HIPAA Q&A on Risk Analysis

By Steve Spearman, Founder and Chief Security Consultant for Health Security Solutions
Twitter: @HIPAASolutions
LinkedIn: Our HIPAA Chat Group
Host of HIPAA ChatJoin us on the next broadcast.

Performing a risk analysis is the cornerstone of HIPAA compliance, so it’s important to understand the regulations that require risk analysis, as well as how to conform to these rules. This week’s Q&A with Steve Spearman, security expert and CEO at Health Security Solutions, focuses on understanding the essentials of risk analysis. Read on to learn more about security risk analysis requirements and guidelines on how to make informed decisions about your organization’s risk analysis policies.

Q: What is a Risk Analysis?
A: A risk analysis is a methodical, proactive process of identifying risks to the confidentiality, integrity, and availability of an organization’s electronic protected health information (ePHI), network, and IT assets. It is the very first HIPAA Security safeguard under the HIPAA Security Management Process Standard. It is also a requirement of Meaningful Use.

Q: What is the deadline for conducting your 2015 Risk Analysis?
A: The short answer is December 31, 2015.

Unfortunately, there’s been a lot of confusion about this. Initially, the rulemaking and guidance from the Office of the National Coordinator (ONC) made it clear that the risk analysis had to be conducted prior to the end of a covered entity’s Meaningful Use reporting period. However, updated guidance from CMS, as well as the moving target of current rulemaking has complicated the question. Last year, CMS (in this FAQ) indicated that the risk analysis can be done prior to attesting or during the calendar year of the reporting period, whichever comes first.

Although, it is likely that when the rulemaking becomes law in August, CMS will allow a 90-day reporting period in 2015. However, CMS will not open up its attestation portal for 2015 until January 2016. So based on the formula above, the risk assessment must be completed by December 31, 2015.

Q: How often should I get a risk analysis?
A: HIPAA doesn’t specify how often you should perform a risk analysis, but Meaningful Use does. Meaningful Use requires covered entities to either conduct a risk analysis or conduct a review of their most recent risk analysis every year during the reporting period.

Most information security experts would say that best practice is to conduct a risk analysis every year. This is true even if an organization is not involved with Meaningful Use. An organization should also do a risk analysis if it goes through a significant operational change, such as moving to a new building or adopting a new electronic health record.

We recommend that organizations adopt policies that require a full risk analysis at a minimum of every three years with reviews in the intervening years, unless there’s a significant change in operations.

Q: What is the difference between a review and a full risk analysis?
A: A review is iterative. A review requires the assessor to document updates and changes that have occurred since the last risk analysis. This should include documenting security incidents, updates to policies, changes in IT asset inventory, and other operational changes. The review should then record working controls and recommend new controls and measures that should be considered to address current security issues.

Q: Is there a difference between a Meaningful Use Risk Analysis and a HIPAA Risk Analysis?
A: In the past, I always said “NO” to this question. However, the current rulemaking (likely to soon become law) will somewhat narrow the scope of the risk analysis requirement for meaningful use purposes. Specifically, it would allow a covered entity to restrict the scope of its “Meaningful Use risk analysis” to its electronic health record and supporting assets.

However, I am concerned about this change. HIPAA requires entities to assess the risks associated with all their assets. For minimal extra effort, providers and hospitals can conduct a risk analysis that will meet the requirements of both HIPAA and Meaningful Use. This is what providers should do.

Q: What is the relationship between the HIPAA Evaluation Standard and Risk Analysis?
A: The relationship is simple. HIPAA’s evaluation standard requires covered entities to understand and document the risks associated with operational decisions and changes. Risk analysis is the most important tool that entities have for evaluating those changes.

Q: Can I do an in-house risk analysis or do I have to hire a third party?
A: A covered entity can conduct its own risk analysis. However, the risk analysis has to be thorough enough to pass an audit, and many covered entities and physicians don’t have the resources, time, or expertise to conduct a risk analysis that would pass muster. If organizations wish to conduct their own risk analysis, they should commit to the resources needed to develop in-house expertise and to acquiring the tools needed to perform the risk analysis.

Q: How do I conduct a risk analysis?
A: There is no one right way to do a risk analysis, but it is a good idea to follow accepted standards and best practices related to conducting a risk analysis. The most common reference is NIST Special Publication 800-30, a Guide for Conducting Risk Assessment.

Broadly speaking, a covered entity needs to identify the assets it uses to process, transmit, store, and manage ePHI. They should also categorize those assets according to risk and document the controls currently in place to protect those assets, controls that are absent, and those that need to be added in order to secure ePHI to a reasonable level.

Q: What are some common pitfalls of conducting a risk analysis?
A: There are a number that people should watch out for. For example, a person or a covered entity using nothing but a checklist to run a risk analysis may run into some trouble. Many risk analysis experts, including me, use checklists in our practices, but on their own, checklists cannot sufficiently identify risks to the degree that regulations require. For example, most checklists are regulation and policy-focused. So a checklist asking you to confirm the presence of a policy required by a regulation is useful for determining compliance risk. However, a checklist will not tell you whether an exploit exists on a particular machine that could jeopardize the security of ePHI.

Another common pitfall would be failing to perform an inventory. Any risk analysis method that does not include an IT asset inventory is likely flawed and insufficient. Covered entities need to identify and know the risks of the assets they use to store and transmit ePHI.

A security risk analysis burdens organizations with knowing the risks and threats to ePHI, not just checking off regulatory requirements and policies. A covered entity must have a risk analysis policy and procedure in place that will properly identify risks and threats to ePHI.

Q: Are there any tools to help entities perform their own risk analyses? Do you recommend any of them?
A: There are some tools, but I have concerns about their efficacy. Two tools that I do not recommend are HHS’ Risk Analysis Toolkit and the NIST HIPAA Security Rule Toolkit. I have said in previous posts that these tools both do too much and do too little. Both of these toolkits do “too much” because they’re tied to the NIST framework, which includes regulations that are not binding on most healthcare organizations. They do “too little”, particularly the HHS tool, because they do a poor job of identifying risks as required by HIPAA regulations. My main complaint about the NIST tool is that it is very difficult to use. It is extremely redundant and requires more expertise than most covered entities will have at their disposal. In this tool, there are two assessment modes: enterprise and standard. The standard mode has almost 500 questions, and the enterprise version more than 900 questions. The NIST tool might be useful in the hands of an expert, but no expert I know actually uses it.

The two self assessment tools that I will sometimes recommend are the HIMSS Risk Analysis Toolkit and the National Learning Consortium’s Risk Analysis. Generally though, I recommend that organizations either develop in-house expertise and resources or hire a vendor with risk analysis expertise, such as that provided by Health Security Solutions.

PLEASE NOTE: For Health Security Solutions, the last quarter of every year tends to get booked quickly because providers and hospitals wait until the last minute to conduct their risk analysis. Because of the December 31st deadline mentioned above, we expect the same pattern to repeat in 2015. If you are at all interested in having Health Security Solutions help you with your risk analysis, please contact us as soon as possible.

Steve Spearman hosts HIPAA Chat, a show produced by HITECH Answers airing on our Internet radio station, HealthcareNOWradio.com. Learn more about HIPAA Chat or download podcasts of the show. Find out more about attending the next taping of HIPAA Chat and ask your questions directly to Steve.