A security risk analysis is a vital part of the risk management process. According to the HIPAA Security Rule, all HIPAA-covered organizations must conduct them. This analysis helps your organization prevent, detect, contain, and correct security violations.
However, the rule itself is rather broad:
RISK ANALYSIS (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization]. -- Section 164.308(a)(1)(ii)(A)
Because the rule is broad, there is a lot of room for misunderstanding. Let’s address some common misconceptions about risk analyses.
Small practices do not have to do a risk analysis.
False. Small practices have needed to follow this rule since 2006. Small practices must do an initial analysis and continually monitor security at their organization. If you are a small practice and haven’t conducted a risk analysis by this point, this should be your top priority.
I only need to conduct a risk analysis once.
Not true. HIPAA does not specify how often you should conduct an analysis. This depends on your organization’s circumstances. Some do them every year, while others wait two or three years. However, the Office of National Coordinator recommends once a year or as needed. For example, conduct risk analyses after your organization goes through a big change, as changes can introduce new vulnerabilities.
There is only one way to conduct an analysis.
There are many ways you can approach it. Health and Human Services Office for Civil Rights provides guidance on meeting the risk analysis requirement. The NIST Publication 800-30 is another useful guide.
My practice meets the requirement by installing a certified EHR/EMR.
This is a common mistake! You need to take all electronic protected health information into account, not just what’s in your electronic health record (EHR) or electronic medical record (EMR). EHR/EMR vendors are only responsible for the security of their own systems. They can’t help with security risks elsewhere.
The goal of risk analysis is to detect threats and vulnerabilities at your organization. Once you’ve completed it, you must put policies and procedures in place to improve security.