HIPAA Risk Analysis – Basics

What is Risk Assessment/Analysis?

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule, the HITECH Act, the Omnibus Rule, and the Meaningful Use (EHR Incentive Program) requirements all explicitly require covered entities and business associates to conduct a risk analysis. The purpose of the analysis is to determine whether the organization (covered entity or business associate) is meeting HIPAA's administrative, physical, and technical safeguards, and to identify the threats and vulnerabilities that put the organization's electronic protected health information (ePHI) at risk, together with the likelihood and impact of each.

What's in a HIPAA Risk Analysis?

The Department of Health and Human Services (HHS) does not prescribe a particular order or format for the risk analysis. However, the HIPAA Security regulation identifies specific topics that must be addressed as part of the analysis, and HHS's Guidance on Risk Analysis Requirements under the HIPAA Security Rule describes the expected elements: defining the scope (all ePHI the organization creates, receives, maintains, or transmits), collecting data on where that ePHI lives, identifying threats and vulnerabilities, assessing current security measures, determining the likelihood and impact of each threat occurrence, assigning a level of risk, documenting the results, and reviewing and updating the analysis periodically. Failure to address all of these topics may invalidate the risk analysis, because it would not satisfy the requirements of the regulation.

What's the importance of a HIPAA Risk Analysis?

Since the Security Rule's 2005 compliance date, the risk analysis (45 CFR 164.308(a)(1)(ii)(A)) has been the first implementation specification defined in the rule. The idea is simple: how will you know what you need to do if you have not established a baseline? The regulation and HHS guidance also require that the risk analysis be updated whenever there are changes in your environment (new systems, new locations, new vendors, a security incident). That wording may be interpreted as a requirement to conduct a risk analysis several times during the year; the overall industry guideline is that a HIPAA risk analysis should be performed at least once per year, and refreshed after any significant change.

Further evidence of the importance of the HIPAA risk analysis is that it has been a Meaningful Use attestation Core Measure in every year and in every program (Medicaid and Medicare). Recent HIPAA enforcement actions have also cited a missing or outdated risk analysis as the basis for penalties and large fines (over $1 million).

Recommendation

Conduct a HIPAA Risk Analysis every year, within that calendar year. In other words, conduct the risk analysis before December 31st of the same year, and keep the dated analysis, the risk register, and the remediation plan on file as evidence that it was done.