OCR Just Keeps Pounding Risk Analysis

The most recent resolution agreement from HHS highlights, yet again, the need for excellent documentation and follow-through on a genuine risk analysis. In case you haven't noticed, or haven't been reading the resolution agreements, HHS/OCR is making a point in almost every one of these reports: PERFORM YOUR RISK ANALYSIS (and follow through by addressing your risks).

Here's an excerpt from the opening of the resolution agreement involving the University of Washington Medicine:

"UW Medicine failed to implement policies and procedures to prevent, detect, contain, and correct security violations. Specifically it has failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI. (See 45 C.F.R. § 164.308(a)(1)(i))." [emphasis mine]

But it needs to be a real risk analysis. Not some half-hearted effort, but a genuine analysis of your environment that starts with discovering everywhere ePHI may live or move in your organization and an inventory of the assets that use, store or transmit ePHI. Folks, it's not that hard, but it does take an intentional effort and some time and resources. Once you know where all of your ePHI is located, you can take each ePHI scenario and inspect the things that make it vulnerable and the threats (human, environmental, and natural) that could take advantage of those vulnerabilities. Then it's just a matter of determining the likelihood that each risk would actually occur and what the impact would be if it did. If you're using the NIST model for risk analysis (see NIST 800-30), this culminates in a simple rating matrix. Of course, you want to preserve notes on how you decided on each rating. Voila! Now you have a risk analysis report.

That's a great start, but you're not done. You've only identified the risks that threaten your ePHI. Now, you must move into risk management and develop a plan to address each one. That doesn't mean you have to mitigate every risk on your report in the next week, but you need to have a plan and a schedule for getting to each one in a reasonable amount of time.
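As an added example (not from the original post), here is how the steps above could be captured in a small Python risk register: an inventoried ePHI asset, its threat and vulnerability, a likelihood and impact rating with the rationale recorded, a rating matrix to combine them, and a management plan that gives every risk a deadline. The three-level scale and the matrix are an assumption, a simplified stand-in for the qualitative tables in NIST 800-30, and the register entries are constructed, not real findings.

```python
from dataclasses import dataclass

# Qualitative scales. Assumption: a reduced three-level version of the
# five-level likelihood/impact scales in NIST SP 800-30 Rev. 1.
LEVELS = ["low", "moderate", "high"]
# Rating matrix: RISK_MATRIX[likelihood][impact] -> overall risk level.
# Assumption: a simplified matrix in the style of NIST SP 800-30 Table I-2.
RISK_MATRIX = {
    "low":      {"low": "low",      "moderate": "low",      "high": "moderate"},
    "moderate": {"low": "low",      "moderate": "moderate", "high": "high"},
    "high":     {"low": "moderate", "moderate": "high",     "high": "high"},
}

@dataclass
class Risk:
    asset: str          # where ePHI lives or moves (from the inventory step)
    threat: str         # human, environmental or natural threat
    vulnerability: str  # what would let the threat succeed
    likelihood: str
    impact: str
    rationale: str      # notes on how the two ratings were decided

    def level(self) -> str:
        """Look the pair up in the matrix; reject ratings outside the scale."""
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if value not in LEVELS:
                raise ValueError(f"{name} must be one of {LEVELS}, got {value!r}")
        return RISK_MATRIX[self.likelihood][self.impact]

def rate_register(risks):
    """Risk analysis output: (asset, threat, level) tuples, highest risk first."""
    rank = {lvl: i for i, lvl in enumerate(LEVELS)}
    return sorted(((r.asset, r.threat, r.level()) for r in risks),
                  key=lambda t: rank[t[2]], reverse=True)

def management_plan(risks, days_by_level):
    """Risk management step: every risk gets a remediation deadline by level."""
    return [{"asset": r.asset, "level": r.level(), "why": r.rationale,
             "due_in_days": days_by_level[r.level()]} for r in risks]

# Constructed sample register for a small practice (not real findings).
REGISTER = [
    Risk("clinic laptop", "theft (human)", "no full-disk encryption", "high", "high",
         "laptops leave the building daily; full patient list on disk"),
    Risk("PM server in basement", "flooding (natural)", "no off-site backup", "low",
         "high", "rare, but a loss would halt operations"),
    Risk("fax machine", "misdialed number (human)", "no confirmation step",
         "moderate", "low", "happens occasionally; one record per page"),
]
```

The rationale strings are what an auditor asks for later, so they travel with each entry rather than living in someone's head.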

Linda Sanches from the Office of Civil Rights said, "It's not about if you will have a breach, it's when. [Our] Enforcement is not about breaches, it's about whether or not you've done what you should have done to prevent it or mitigate the likelihood and impact in case it did." She's talking about using the risk analysis to figure out how your ePHI is at risk, and then using a risk management process to address each risk in a way that either eliminates it or reduces its likelihood or impact to a level low enough to be acceptable.

Performing a risk analysis, following up with risk management, keeping the documentation to prove your due diligence, and reviewing your risks periodically are paramount to sincere Security Rule compliance. If you haven't performed a real risk analysis, put it at the top of your priority list. If you need help, get help, but do it. Soon.

If you would like to read the resolution agreement and corrective action plan for the University of Washington Medicine, you can download it here: UW Medicine RA & CAP

Phil Cooper

Phil Cooper is a serial entrepreneur and co-founder of Skysail Software. He co-founded NetTech, an IT services company, in 1995, which he and partner Jeff Franks sold to MapleTronics Computers in 2009. He currently serves as CIO for MapleTronics and is the Chief Software Architect for Skysail Software. His years in the IT services field have provided ample opportunity to work with physicians and administrators in the medical community. This first-hand experience has helped him understand the struggles that many independent practices face in complying with HIPAA, especially the Security Rule. Along with Franks, Cooper decided it was time for the right tools to be built to assist the medical community with making HIPAA compliance manageable. So, Skysail Software was born. He has also served seven years on the board of Riverside Christian Academy, five as Board Chair, and has noted that it has been "one of the most significant and rewarding experiences of my life". He is an avid aviation buff and once had a rock band called Gantry... yes, along with Franks. Phil and his wife Debbie have two boys, Tyler and Ben, and reside in Fayetteville, TN.