HIPAA Security Rule Risk Analysis/Assessment + OCR Audit Protocols
The HIPAA Security Rule at 45 CFR 164.308(a)(1)(ii)(A), Risk Analysis, requires a covered entity or business associate to “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”
The updated Audit Protocols published by the Office for Civil Rights (OCR) in April 2016, found at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/, include a section on HIPAA Security risk analysis and assessment. The Audit Inquiry column of the protocols (the instructions to the auditor) for the CFR section above outlines what your organization will need to show OCR not if, but when your organization is audited:
Does the entity have policies and procedures in place to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all the electronic protected health information (ePHI) it creates, receives, maintains, or transmits?
Has the entity conducted an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all the ePHI it creates, receives, maintains, or transmits?
Determine how the entity has implemented the requirements.
Obtain and review risk analysis policies and procedures. Evaluate and determine if written policies and procedures were developed to address the purpose and scope of the risk analysis, workforce member roles and responsibilities, management involvement in risk analysis and how frequently the risk analysis will be reviewed and updated.
Obtain and review the written risk analysis or other record(s) that documents that an accurate and thorough assessment of the risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI has been conducted. Evaluate and determine whether the risk analysis or other documentation contains:
• A defined scope that identifies all of its systems that create, receive, maintain, or transmit ePHI
• Details of identified threats and vulnerabilities
• Assessment of current security measures
• Impact and likelihood analysis
• Risk rating
Obtain and review documentation regarding the written risk analysis or other documentation that immediately preceded the current risk analysis or other record, if any. Evaluate and determine if the risk analysis has been reviewed and updated on a periodic basis, in response to changes in the environment and/or operations, security incidents, or occurrence of a significant event.
If there is no prior risk analysis or other record, obtain and review the two (2) most recent written updates to the risk analysis or other record, if any. If the original written risk analysis or other records have not been updated since they were originally conducted and/or drafted, obtain and review an explanation as to the reason why.
Practically, your organization will need to have at least the following to provide to OCR for an audit or investigation:
- Policies and procedures that state how your organization conducts an assessment, what your methodology is, who does the assessment, and how often your organization performs a risk analysis and assessment; and
- The risk analysis and assessment documentation for 2016, 2015 and before, that includes:
- All your organization’s systems that create, receive, maintain or transmit ePHI
- The details of the threats and vulnerabilities specific to your organization
- An outline and assessment of your organization’s current security measures and controls
- An analysis of the impact and likelihood of the specific threats and vulnerabilities
- A risk rating of your organization’s threats and vulnerabilities; and
- The documentation your organization developed before doing the risk analysis and assessment, such as the inventory of all your organization’s systems and tools (tablets, laptops, and clinical devices connected to your organization’s network) that create, receive, maintain or transmit ePHI.
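The list above is what an auditor cross-checks: every system in the ePHI inventory must appear in the risk analysis, each entry needs an assessment of current controls, and each needs a likelihood, impact and rating. The following is an added example (not from the OCR protocol or the article) of a small risk-register check that performs that cross-check over a constructed inventory and register. The three-level qualitative scale and the rating buckets (likelihood × impact, 1–2 Low, 3–5 Medium, 6–9 High) are assumptions; use whatever methodology your policies and procedures document.

```python
"""Added example: cross-check an ePHI system inventory against a risk register.

Assumptions (not from the page): a low/medium/high qualitative scale for
likelihood and impact, and rating = likelihood * impact bucketed into
Low (1-2), Medium (3-5) and High (6-9).
"""
from __future__ import annotations

from dataclasses import dataclass

LEVELS = {"low": 1, "medium": 2, "high": 3}  # assumed qualitative scale


@dataclass
class RiskEntry:
    """One row of the risk analysis: the fields the audit protocol asks for."""
    system: str            # must match an entry in the ePHI inventory (scope)
    threat: str
    vulnerability: str
    current_controls: str  # assessment of current security measures
    likelihood: str        # low / medium / high
    impact: str            # low / medium / high

    def rating(self) -> str:
        """Qualitative risk rating from the assumed likelihood x impact scale."""
        score = LEVELS[self.likelihood] * LEVELS[self.impact]
        if score >= 6:
            return "High"
        if score >= 3:
            return "Medium"
        return "Low"


def check_register(inventory: list[str], register: list[RiskEntry]) -> dict:
    """Return {'findings': [...], 'ratings': {(system, threat): rating}}.

    A finding is anything an auditor would flag: a scope gap (inventoried
    system with no risk entry), a stale inventory, a missing assessment of
    current controls, or an unrated entry.
    """
    findings: list[str] = []
    ratings: dict[tuple[str, str], str] = {}
    covered = {e.system for e in register}

    for system in inventory:
        if system not in covered:
            findings.append(f"{system}: in ePHI inventory but absent from risk analysis (scope gap)")

    for e in register:
        if e.system not in inventory:
            findings.append(f"{e.system}: in risk analysis but not in ePHI inventory (inventory stale?)")
        if not e.current_controls.strip():
            findings.append(f"{e.system} / {e.threat}: no assessment of current security measures")
        if e.likelihood not in LEVELS or e.impact not in LEVELS:
            findings.append(f"{e.system} / {e.threat}: likelihood/impact not rated on the defined scale")
            continue
        ratings[(e.system, e.threat)] = e.rating()

    return {"findings": findings, "ratings": ratings}


# Constructed sample data (not from any real organization).
SAMPLE_INVENTORY = ["EHR database server", "Nurse tablets", "Backup NAS", "Infusion pumps"]

SAMPLE_REGISTER = [
    RiskEntry("EHR database server", "ransomware", "RDP reachable from user VLAN",
              "nightly offline backups; endpoint detection on server", "medium", "high"),
    RiskEntry("Nurse tablets", "lost or stolen device", "no full-disk encryption",
              "", "high", "high"),                      # controls never assessed
    RiskEntry("Backup NAS", "unauthorized access", "default administrator credentials",
              "NAS on segmented management VLAN", "medium", "medium"),
    # "Infusion pumps" is inventoried but has no entry: a scope gap.
]


if __name__ == "__main__":
    result = check_register(SAMPLE_INVENTORY, SAMPLE_REGISTER)
    for key, rating in result["ratings"].items():
        print(f"{key[0]} / {key[1]}: {rating}")
    for finding in result["findings"]:
        print("FINDING:", finding)
```

Run against the constructed sample, the check reports two findings (the uninventoried infusion pumps and the tablet entry with no controls assessment) and rates the EHR and tablet entries High and the NAS entry Medium. The findings are exactly the items an auditor would request an explanation for, so the same script, run before each periodic update, tells you whether the register still matches the inventory after new devices or services are added.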
Note: the OCR Audit Protocols in all three HIPAA areas (security, privacy and breach notification) can be used to outline the documentation your organization will need when you are audited, and if you are investigated.
In conclusion: OCR is asking each covered entity and each business associate to conduct a HIPAA Security Risk Analysis/Assessment each year, and to update it whenever the environment changes, identifying your organization’s risks and vulnerabilities and documenting how your organization will mitigate, or has mitigated, the risks and vulnerabilities specific to your organization (the companion Risk Management standard at 45 CFR 164.308(a)(1)(ii)(B)).
Don’t forget there will be new risks and vulnerabilities during each year as your organization adds or changes services, adopts new technology and tools, or moves to a new office or building.