guys and how likely are they to interact with our environment?
3. Threat vectors: what are the bad things that can happen and how likely are they to occur?
4. Vulnerabilities: how exposed are we and what weaknesses or security holes exist in our environment?
5. Impact analysis: if we have a bad day, how bad of a day will it be?
6. Risk determination: what are the most pressing areas we need to address?
7. Corrective action planning: how do we fix what we found?

Refer to the following related resources for more information on each of these areas:

• Blog Post: HIPAA Security Risk Analysis Fundamentals: Industry Tested, OCR Approved
• Webinar Replay: HIPAA Risk Analysis Fundamentals: Industry Tested, OCR Approved

Is HIPAA Security Risk Analysis the same as HIPAA Security Risk Management as defined in the HIPAA Security Rule?

No. HIPAA Security Risk Analysis is one of the components of the HIPAA Security Risk Management process (defined earlier in this blog). The HIPAA Security Risk Management process typically begins with one or more security risk assessments.

More specifically, risk management is a foundational provision of the Security Management section of the Security Rule. The provision requires covered entities to “[i]mplement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a) [(the General Requirements of the Security Rule)].”

Risk management activities should include the development of a risk management plan and supporting procedures that are informed by the risk analysis. A risk management plan defines how risk is managed for the covered entity, what is considered an acceptable level of risk based on management approval, the frequency of reviewing ongoing risks, and the workforce members’ roles in risk management processes. The security risk management plan should also include considerations for categorizing information systems based on criticality, selecting which security standards and controls will be applied, processes for implementing the plan, requirements for conducting ongoing risk analyses, business communication and approval processes for identified risks, and the ongoing tracking and monitoring of risks and associated corrective actions.

The results of a healthcare entity’s security risk analysis and security risk management processes serve as the starting point for the selection and implementation of organizational initiatives to protect patient information. Decisions for prioritizing and investing in security protections should be initially focused on the highest risk areas identified through risk management processes. Once critical and high-risk areas are addressed, more moderate risk areas should then be targeted for mitigation.

Financial and human capital resources for healthcare entities are finite. Healthcare providers must balance investments in security and compliance with competing priorities for resources and funding required to support the core business including investments in medical devices and innovative technology, physicians, nurses, technology, facilities, and more.

Is a HIPAA Security Rule evaluation the same as a risk analysis or risk assessment?

No. The HIPAA Security Rule has a separate provision for “evaluation”. The intent of this requirement is for covered entities and business associates to routinely review their organization’s compliance with the HIPAA Security Rule. This is commonly referred to in the industry as a HIPAA “gap analysis”.

A HIPAA Security Rule “gap analysis” evaluates the organization’s compliance with specific provisions of the regulation. A gap analysis is separate and distinct from the HIPAA risk analysis requirement as defined in the rule (45 C.F.R. § 164.308(a)(1)(ii)(A)) and as outlined earlier in this blog.

The specific provision related to evaluation is 45 C.F.R. § 164.308(a)(8) “Standard: Evaluation. Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart.”

Conducting a HIPAA Security Rule evaluation, or gap analysis for compliance with the Security Rule, will not satisfy the separate risk analysis requirement.

What industry resources are available to find out more about healthcare security risk assessment and HIPAA security risk analysis requirements?

OCR, CMS, and HIPAA.

To help guide regulated entities to comply with security risk assessment requirements, HHS, Office for Civil Rights (OCR), and the Centers for Medicare and Medicaid Services (CMS) have published a wide range of guidance and reference material since the introduction of the HIPAA Security Rule in 2003.

Guidance for conducting risk analyses and developing risk management programs, evaluating addressable standards, and other HIPAA compliance topics has been consistently published since the introduction of the HIPAA Security Rule. Guidance has included online resources such as frequently asked questions (FAQs), in person trainings and seminars, conference presentations, workshops, and other events and publications. HHS, OCR, and CMS have also directed regulated entities to resources related to other security standards and regulations including National Institute of Standards and Technology (NIST) and the Federal Trade Commission (FTC). Some examples:

• HHS Guidance on Security Risk Analysis
• HHS HIPAA Security Rule Guidance Materials
• CMS Security Risk Analysis Tip Sheet
• HHS Office of the National Coordinator Security Risk Assessment Tool

NIST also recently released a fairly comprehensive set of guidance for the healthcare industry, which Meditology summarized in our related blog: New NIST Guidance on Compliance with the HIPAA Security Rule.

Contact our team here at Meditology to learn more about healthcare security risk assessment services and advisory capabilities. We are glad to answer any questions you have about security risk assessments, HIPAA compliance, or other cybersecurity and privacy matters.