HIPAA Compliance Assessment vs. Risk Analysis

Bob Chaput
HIPAA-HITECH Data Security and Privacy Expert

Compliance Assessment? Risk Assessment? Risk Analysis? Compliance Analysis? Lots of confusion continues to swirl around the difference between a HIPAA Security Compliance Assessment and a HIPAA Security Risk Analysis. No wonder: the terms are often used interchangeably.
So let's end the confusion.
Technically, one might argue that, when it comes to regulatory compliance of any type, three types of assessment can be completed:
  1. Compliance Assessments answer questions like: "Where do we stand with respect to the regulations?" and "How well are we achieving ongoing compliance?"
  2. Risk Assessments (Risk Analysis, in HIPAA parlance) answer questions like: "What is our risk exposure to information assets (e.g., PHI)?" and "What do we need to do to mitigate risks?"
  3. Readiness Assessments answer questions like: "Have we implemented adequate privacy safeguards?", "Have we implemented adequate security safeguards?" and "Are we ready for an audit?"
We focus on the first two types of assessments in this post.
A thorough HIPAA Security Compliance Assessment broadly covers all aspects of the law, including all 18 Standards and 42 Implementation Specifications that comprise the Administrative, Physical and Technical Safeguards (CFR 164.308, 164.310 and 164.312). Additionally, this assessment covers CFR 164.314 and 164.316, related to Organizational Requirements, Policies and Procedures, and Documentation. This type of assessment is a critical step and should be completed whether one is just starting a HIPAA Security Compliance program or rejuvenating an existing one. The output of the assessment establishes a baseline against which overall progress can be measured by the executive team, compliance or risk officer, audit committee or board. Think FOREST view. At the end of such an assessment, one would have a Summary Compliance Indicator as illustrated below:
A HIPAA Security Risk Analysis (§164.308(a)(1)(ii)(A)) is required by law to be performed by every Covered Entity and Business Associate. Additionally, completing the Risk Analysis is a core requirement for meeting Meaningful Use. Section 164.308(a)(1)(ii)(A) of the HIPAA Security Final Rule states:
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].
As required by the HITECH Act, the Office for Civil Rights, within the Department of Health and Human Services (HHS), has issued final "Guidance on Risk Analysis Requirements under the HIPAA Security Rule". This guidance was published on July 8, 2010. No specific methodology was mandated. However, the guidance describes nine essential elements a Risk Analysis must incorporate, regardless of the risk analysis methodology employed. We have designed a Risk Analysis methodology and ToolKit around these elements, drawing on industry best practices.
So, when it comes to HIPAA Security Compliance Assessment, think:
  • Forest-level view
  • Overall compliance with the HIPAA Security Final Rule
  • Establishing baseline assessment for measuring progress
  • Asking: Have we documented appropriate policies and procedures, etc.?
  • Asking: Are we performing against our policies and procedures?
When it comes to HIPAA Security Risk Analysis, think:
  • Trees/weeds-level view of each information asset containing PHI
  • Meeting a specific step in the overall compliance process
  • Understanding current safeguards and controls in place
  • Asking: What are our specific risks and exposures to information assets?
  • Asking: What do we need to do to mitigate these risks?
Both the HIPAA Security Compliance Assessment and the HIPAA Security Risk Analysis are important and necessary steps on the HIPAA HITECH Security compliance journey.
About Bob Chaput
Bob Chaput, MA, CHP, CHSS, MCSE is president of HIPAA HITECH Compliance Advisors and Data Mountain LLC. He is also a contributing expert for HITECH Answers. He speaks and writes extensively on HIPAA and HITECH security matters and is a recognized HIPAA-HITECH data security and privacy expert. He can be contacted at: Bob.Chaput@H3CA.com