I just got back from another seminar trip, this one to New England. I always ask my seminar attendees whether they have completed a formal, written risk analysis. I shouldn’t be surprised that in Boston no one raised a hand, because at every seminar fewer than 10 percent raise their hands to say they have done one. Admittedly, in some cases someone may have done one in the past; it is filed away somewhere, and they could find it if they looked for it. But in those cases, it appears that those covered entities still are not complying with the Security Rule’s Evaluation standard, which requires periodic updates of earlier risk analyses. I recommend an annual evaluation for larger and more risky entities, such as mental and behavioral health practices. A less risky practice, such as a dentist or physical therapy practice that does not have professional athletes as patients, may be able to update its risk analysis every two years.
45 Code of Federal Regulations § 164.308(a)(1)(ii)(A) makes risk analysis a required implementation specification under the Security Management Process standard of the Security Rule. The Evaluation standard, § 164.308(a)(8), requires a periodic technical and nontechnical evaluation of how well your security measures continue to meet the Rule’s requirements, and § 164.316(b)(2)(iii) requires that your documentation, the risk analysis included, be reviewed periodically and updated as needed. And even if HIPAA did not require risk analysis, you should do it anyway to ensure that your security measures are adequate. If you implement a security measure without performing a risk analysis, you are just guessing.
And performing risk analysis would seem even more important now with the enhanced enforcement discussed in my June 17th blog entry below. Failing to perform risk analysis at all would very likely be treated as willful neglect, which dramatically increases the civil money penalties and prevents DHHS from waiving them.
Performing risk analysis is not difficult. It is largely common sense. The Security Rule does not specify how to perform risk analysis, but I have found a seven-step process to work very well.
1. Assemble a good team.
2. Inventory assets. What do you have to protect? To the extent that your records are automated, the data resides in a system, and you must protect all of the components of that system to protect the data.
3. Determine risks to that data and the system components.
4. Quantify the risks. How likely are the risks to occur, and how harmful will they be if they do occur?
5. Identify potential security measures.
6. Select reasonable, cost-effective security measures by balancing the cost of each security measure against the harm that would occur if the measure is not implemented.
7. Test and revise your security measures.
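The steps above are a method, and steps 2 through 6 can be carried out as a small, quantitative risk register. The following is an added example for illustration; it is not part of the original post or of the toolkit it describes. It assumes the common annualized-loss model for step 4 (annualized loss expectancy, ALE, equals the annual rate of occurrence times the single loss expectancy) and, for step 6, treats a measure as reasonable and cost-effective when the yearly loss it is expected to avoid exceeds its yearly cost. Every asset, threat, dollar figure and control in it is constructed for illustration only.

```python
"""Quantitative risk register covering steps 2 through 6.

Added example, not from the original post or its toolkit. Assumes the
annualized-loss model (ALE = ARO x SLE) for step 4 and a positive net benefit
as the "reasonable, cost-effective" test for step 6. All assets, threats,
figures and controls below are constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """Step 2 (asset) and step 3 (threat) with step 4's two numbers attached."""
    asset: str
    threat: str
    aro: float  # annual rate of occurrence: expected incidents per year
    sle: float  # single loss expectancy: dollar harm per incident

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: expected dollar loss per year."""
        return self.aro * self.sle


@dataclass(frozen=True)
class Control:
    """Step 5: a candidate measure, its yearly cost, and which risks it reduces."""
    name: str
    annual_cost: float
    # (asset, threat) -> fraction of that risk's current ALE the control removes
    ale_reduction: dict[tuple[str, str], float]


def net_benefit(control: Control, residual: dict[tuple[str, str], float]) -> float:
    """Step 6 test: expected loss avoided per year minus the control's cost.

    Computed against the residual ALE so that a second control aimed at a
    risk already reduced by a first one is not credited with the same dollars
    twice.
    """
    avoided = sum(residual.get(key, 0.0) * frac
                  for key, frac in control.ale_reduction.items())
    return avoided - control.annual_cost


def select_controls(risks, controls):
    """Greedy step 6: repeatedly adopt the control with the largest positive
    net benefit against the current residual ALE until none is worth its cost.

    Returns the adopted control names, in order, and the residual ALE by risk.
    """
    residual = {(r.asset, r.threat): r.ale for r in risks}
    remaining = list(controls)
    selected = []
    while remaining:
        best = max(remaining, key=lambda c: net_benefit(c, residual))
        if net_benefit(best, residual) <= 0:
            break  # the harm avoided no longer justifies the cost
        for key, frac in best.ale_reduction.items():
            if key in residual:
                residual[key] *= 1.0 - frac
        selected.append(best.name)
        remaining.remove(best)
    return selected, residual


# Constructed sample register for a small practice (illustrative numbers only).
RISKS = [
    Risk("EHR server", "ransomware", aro=0.2, sle=250_000),
    Risk("clinician laptop with ePHI", "loss or theft", aro=0.5, sle=60_000),
    Risk("backup tapes", "lost in transit", aro=0.1, sle=80_000),
]

CONTROLS = [
    Control("offline, tested backups", 6_000,
            {("EHR server", "ransomware"): 0.7}),
    Control("full-disk encryption on laptops", 2_000,
            {("clinician laptop with ePHI", "loss or theft"): 0.9}),
    Control("staff phishing training", 1_500,
            {("EHR server", "ransomware"): 0.4}),
    Control("encrypted tapes and bonded courier", 3_000,
            {("backup tapes", "lost in transit"): 0.9}),
    Control("24x7 managed SOC", 40_000,
            {("EHR server", "ransomware"): 0.5}),
]


if __name__ == "__main__":
    chosen, residual = select_controls(RISKS, CONTROLS)
    print("Initial ALE: ${:,.0f}".format(sum(r.ale for r in RISKS)))
    for name in chosen:
        print("adopt:", name)
    print("Residual ALE: ${:,.0f}".format(sum(residual.values())))
```

With the constructed figures, the register adopts backups, laptop encryption, phishing training and tape encryption, in that order, and rejects the managed SOC because the loss it would avoid for this practice is far below its cost. Two design points matter in practice: the likelihood and harm figures in step 4 must be written down before any control is evaluated, otherwise step 6 is the guessing the post warns about; and crediting each control against the residual rather than the original ALE prevents two overlapping controls from each claiming the same avoided loss.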
My HIPAA Document Resource Center CD, 4th ed., which accompanies my Compliance Guide to HIPAA and the DHHS Regulations (4th ed.), contains a risk analysis toolkit that leads you through this process step-by-step. Both the book and the CD are available on this website. If you want help with conducting your risk analysis or any other aspects of your HIPAA compliance efforts, call our HIPAA consulting company, EMR Legal, at 913-385-9367.