The HIPAA security rule asks covered entities (CE) to conduct a risk analysis under the security management plan. However, there is some confusion as to how often this analysis should be accomplished and to what level.  For the purposes of this article, lets stipulate that the term risk assessment means the same as risk analysis since the two terms are often interchanged.

Per the HHS website, the security rule does not specify how frequently to perform the risk analysis a part of a comprehensive risk management process.  The Security Management Process standard in the Security Rule requires organizations to implement policies and procedures to prevent, detect, contain, and correct security violations.  Risk analysis is one of four required implementation specifications that provide instructions to implement the Security Management Process standard.

Section 164.308(a)(1)(ii)(A) of the security rule reads:

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].

How often you perform the risk analysis will be based on the circumstances of the organization.  Some conduct it annually, while others wait two or three years.  Yet, others conduct a “review only” each and every year.  Again, this is up to your organization and its current circumstances such as a stable infrastructure, no serious security incidents, and level of risks, etc.  In addition to conducting the risk analysis for the security rule, you also must conduct it when meeting the Meaningful Use program.

There are some myths that persist many years after implementation of the security rule in April 2005 as well as for the Meaningful Use Program.  Let’s look at a few and determine the truth.

Myth:  Small practices do not have to be concerned with a risk analysis.

False:   Small practices were given an extra year to comply with the rule and needed to comply by April 2006.   Small practices must conduct an initial risk analysis and continuously monitor.  If you have not conducted a risk analysis by this point, this should become your top priority, as you are not in compliance with the Rule.


Myth:  The risk analysis needs only to be accomplished once.

False:   Although the security rule does not provide a frequency for how often it should be done, the Office of National Coordinator (ONC) recommends that it should be accomplished once a year or when changes to your practice or electronic systems occur.


Myth:  A checklist is good enough for a risk analysis.

False:   A checklist cannot provide a systematic security risk analysis.


Myth:  There is only one specific way to conduct a risk analysis.

False:   A risk analysis can be accomplished in many ways.  HHS does not prescribe a specific manner.  However, OCR has issued a Guidance on Risk Analysis Requirements of the Security Rule which provides steps on how to conduct a thorough analysis. You can also look at NIST Publication 800-30, Guide for Conducting Risk Assessment.


Myth:  Simply by installing a certified EHR/EMR, a practice is meeting the risk analysis requirement.

False:  Even if you install a certified EHR/EMR, you must accomplish a risk analysis to address all electronic protected health information, not just that which is in your EHR/EMR.


Myth:  My EHR/EMR vendor took care of all my privacy and security.

False:  Your vendor is only responsible for installing your electronic records system and will provide information about the security aspects of the product.  You are still responsible for conducting a risk analysis.


Myth:  Each year you have to redo your risk analysis for Meaningful Use.

False:  You must perform a risk analysis initially for Meaningful Use.  Afterwards, you may conduct a review during the reporting period.