A key reason for risk analysis failure during an audit by the HHS Office for Civil Rights is mistaking a technical or non-technical evaluation for a risk analysis.
That is the key takeaway from a recent presentation by Ilana Peters, former Acting Deputy Director of the HHS Office for Civil Rights, and Bob Chaput, CEO of Clearwater Compliance. The discussion was hosted via webinar by Clearwater Compliance.
In this discussion, Peters shared insights for Covered Entities and Business Associates drawn from her time at the Office for Civil Rights, which is responsible for conducting HIPAA audits. As HHS.gov notes, “The audit program is an important part of OCR’s overall health information privacy, security, and breach notification compliance activities. OCR uses the audit program to assess the HIPAA compliance efforts of a range of entities covered by HIPAA regulations.”
Don’t Confuse Assessments
Peters and Chaput highlighted three distinct assessments required by the HIPAA regulations, specifically in 45 C.F.R. §164.308(a). The three assessments are related but are not the same thing, which Peters explained is a common source of confusion. The assessments are:
- Compliance Assessment (aka Non-Technical Evaluation or Gap Analysis): This assesses compliance with the HIPAA regulations only, focusing primarily on policies, procedures, training, and adherence to those policies and procedures.
- Technical Assessment (aka Technical Security Evaluation): This is the class of assessments that evaluate and verify whether technical safeguards are effective. Examples include penetration testing, vulnerability scans, and phishing or social engineering tests.
- Risk Analysis (aka Risk Assessment): This looks at the security of, and the risks to, the entity and the information the entity maintains.
In Peters’ experience, audited entities often believed they were presenting a risk analysis when in fact they had presented only compliance assessments and/or technical evaluations, such as penetration testing results. She emphasized that being compliant and being secure are overlapping but different things.
Make the Risk Analysis Comprehensive
As Peters and Chaput described it, the purpose of a risk analysis is to “identify, rate and prioritize all risks” to an entity, especially risks to the confidentiality, integrity, and availability of the ePHI and other information assets. This requires going beyond a checklist approach, which is the other kind of insufficient risk analysis that the OCR audit often identifies.
An effective risk analysis requires a comprehensive understanding of the entire entity: a reasonable and appropriate level of detail on all of the entity’s assets, on how data is created, managed, and destroyed, and on the pertinent threats and vulnerabilities. In its guidance, OCR lays out 9 essential elements it expects from a risk analysis process, and it also references the detailed guidelines in NIST Special Publication 800-30. Additionally, Peters was quick to point out that the Security Risk Assessment Tool provided by OCR and the Office of the National Coordinator for Health Information Technology at HealthIT.gov is only meant as a starting point for entities to identify areas that will require more analysis.
The last point Peters and Chaput made about the risk analysis is that it is not a “one-and-done” assessment. Ongoing documentation, engagement, management, and updates are necessary, and not only because OCR expects them. Entities that maintain a living, regularly updated risk analysis are more secure, both operationally and financially, and can better protect their patients and customers.
Eagle Consulting Partners provides all three of the assessments required by the HIPAA regulations in addition to risk management support and other HIPAA consulting. Contact us for more information about addressing your HIPAA and security needs.