Risk Analysis vs. Risk Assessment

MattFisherUnder HIPAA There is a Difference

By Matthew Fisher
Twitter: @matt_r_fisher

In discussions about HIPAA and risk determinations, the phrases “risk analysis” and “risk assessment” are occasionally used interchangeably. However, under HIPAA there is a difference between these phrases. Like many things under HIPAA, each phrase has its own special meaning and care should be taken when using or referring to obligations. Each refers to a different requirement for covered entities and business associates under HIPAA.

The confusion that these phrases can generate is pervasive among those who deal with HIPAA. The difference was actually the subject of a discussion on a health lawyer listserv that I subscribe to. The fact that lawyers who focus their practices on HIPAA felt the need to debate the difference highlights the lack of clarity in addition to the importance and need to careful consider the differences.

Under the HIPAA Security Rule, a “risk analysis” requires entities to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.” 45 CFR § 164.308(a)(1)(ii)(A). The risk analysis is a required element for entities to perform in complying with HIPAA. As the definition of the risk analysis sets forth, the goal is to identify vulnerabilities and weaknesses in an entity’s systems. This in turn will help guide the development of the entity’s security policies and procedures, which is the next step in complying with the requirements of the HIPAA Security Rule. Accordingly, a risk analysis is part of the compliance process.

By contrast, “risk assessment” shows up in the HIPAA regulations under the definition of “breach” in the Breach Notification Rule. 45 CFR § 164.402. More specifically, a risk assessment is what an entity must conduct in order to determine whether there is a low probability that protected health information has been compromised, which informs whether the breach notification requirements will come into play. As set forth in the definition of a breach, a risk assessment consists of, at least, the following four elements: (i) the nature and extent of protected health information involved, (ii) the identity of the unauthorized person that accessed the protected health information, (iii) whether the protected health information was actually acquired and/or viewed, and (iv) the extent to which the risk to the protected health information has been mitigated.

As the regulatory definitions show, both the requirements and context of a risk analysis and a risk assessment differ. A risk analysis is an essential first and ongoing step in setting an entity’s security policies, whereas a risk assessment is conducted to determine whether a breach of protected health information will be subject to reporting requirements.

Highlighting the potential for confusion between the two phrases is the name given to a recent security tool released by the Office of Civil Rights and Office of the National Coordinator for Health Information Technology, both within the Department of Health and Human Services. The tool is called a “Security Risk Assessment Tool.” However, it is designed to conduct a review of an entity’s operation for purposes of complying with HIPAA’s administrative, physician and technical safeguards, i.e. the Security Rule. Based upon the definitions set forth above, the tool is really a Risk Analysis Tool. This confusion of terms is unfortunate because it is the federal government driving the confusion.

With regard to the tool, entities should be careful when using it. A disclaimer contained on the website where it can be downloaded says it all. The disclaimer states that the tool is for informational purposes only and does not guarantee compliance with federal, state or local laws. As such, a good follow up question is what value does the tool provide? The tool can help an entity in getting an understanding of what it should be doing to comply with the HIPAA Security Rule. However, the tool really should not be relied upon without further guidance and advice. Every entity is well advised to seek outside assistance to fully understand its HIPAA obligations, develop appropriate policies and assess compliance.

Where terms of art are created, they should be followed. Failure to consider the meaning attached to terms of art can easily lead to non-compliance or causing confusion. From a legal perspective, if a term of art is established, then the meaning and requirements associated with that term will be raised, even if the context is not right. Therefore, in the HIPAA context, carefully consider what needs to be done when stating whether a “risk analysis” or “risk assessment” is what needs to occur. One goes to an overarching review of an entity whereas the other is done in response to a suspected breach.

About the author:  Matthew Fisher is the chair of the Health Law Group at Mirick, O’Connell, DeMallie & Lougee, LLP, in Worcester, MA.  Mat advises his clients in all aspects of healthcare regulatory compliance, including HIPAA, the Stark Law and the Anti-Kickback Statute.