Risk Analysis is the Cornerstone of Compliance

During HHS's phase one audits, OCR reported that two-thirds of covered entities had not performed an "adequate" risk analysis and therefore "have not identified the risks and vulnerabilities of their environment and, therefore, are failing to adequately safeguard ePHI." According to guidance from HHS,

"Risk analysis is the first step in an organization’s Security Rule compliance efforts. Risk analysis is an ongoing process that should provide the organization with a detailed understanding of the risks to the confidentiality, integrity, and availability of e-PHI."

The HIPAA Security Rule risk analysis is also a core requirement of meaningful use attestation. Learn more about risk analysis on our resources page.

Use our HIPAA FLIGHTPLAN compliance management software to get control of your risk analysis and your entire Security Rule compliance program.

[Chart: CEs with an Adequate Risk Analysis. Source: HHS / OCR, September 2014 NIST/OCR Security Conference]

Look Beyond your EHR Software

While EHR software typically holds the majority of ePHI in an organization, only 5% of the ePHI breaches affecting 500 or more individuals involved the EHR software. The bulk of those breaches (95%) involved some other device that stored or provided access to ePHI. Mobile devices alone accounted for 42% of breaches.

A thorough and accurate risk analysis takes into consideration everywhere ePHI lives and moves in your environment. Think through your daily operations that involve ePHI and look for less obvious places where ePHI may reside or be transmitted. Then consider which threats and vulnerabilities apply to each of those ePHI locations and data flows.

When considering the risks that threaten the security of your ePHI, remember that security covers three areas: confidentiality, integrity, and availability. For example, if your EHR is hosted in the cloud and you have only a single internet connection, how will your ePHI remain available during an extended outage of your internet service?

Need help? Consider our coaching and consulting services.

[Chart: Location of 500+ ePHI Breaches. Source: HHS / OCR, September 2014 NIST/OCR Security Conference]