
Ensuring Compliance: Conducting Effective HIPAA Risk Assessments and Risk Management

Posted on March 7, 2025 in Information Technology

Written by: Hall Render Advisory Services

Many health care organizations are failing to properly implement the HIPAA Security Rule’s requirements for risk analysis and risk management, which are the foundation for safeguarding the confidentiality, integrity and availability of electronic protected health information (“ePHI”). According to the HHS Proposed Rule published January 6, 2025 (the “Rule”), most regulated entities have not adequately performed these critical processes. This widespread noncompliance leaves sensitive health information exposed. The HHS Office for Civil Rights has launched an enforcement initiative focused on the failure to perform a comprehensive, enterprise-wide risk analysis, and has already penalized several organizations under it.

What Is a Security Risk Assessment (“SRA”)?

During an SRA, a covered entity or business associate must “[c]onduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the organization” (45 CFR § 164.308(a)(1)(ii)(A)).

Currently, SRA components include:

  • Identifying all ePHI within your organization;
  • Identifying sources of ePHI; and
  • Identifying human, natural and environmental threats to information systems that contain ePHI.

The Rule, if adopted, would add even more components to this requirement and make it more onerous to perform.

What Does Risk Management Involve?

Per Section K of the Rule, the covered entity is required to “implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a) [(the General Requirements of the Security Rule)].” This is the same risk management standard found today at 45 CFR § 164.308(a)(1)(ii)(B); the Rule would add specificity to how it must be carried out.

Why Do Risk Analysis and Risk Management Not Get Appropriately Completed?

Currently, the Security Rule does not prescribe a specific risk analysis or risk management methodology, although the Rule proposes more rigorous requirements for both tasks. Performing risk analysis and risk management can be difficult because of the level of detail involved and the variation among covered entities. Confusion about where to start and which approach to take frequently leads to critical items being left incomplete.

Definitions

  • Vulnerability is defined in NIST SP 800-30 as “[a] flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.”
  • An adapted definition of threat, from NIST SP 800-30, is “[t]he potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.”
    • There are Natural Threats, Human Threats, and Environmental Threats
  • An adapted definition of risk, from NIST SP 800-30, is:
    • “The net mission impact considering (1) the probability that a particular [threat] will exercise (accidentally trigger or intentionally exploit) a particular [vulnerability] and (2) the resulting impact if this should occur. …[R]isks arise from legal liability or mission loss due to:
      • Unauthorized (malicious or accidental) disclosure, modification, or destruction of information
      • Unintentional errors and omissions
      • IT disruptions due to natural or man-made disasters
      • Failure to exercise due care and diligence in the implementation and operation of the IT system.”
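The definitions above are the inputs to a risk register: each row pairs a threat with a vulnerability on an asset holding ePHI, rates likelihood and impact, and derives a risk level so that risk management effort can be prioritized. The following Python is an added illustration, not code from the original post or from any OCR tool. Its numeric scales (likelihood 0.1/0.5/1.0, impact 10/50/100, risk levels cut at 10 and 50) follow the risk-level matrix in the 2002 edition of NIST SP 800-30; the sample entries are constructed for this example.

```python
"""Minimal risk register in the NIST SP 800-30 style (added example, not from the post)."""
from dataclasses import dataclass, asdict
from typing import Dict, List

# Qualitative-to-numeric scales adapted from NIST SP 800-30 (2002 edition);
# the exact values are this example's assumption, not a HIPAA requirement.
LIKELIHOOD = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT = {"Low": 10, "Medium": 50, "High": 100}


@dataclass
class RiskItem:
    asset: str          # system or location where ePHI lives
    threat: str         # human, natural or environmental threat source
    vulnerability: str  # flaw the threat could accidentally trigger or exploit
    likelihood: str     # Low / Medium / High
    impact: str         # Low / Medium / High

    def score(self) -> float:
        """Risk = probability the threat exercises the vulnerability x resulting impact."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def level(self) -> str:
        """Bin the score into the three-level risk scale (SP 800-30 Table 3-7 bands)."""
        s = self.score()
        if s > 50:
            return "High"
        if s > 10:
            return "Medium"
        return "Low"


def build_register(items: List[RiskItem]) -> List[dict]:
    """Return rows sorted highest risk first, ready for risk management decisions."""
    rows = []
    for item in items:
        if item.likelihood not in LIKELIHOOD or item.impact not in IMPACT:
            raise ValueError(f"unrated item: {item.asset}")
        row = asdict(item)
        row["score"] = item.score()
        row["level"] = item.level()
        rows.append(row)
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def summarize(register: List[dict]) -> Dict[str, int]:
    """Count rows per risk level; useful for reporting to leadership."""
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for row in register:
        counts[row["level"]] += 1
    return counts


# Constructed sample entries covering human, natural and environmental threats.
SAMPLE_ITEMS = [
    RiskItem("EHR database server", "external attacker (human)",
             "unpatched remote service", "High", "High"),
    RiskItem("Home-health nurse laptops", "theft or loss (human)",
             "full-disk encryption not enforced", "Medium", "High"),
    RiskItem("On-premises data center", "flooding (natural)",
             "no off-site backup copy", "Low", "High"),
    RiskItem("Billing file share", "insider misuse (human)",
             "overly broad read-access group", "Medium", "Medium"),
    RiskItem("Server room", "HVAC failure (environmental)",
             "no temperature alarm", "Medium", "Low"),
]

if __name__ == "__main__":
    register = build_register(SAMPLE_ITEMS)
    for row in register:
        print(f'{row["level"]:6} {row["score"]:6.1f}  {row["asset"]}: {row["threat"]} / {row["vulnerability"]}')
    print(summarize(register))
```

The point of the register is not the arithmetic but the discipline: every ePHI location gets at least one threat/vulnerability pair, every pair gets an explicit rating, and the resulting ordering is what the risk management plan under § 164.306(a) must respond to.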

What Does a Risk Assessment Provide You?

Organizations should use the findings of their assessment to select and implement security measures, including to:

  • Design personnel screening processes;
  • Plan data backup and recovery;
  • Determine where and how encryption should be used;
  • Determine what authentication is required to protect data integrity; and
  • Determine which policies and procedures need to be created or improved to protect ePHI.

OCR Provides an SRA Tool or Worksheet to Assist You

The SRA Tool can be a useful resource for conducting risk assessments, but many organizations find its structure complex and difficult to navigate. It requires a clear understanding of key areas (facilities, workforce, vendors) that are often not managed by IT, and its references to NIST and other control frameworks add further confusion. Many organizations struggle to determine who should be involved and how to apply the tool to their own environment. Without proper guidance, interpreting the tool’s findings and implementing the resulting risk management measures can be overwhelming.

Simplifying the SRA Tool

There are several risk assessment frameworks that can help you perform a risk assessment, and the SRA Tool is a good starting point. However, understanding where to begin is crucial.

The SRA Tool is divided into seven sections, and the first step is to identify the threats and vulnerabilities that could affect your organization. Hall Render Advisory Services can provide experienced guidance, including a structured matrix for interpreting those threats and vulnerabilities so they can be used effectively in completing the risk analysis. By asking the right questions and setting clear objectives for each section, organizations can streamline the process and ensure the appropriate individuals are involved in addressing specific areas of risk. Hall Render Advisory Services offers tailored support to help organizations understand the risk questions and complete the tool more efficiently, supporting compliance and establishing the right risk management program for your organization.

The Hall Render Advisory Services Advantage

Hall Render Advisory Services offers experienced advisors who can assess your current risk assessment and risk management processes to efficiently identify gaps and ensure compliance with regulatory requirements.

A fixed fee assessment of your existing environment will deliver a Security Risk Assessment that establishes the framework for your Security and Risk Management policies and procedures. Contact Hall Render Advisory Services today to get started.


Hall Render and Hall Render Advisory Services blog posts and articles are intended for informational purposes only. For ethical reasons, Hall Render attorneys cannot—outside of an attorney-client relationship—answer specific questions that would be legal advice.

If you have any questions, please contact one of the following or your regular Hall Render Advisory Services consultant.


Daniel K. Cumberland

(443) 951-7050


Mark D. Branstetter

(615) 423-6651


Michael A. Latcha

(269) 207-6382


John M. Norling

(214) 615-2010
