HHS publishes new guidance on conducting risk analysis

Under the administrative safeguard provisions of the HIPAA Security Rule, covered entities are required to perform a risk analysis, specifically to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.” (45 CFR §164.308(a)(1)(ii)(A)) While this has been a requirement for HIPAA-covered entities since the security rule went into effect in 2005, it has received renewed attention due to stronger enforcement provisions in the HITECH Act and its inclusion as the single security-related measure included in the “meaningful use” rules under which eligible healthcare providers and professionals can qualify for financial incentives to acquire and implement electronic health record (EHR) technology. Following the passage of the HITECH Act, HHS delegated responsibility for enforcement of the security rule to the HHS Office for Civil Rights (OCR); OCR was already responsible for enforcement of the HIPAA Privacy Rule. Part of OCR’s enforcement role includes issuing guidance to covered entities on compliance with the requirements in the Security Rule, and OCR recently published new draft guidance on risk analysis. This may be informative for covered entities in general, and should represent at least a staring point for providers and professionals seeking to demonstrate meaningful use.

The draft guidance issued by OCR relies in large part on references to existing risk management and risk assessment approaches and guidelines contained in several NIST Special Publications, only one of which is specific to HIPAA (Special Publication 800-66, Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule). The most relevant of these NIST guidance documents are Special Publication 800-30, Risk Management Guide for Information Technology Systems, and Special Publication 800-115, Technical Guide to Information Security Testing and Assessment. The HHS Office of the National Coordinator (ONC) also produced a security practice guide for small health care practices in 2008 that serves as a sort of primer for health care providers who need to understand the basic security considerations relevant to their practices, and includes a number of references to more detailed information and guidance materials. Although the ONC small practice guidance document is linked from the new OCR draft guidance, health care practices of any size should not rely on the ONC document alone, as it does not reflect considerations related to the HITECH Act, including meaningful use.

One limitation of the existing government guidance applicable to risk analysis is that substantially all of the guidance is written in a way that focuses on risk assessments of individual information systems, not on organizations overall. This limitation is important because the risk analysis requirement under the HIPAA Security Rule is not limited to systems used by covered entities, but instead address risks to any protected health information held by the organization. It seems reasonable to assume that despite the emphasis of the meaningful use rules on EHR systems, the scope for a risk analysis conducted to satisfy the meaningful use measure should address all potential risks to health information the organization has, not just the data associated with an EHR system. Also, as is likely not lost on private sector health care organizations, there are many sources of risk management and risk analysis guidance outside of materials produced by the U.S. federal government, notably including the ISO/IEC 27000 series of international standards, which covers risk assessment and risk management for information systems, particularly in ISO/IEC 27005 and the risk assessment section of ISO/IEC 27002. Organizations looking for more enterprise-level perspectives on assessing and managing risk can find relevant guidance in ISO 31000, within major IT governance frameworks such as ISACA’s Risk IT Framework based on COBIT or the Risk Management section of the Information Technology Infrastructure Library (ITIL).