Quite often, my HIPAA clients and those who read my blog ask what the difference is between a risk analysis and a risk assessment. In a global sense, there is no real difference. Although many definitions of risk analysis exist, the one from the “Essential Guide to Business Continuity and Disaster Recovery Plans” is a good one: “Risk analysis is the process of defining and analyzing the dangers to individuals, businesses, and government agencies posed by potential natural and human-caused adverse events.” Wikipedia, on the other hand, defines “risk assessment” as “the determination of quantitative or qualitative value of risk related to a concrete situation and a recognized threat (also called hazard). Quantitative risk assessment requires calculations of two components of risk (R): the magnitude of the potential loss (L), and the probability (P) that the loss will occur.”
Thus, in a global sense, risk analysis and risk assessment are the same thing. But do they differ under HIPAA? The requirement for risk analysis is spelled out in § 164.308(a)(1)(ii)(A). In the Office for Civil Rights’ “Guidance on Risk Analysis Requirements under the HIPAA Security Rule,” DHHS notes that “conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule.”
The Security Management Process standard in the Security Rule requires organizations to “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” (45 C.F.R. § 164.308(a)(1).) Risk analysis is one of four required implementation specifications that provide instructions to implement the Security Management Process standard. Section 164.308(a)(1)(ii)(A) states: RISK ANALYSIS (Required): Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].
Many other DHHS documents, such as this one, substitute “risk assessment” for risk analysis, confirming the conclusion above that in a global sense there is no real difference.
The one area of differentiation in HIPAA’s rules is in the breach reporting rules. They require a “risk assessment” of breaches to determine the probability of impermissible use or disclosure compromising protected health information, thereby requiring breach notification. This standard, in the so-called “Omnibus Rule,” replaces the previous harm standard, which had focused on whether the breach would cause harm to the subject of the breach. Under the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) and the Genetic Information Nondiscrimination Act (“GINA”), Other Modifications to the HIPAA Rules: Final Rule, which was published in the Federal Register on Friday, January 25, 2013, the following risk assessment factors are used in assessing the probability of impermissible use or disclosure compromising protected health information (“PHI”), thereby requiring breach notification. This “probability standard,” which replaces the “harm standard,” became effective March 26, 2013, and required compliance by covered entities and business associates on September 23, 2013.
Risk Assessment Factors. The risk assessment factors listed at 78 Federal Register 5695 are as follows:
“Except as provided in paragraph (1) of this definition, an acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E [HIPAA Privacy Rule] is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors”:
(2)(i). “The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification.” In the risk assessment, examine the sensitivity of the identifiers involved and the likelihood of re-identification or linkage to other information to determine probability of impermissible use or disclosure. The “identifiers of the individual or of relatives, employers, or household members of the individual” are at 45 CFR 164.514(b)(2)(i):
(A) Names;
(B) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:
(1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and
(2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
(C) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
(D) Telephone numbers;
(E) Fax numbers;
(F) Electronic mail addresses;
(G) Social security numbers;
(H) Medical record numbers;
(I) Health plan beneficiary numbers;
(J) Account numbers;
(K) Certificate/license numbers;
(L) Vehicle identifiers and serial numbers, including license plate numbers;
(M) Device identifiers and serial numbers;
(N) Web Universal Resource Locators (URLs);
(O) Internet Protocol (IP) address numbers;
(P) Biometric identifiers, including finger and voice prints;
(Q) Full face photographic images and any comparable images; and
(R) Any other unique identifying number, characteristic, or code.
(2)(ii). “The unauthorized person who used the protected health information or to whom the disclosure was made.” In the risk assessment, examine “whether the unauthorized person who received the information has obligations to protect the privacy and security of the information,” [78 Federal Register 5643] and the likelihood of re-identification, discussed above with respect to (2)(i), to determine probability of impermissible use or disclosure. The final rule expressly includes a factor that would require consideration of the re-identifiability of the information, as well as a factor that requires an assessment of the unauthorized person who used the protected health information or to whom the disclosure was made (i.e., whether this person has the ability to re-identify the affected individuals). [78 Federal Register 5644] For more on re-identification, see 45 CFR 164.514(c): Implementation specifications: re-identification.
(2)(iii). “Whether the protected health information was actually acquired or viewed.” In the risk assessment, consider the distinction between actual acquisition or view of unsecured protected health information versus the opportunity for the information to be acquired or viewed, to determine the probability of impermissible use or disclosure, as the following example in the Final Rule illustrates: “[I]f a laptop computer was stolen and later recovered and a forensic analysis shows that the protected health information on the computer was never accessed, viewed, acquired, transferred, or otherwise compromised, the entity could determine that the information was not actually acquired by an unauthorized individual even though the opportunity existed.” [78 Federal Register 5643]
(2)(iv). “The extent to which the risk to the protected health information has been mitigated.” In the risk assessment, “consider the extent and efficacy of the mitigation when determining the probability that the protected health information has been compromised,” [78 Federal Register 5643] as the following example in the Final Rule illustrates: “Covered entities and business associates should attempt to mitigate the risks to the protected health information following any impermissible use or disclosure, such as by obtaining the recipient’s satisfactory assurances that the information will not be further used or disclosed (through a confidentiality agreement or similar means) or will be destroyed,” . . . and “acknowledge that the recipient of the information will have an impact on whether the covered entity [or business associate] can conclude that an impermissible use or disclosure has been appropriately mitigated.”
But regardless of the fact that the Security Rule requires a risk analysis of all risks to PHI and the Omnibus Rule requires a risk assessment of whether a breach presents a low probability that the protected health information has been compromised, they are really the same thing: a risk analysis and risk assessment. It really doesn’t matter what you call it—analysis or assessment—you just have to do it and document it.