News & Resources

Publications & Media

Helpful Guidance from OCR on Conducting a Security Risk Analysis

Health Law Update Sarah E. Coyne

On May 7, 2010, the Office for Civil Rights ("OCR") issued draft guidance to organizations on how to comply with the risk analysis requirement in the HIPAA Security Rule. The guidance provides some insight on how the government expects covered entities and business associates to conduct a risk analysis. Note that this guidance does not relate to the risk of harm analysis inherent in the breach notification process mandated by HITECH and the subsequent DHHS rule. We hope to have additional guidance from the government shortly on that process, but this guidance relates to the risk analysis standard of the HIPAA security rule. This is the first in a series of guidance memoranda from the OCR.

A quick refresher for those of you who are not intimately familiar with HIPAA's Security Rule risk analysis requirements. The Security Rule has a security management process standard that requires organizations to implement policies and procedures to prevent, detect, contain and correct security violations. The security management process standard has implementation specifications that provide instructions to organizations on how to implement the standard. Risk analysis is one of the four required implementation specifications; it requires an organization to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information held by the organization.

Conducting a risk analysis is often an organization's first step in complying with the Security Rule. The findings from the risk analysis are essential in determining how to comply with many of the Security Rule standards and implementation specifications. As you may know, the Security Rule has several implementation specifications that are "addressable" rather than required. This means that an organization has to determine whether an "addressable" implementation specification is reasonable and appropriate, and if it is not, the organization must document why and adopt an equivalent alternative measure provided it is reasonable and appropriate to do so. The results of the risk analysis are critical in assessing whether an implementation specification or an equivalent alternative measure is reasonable and appropriate. For example, organizations can use the information obtained from their risk analysis to:

  • Design appropriate personnel screening processes.

  • Identify what data to backup and how.
  • Decide whether and how to use encryption.
  • Address what data must be authenticated in particular situations to protect data integrity.
  • Determine the appropriate manner of protecting health information transmissions.

The OCR recognizes that there are numerous methods of performing risk analysis, and there is no single method or "best practice" that guarantees compliance with the Security Rule. The OCR does, however, provide specific elements that an organization MUST incorporate into its risk analysis. So make sure your organization uses such elements when conducting your risk analysis. For more information on the elements, refer to the guidance here.

The OCR also references the National Institute of Standards and Technology ("NIST") Special Publication ("SP") 800-66 and NIST SP 800-30, among other NIST publications, as being useful to an organization when conducting a risk analysis.

Although the OCR does not intend the guidance to be a one size fits all blueprint for compliance with the risk analysis requirement, it is an extremely useful tool that provides organizations insight into OCR's expectations regarding risk analysis. We will keep you updated on further deep thoughts from the OCR.

For more information on HIPAA's Security Rule or other Health Law issues, please contact Sarah Coyne at (608) 283-2435 / sarah.coyne@quarles.com or your local Quarles & Brady attorney.