What are the requirements for a risk analysis according to the final HIPAA security rule?

HIPAA Weekly Advisor, May 2, 2003

Q: What are the requirements for a risk analysis according to the final HIPAA security rule?

A: Once a HIPAA team is formed and upper management sponsorship is obtained, a risk analysis is the first step towards security rule compliance.

The security rule requires covered entities to analyze their risk to determine what unauthorized uses, disclosures, and data integrity losses would occur if security measures were not in place. This risk analysis is an implementation specification. These specifications are a subset of the security management process standard, itself a part of the security rule's administrative safeguards. The other implementation specifications for this standard include developing a risk management program, developing a sanction policy, and performing ongoing information system activity reviews.

A risk analysis helps support the flexible and scalable characteristics of the security rule. This means that covered entities can use the results of the risk analysis to determine whether certain addressable implementation specifications have to be dealt with. The results of the risk analysis will require some (mostly larger) covered entities to tackle all implementation specifications, while smaller covered entities that are less information-systems intensive may have to tackle only the required specifications.

In addition, the security rule standards do not apply to any information in the risk analysis documentation, unless the documentation contains PHI. However, as with any other critical business records, it would be a good practice to ensure this information is kept secure and confidential.

A covered entity must know what it's trying to protect before it can actually protect it. The risk analysis will help determine the following:

  • What PHI exists
  • Where PHI flows and is stored throughout the covered entity's and business partners' information systems
  • What the threats and vulnerabilities are to that PHI
  • What could happen if the confidentiality of the PHI is breached
  • When and how PHI should be protected

You need the results of a risk analysis before you can move forward with any security rule compliance plans. These results can also help prove that upper management buy-in and other organizational efforts are not futile and can help secure a budget.

A risk analysis will help determine what policies, procedures, and technologies you'll need in order to meet HIPAA requirements and implement general best practices. This analysis might help you build a solid security infrastructure from scratch, or supplement an existing security infrastructure.

In addition, a risk analysis will reveal information that can help you develop an ongoing security strategy. That strategic information could include the following:

  • Whether or not encryption is necessary to protect the confidentiality of PHI
  • How comprehensive and detailed the security audit function needs to be
  • What data needs to be backed up
  • Who needs access to specific information within the organization
  • What access and authentication controls should be implemented
  • How much detail will be required for contingency plans and security incident plans
  • What physical facility controls and systems need to be put in place to strengthen the organization's overall security infrastructure
  • How information security and IT in general can be more tightly integrated with your organization's overall business objectives

Editor's note: Answered by Kevin Beaver, CISSP, founder and president of Atlanta-based information security consulting firm Principle Logic, LLC. 
