HIPAA Security Rule - OCR Final Guidance on Risk Analysis

July 15, 2010

The HIPAA Security Rule requires certain organizations to implement policies and procedures to prevent, detect, contain, and correct violations of protected health information ("PHI").  Conducting a risk analysis is the first step required in this process.  On July 14, the Office for Civil Rights released final guidance regarding the procedure by which an organization conducts risk analysis.  Although the guidance drew heavily upon the earlier CMS publication titled HIPAA Security Series and publications from the National Institute of Standards and Technology, the guidance "explains several elements a risk analysis must incorporate."  The following summarizes the required elements that a risk analysis must include.

The main impact of this new guidance is to impose substantial advance planning and evaluation requirements on organizations dealing with e-PHI.

Required Elements in a Risk Analysis

1.  Scope. The scope of the risk analysis must encompass the potential risks and vulnerabilities to the confidentiality, availability and integrity of all PHI that is created, maintained, transmitted or received electronically ("e-PHI").

2.  Data Collection.  An organization must identify and document where all e-PHI is stored, received, maintained or transmitted.

3.  Identify Potential Threats and Vulnerabilities.  An organization must identify and document all reasonably anticipated threats to e-PHI as well as any potential vulnerability which, if exploited or triggered, would create a risk to e-PHI.

4.  Assess Current Security Measures. An organization must assess and document the current security measures used to safeguard e-PHI and whether such measures are properly configured and used.

5.  Determine the Likelihood of Threats.  The analysis must consider the probability of potential risks (the likelihood that a particular threat will exploit a given vulnerability) to e-PHI in order to determine which threats are "reasonably anticipated" and therefore required to be protected against.  An organization must document these results.

6.  Determine the Potential Impact of Threats.  The analysis must consider the impact of potential risks by assessing the magnitude of the potential impact that could result from a threat exploiting a given vulnerability.  An organization must document these results.

7.  Determine the Level of Risk.  An organization must assign and document the level of risk that each identified threat and vulnerability combination poses to the organization's security.

8.  Documentation and Periodic Review.  An organization must document its risk analysis process and conduct further analysis periodically and upon certain changes to the organization's status quo (e.g., experiencing a security incident, change in ownership, turnover of key staff, or the incorporation of new technology).

Although a risk analysis must incorporate the elements listed above, simply incorporating these elements, without more, does not guarantee compliance with the Security Rule's risk analysis requirement.  The final guidance should be read as a clarification of the expectations of the Department of Health and Human Services rather than as a blueprint for compliance.

If you would like additional information regarding this Legal Update, please contact Chad N. Eckhardt at ceckhardt@fbtlaw.com, Billy J. Mabry at bmabry@fbtlaw.com, or any other attorney in Frost Brown Todd's Health Law Practice Group.