What Constitutes a Legitimate HIPAA Risk Analysis

How to Conduct a Bona Fide HIPAA Risk Analysis

Bob Chaput, CISSP
President Clearwater Compliance
LinkedIn Profile

In Chapter 3 of the relatively new National Institutes of Standards and Technology (NIST) Special Publication (SP) 800-30, a description for the process of assessing information for security risk is provided.

There’s a fair amount of confusion about what constitutes a legitimate HIPAA risk analysis. The NIST Risk Analysis process is illustrated below:

A bona fide HHS/OCR Risk Analysis is NOT:

  • A network vulnerability scan
  • A penetration test
  • A social engineering test
  • A configuration audit
  • A network diagram review
  • A questionnaire
  • Information system activity review

Although all of the items above have a place and use in managing information security, they do not, alone, constitute a legitimate HIPAA risk analysis. Sadly, some organizations have been led to believe otherwise and have completed their initial Meaningful Use attestations based on “bad advice”.

The HHS / OCR “Guidance on Risk Analysis Requirements under the HIPAA Security Rule” relies on the NIST Security framework and specifically NIST SP800-30 Revision 1 Guide for Conducting Risk Assessments – DRAFT. According to both documents and NIST SP800-30:

“A Risk Analysis is the process of identifying, prioritizing, and estimating risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, …, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. “

Bottom Line: if you have not or are not embracing a robust methodology that follows HHS/OCR and NIST guidance, you may be in big trouble with both OCR (Security, Privacy and Breach Rule enforcers) and CMS which operates the Meaningful Use EHR Incentive Program and will perform audits on attestations.

Bob Chaput, CISSP, is a leading HIPAA-HITECH compliance expert. He blogs regularly on the topic where this post originally appeared. His company, Clearwater Compliance, offers Continuing Professional Education Credits for participation in their Clearwater HIPAA Audit Prep BootCamp™. You can download a PDF for more information.