Risk Analysis - What It Is...And Is Not

Risk Analysis is required by the HIPAA Security Rule in the very first implementation specification of the first standard, 164.308(a)(1)(ii)(A). Risk Analysis is also required as a core objective when attesting for Meaningful Use Stage 1. Yet about two-thirds of covered entities audited by OCR had not performed an adequate risk analysis. As a result, they had not properly identified the threats and vulnerabilities in their environment and were failing to adequately safeguard their ePHI. Those are OCR's words, and they are taking this very seriously.

You should as well. CMS and state Medicare offices are also aggressively performing MU audits on providers -- and risk analysis is one of their key targets. Some are being asked to return some or all of the incentive dollars they received since they obviously did not legitimately meet all the requirements.

There remain a lot of misconceptions about exactly what constitutes, in the eyes of HHS and OCR, a genuine and acceptable risk analysis. Well, maybe that's not the best way of looking at it. Wouldn't it be better to learn what a true risk analysis is, and then go about doing that? Sure, we need to satisfy HHS/OCR, but that should be a natural result of performing what actually amounts to a very smart business risk function. Right?

Right. So...just what is (and is not) a risk analysis (RA)? Well, it's not merely making sure you have a policy and/or procedure for every Security Rule citation (although that is important to do). Nor is it merely a penetration test of your network firewall (although that is important as well). It's also not a one-time event.

Risk Analysis is a process that involves events that result in information being gathered as input into your "analysis process". The analysis is ongoing in the sense that you will either be (1) analyzing and making decisions on past information, (2) receiving new information as things change in your environment, or (3) reviewing past information and decisions to ensure they are still relevant.  

Download this free whitepaper where we explain in more detail what a true Risk Analysis is, who needs to be involved, how and where to start, how to keep it current, and what to do with it once you have it.


