Conducting a meaningful use security risk assessment has been a requirement for HIPAA covered entities since 2005, and now their business associates must also comply. The Meaningful Use program (Stage 1) also includes the requirement:

“Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process”

This is one of many objectives required in order for participating providers to earn significant incentive payments. Frequently, health care providers are confused about the terms analysis, assessment and audit – are these the same, or are they different?

Eagle uses the terms risk analysis and risk assessment interchangeably. Most commonly, this term is used in reference to the above requirement at 45 CFR 164.308(a)(1). There are different methodologies for a risk analysis/risk assessment – for example NIST SP 800-30, OCTAVE and FAIR. Any of these methodologies would be acceptable for fulfillment of this requirement, and other methodologies would also be acceptable in terms of HIPAA compliance. The end product is a written report that identifies risks (things that could go wrong), the probability that these risks could occur, the impact if they do occur, and recommended steps for reducing or transferring the risk. While this process will inquire about controls in place (e.g. whether user access credentials are removed when an employee is terminated), it will not necessarily verify that this process was completed with 100% accuracy.

An audit, however, is different. An audit is an examination which verifies that controls are in place and properly implemented. In the case of HIPAA, the Office for Civil Rights (OCR) has published a rigorous audit protocol. Others, for example Eagle Consulting, have created different HIPAA audit protocols which serve different management purposes. Still other audit protocols exist; for example, an audit of an organization’s firewall to validate that best practices were used. The key difference here is that an audit is an evaluation of compliance that requires physical evidence to prove such compliance. For example, to validate that user access credentials were removed, a list of employees terminated in the last 12 months might be compared to the list of authorized users in Active Directory.
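The terminated-user comparison described above is the kind of check an auditor can script so that the evidence is reproducible. The following is an added example, not code from Eagle Consulting or from this article. It assumes two constructed CSV exports: an HR termination list, and a directory account export with the columns username, enabled and last_logon (the sort of columns one would pull from an Active Directory user query). It reports which terminated users still have an enabled account and flags any that logged on after their termination date.

```python
import csv
import io
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed sample data for the example; not from any real organization.
# HR export: employees terminated in the 12-month review window.
HR_TERMINATIONS_CSV = """employee_id,username,termination_date
1001,jdoe,2023-03-15
1002,asmith,2023-06-01
1003,bwong,2023-09-20
1004,kpatel,2023-08-10
"""

# Directory export: one row per account, as a hypothetical AD query might produce.
DIRECTORY_CSV = """username,enabled,last_logon
jdoe,false,2023-03-14
asmith,true,2023-05-28
bwong,true,2023-10-02
cjones,true,2023-11-01
"""


def _parse_date(text: str) -> Optional[date]:
    """Parse an ISO date; an empty field (never logged on) becomes None."""
    text = text.strip()
    return date.fromisoformat(text) if text else None


def load_terminations(csv_text: str) -> Dict[str, date]:
    """Map normalized username -> termination date from the HR export."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["username"].strip().lower(): _parse_date(row["termination_date"])
            for row in reader}


def load_directory(csv_text: str) -> Dict[str, dict]:
    """Map normalized username -> {enabled, last_logon} from the directory export."""
    reader = csv.DictReader(io.StringIO(csv_text))
    accounts = {}
    for row in reader:
        accounts[row["username"].strip().lower()] = {
            "enabled": row["enabled"].strip().lower() == "true",
            "last_logon": _parse_date(row["last_logon"]),
        }
    return accounts


def reconcile(hr_csv: str, dir_csv: str, grace_days: int = 1) -> Dict[str, List[dict]]:
    """Compare terminations against directory accounts.

    Returns findings in three buckets:
      still_enabled      - terminated user whose account is still enabled (audit finding)
      not_in_directory   - terminated user with no account in the export (needs follow-up)
      verified_disabled  - terminated user whose account is disabled (control worked)
    A logon later than termination_date + grace_days is flagged as post-termination use.
    """
    terminations = load_terminations(hr_csv)
    accounts = load_directory(dir_csv)
    findings: Dict[str, List[dict]] = {
        "still_enabled": [], "not_in_directory": [], "verified_disabled": []}
    for user, term_date in terminations.items():
        acct = accounts.get(user)
        if acct is None:
            findings["not_in_directory"].append(
                {"username": user, "termination_date": term_date})
            continue
        if not acct["enabled"]:
            findings["verified_disabled"].append({"username": user})
            continue
        last_logon = acct["last_logon"]
        cutoff = term_date + timedelta(days=grace_days)
        findings["still_enabled"].append({
            "username": user,
            "termination_date": term_date,
            "last_logon": last_logon,
            "used_after_termination": last_logon is not None and last_logon > cutoff,
        })
    return findings


if __name__ == "__main__":
    result = reconcile(HR_TERMINATIONS_CSV, DIRECTORY_CSV)
    for bucket, items in result.items():
        print(f"{bucket}: {len(items)}")
        for item in items:
            print("   ", item)
```

The `still_enabled` list is the physical evidence the audit is looking for; the `used_after_termination` flag separates a missed deprovisioning step from an account that was actually used after the person left, which changes the severity of the finding. Entries in `not_in_directory` are not automatically clean: the account may have been deleted (good) or the HR and directory identifiers may simply not match, so they need a separate check rather than being counted as passes.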

HIPAA specifies a requirement for a periodic “Evaluation” at 164.308(a)(8). The exact wording of this requirement is: “Evaluation. Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity’s or business associate’s security policies and procedures meet the requirements of this subpart.” Eagle’s interpretation of this requirement is that an organization is obligated to conduct one or more periodic evaluations of its compliance. These could include an internal audit, such as the OCR audit protocol detailed above, a policy audit that evaluates whether the organization’s policies are sufficient for HIPAA compliance, or a technical evaluation such as a network vulnerability analysis.

Finally, we have the definition of a breach at 45 CFR 164.402. The acquisition, access, use or disclosure of PHI in a manner not permitted by the Privacy Rule requires a very specific and focused “risk assessment” to determine whether there is a “low probability” that the data was compromised. Eagle would also consider the term assessment as interchangeable with analysis here. Once again, there is a prescribed methodology that the organization must follow, which considers at least four specific factors.

Some people may think that we are splitting hairs but there are big differences between a “HIPAA security risk analysis,” a “HIPAA audit” and a “HIPAA breach risk assessment.” For any of these, a buyer should ask for a detailed description of the methodology that will be employed which will eliminate the ambiguity. Readers interested in Eagle’s services are invited to explore Eagle’s Risk Assessment Services for Hospitals or Risk Assessment Services for Physician Practices and request a quote.

Editor’s Note: Subsequent to the publication of this article, CMS has renamed the “Meaningful Use” programs and MIPS “Advancing Care Information” category to “Promoting Interoperability”.
