Proposed HIPAA Security Rule Addresses Failure to Have an Appropriate Risk Analysis

Posted on April 23, 2025 in Information Technology

Written by: Hall Render Advisory Services

Hall Render Advisory Services has been reviewing the proposed changes to the HIPAA Security Rule (the “Proposed Rule”) and has identified several topics that warrant attention for all affected entities. In response, we’re launching a series of articles that take a closer look at these critical topics and provide guidance on how to prepare for potential changes. We begin this series with a review of the HIPAA Security Risk Assessment process, an essential component in aligning your organization with the evolving regulatory landscape.

The Proposed Rule would strengthen requirements for performing a HIPAA Security Risk Assessment (See D. Section 164.308(a)(2)(i)). The Office for Civil Rights (“OCR”) has consistently cited risk analysis-related failures as a basis for noncompliance. In fact, during audits of 166 covered entities and 41 business associates in 2016 and 2017, OCR found that only 14 percent of covered entities and 17 percent of business associates had satisfied their obligations with respect to risk analyses. According to the OCR, the audited entities generally failed to:

  • Identify and assess the risks to all of the ePHI in their possession or even develop and implement policies and procedures for conducting a risk analysis.
  • Identify threats and vulnerabilities to consider their potential likelihoods and effects, and to rate the risk to ePHI.
  • Review and periodically update a risk analysis in response to changes in the environment and/or operations, security incidents, or occurrence of a significant event.
  • Conduct risk analyses consistent with policies and procedures.

See 90 F.R. 898, 940 (January 6, 2025).

Challenges Highlighted by the Proposed Rule

This is challenging for all covered entities, but particularly for those that have small IT teams or rely on third parties to perform the tasks required by the HIPAA Security Rule. The Proposed Rule cites several key reasons why risk assessments are not being performed correctly:

  1. Failure to Identify and Assess Risks: Many entities do not identify and assess the risks to all of the ePHI in their possession or develop and implement policies and procedures for conducting a risk analysis.
  2. Inadequate Identification of Threats and Vulnerabilities: Entities often fail to identify threats and vulnerabilities, consider their potential likelihoods and effects and rate the risk to ePHI.
  3. Lack of Periodic Review and Updates: Risk analyses are not reviewed and updated periodically in response to changes in the environment and/or operations, security incidents or the occurrence of significant events.
  4. Non-compliance with Policies and Procedures: Risk analyses are not conducted consistently with policies and procedures.
  5. Failure to Document Efforts: Entities commonly fail to document efforts to develop, maintain and update policies and procedures for conducting risk analyses.
  6. Reliance on Third Parties: Many entities rely on outside persons to manage or perform risk analyses, but these outside persons frequently fail to meet the requirements of the Proposed Rule.
  7. Incorrect Assumptions: Entities incorrectly assume that a purchased security product satisfies all of the Proposed Rule’s requirements.
  8. Lack of Holistic Risk Analysis Programs: Numerous investigations reflect the failure of entities to develop and implement holistic risk analysis programs.
  9. Specific Case Examples: The Proposed Rule provides specific case examples, such as a health system’s failure to conduct a compliant risk analysis in the aftermath of a ransomware attack, and a medical center’s failure to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of all ePHI held by the medical center.

Implementation Specifications

OCR has relied on many different sets of guidance to help covered entities and business associates understand the need to perform a risk analysis and has provided tools to help those organizations. These tools and guidance have not proven effective, and using them requires more experienced resources to understand how to assess an organization’s risks. Organizations need a framework for implementing a risk management process that can be easily understood by leadership and IT.

The Proposed Rule would establish eight implementation specifications for a written assessment that would require the regulated entity, at a minimum, to perform and document all of the following:

  1. Review Technology Asset Inventory and Network Map: Identify where ePHI may be created, received, maintained or transmitted within the entity’s information systems.
  2. Identify Threats: Identify all reasonably anticipated threats to the confidentiality, integrity and availability of ePHI.
  3. Identify Vulnerabilities: Identify potential vulnerabilities and predisposing conditions to the entity’s relevant electronic information systems.
  4. Assess Security Measures: Document the security measures used to protect the confidentiality, integrity and availability of ePHI.
  5. Determine Likelihood of Threat Exploitation: Make a reasonable determination of the likelihood that each identified threat would exploit the identified vulnerabilities.
  6. Determine Impact of Threat Exploitation: Make a reasonable determination of the potential impact of each identified threat should it successfully exploit the identified vulnerabilities.
  7. Assess Risk Level: Create an assessment of risk level for each identified threat and vulnerability.
  8. Evaluate Business Associate Agreements: Assess risks to ePHI posed by entering into or continuing a business associate agreement or other written arrangement with any prospective or current business associate.

Additionally, the Proposed Rule specifies that the written assessment should be reviewed, verified and updated on an ongoing basis, at least once every 12 months, and in response to changes in the entity’s environment or operations that may affect ePHI.

The Hall Render Advisory Services Advantage

The changes outlined in the Proposed Rule will require substantial time and attention from covered entities and business associates. Hall Render Advisory Services brings the experience and knowledge needed to help your organization navigate these changes. Our advisors have hands-on experience developing compliance policies and procedures, aligning business operations with IT security requirements and integrating HIPAA security into your governance framework and decision-making processes.

Our Approach

  1. Assess Your Current State: Many organizations fall short of current HIPAA requirements—only 14% of OCR investigations find full compliance. We start by evaluating your existing policies, procedures and security practices to identify where you stand.
  2. Provide a Gap Assessment Report: We deliver a detailed report outlining what’s needed to meet risk assessment requirements. This includes actionable insights to help build an effective, governance-driven risk management program.
  3. Determine How to Improve HIPAA Security: Our advisors create a tailored roadmap to guide your organization in prioritizing and implementing changes to your security processes. This plan is designed to fit your resources and enhance overall security compliance.

Performing risk assessments correctly is not just a regulatory requirement but a critical component of safeguarding patient data and sustaining trust. Organizations must commit to comprehensive, dynamic and expertly managed risk analysis processes to effectively protect ePHI and ensure compliance with HIPAA. Hall Render Advisory Services brings the knowledge, skills and experience to build a process to address your specific needs.

Contact us today to learn more about how we can build a review of your HIPAA security environment by starting with your risk assessment processes. We can help your organization improve its security posture quickly and at fixed-fee rates, structured to fit the size of your organization.

Hall Render and Hall Render Advisory Services blog posts and articles are intended for informational purposes only. For ethical reasons, Hall Render attorneys cannot—outside of an attorney-client relationship—answer specific questions that would be legal advice.

If you have any questions, please contact one of the following or your regular Hall Render Advisory Services consultant.

  • Daniel K. Cumberland, (443) 951-7050
  • Mark D. Branstetter, (615) 423-6651
  • Michael A. Latcha, (269) 207-6382
  • John M. Norling, (214) 615-2010