HIPAA Security Risk Analysis
All ePHI associated with a covered entity must be protected as specified in the rules and regulations
under the HIPAA / HITECH Security Rule as defined by the OMNIBUS RULE. This includes determining whether any
vulnerabilities exist in the systems used to manage ePHI that could put the confidentiality, integrity or
availability of this information at risk.
In addition, measures must be taken to secure this information against any reasonably anticipated threats
that can be predicted from known factors, reducing the risk to a reasonable level.
Security Risk Analysis is the first step toward achieving this goal, and it helps to avoid being
sanctioned or fined during HIPAA audits.
Given the looming September deadline listed in the OMNIBUS RULE, now is a good time to review and
update your risk analysis and risk assessment plan before HIPAA / HITECH goes into effect. The Security
Rule does not require that any specific method of analysis be used, since HHS recognizes that different types of
analysis are appropriate for different types of covered entities, business associates, and the specifics
of the ePHI.
If you are applying for Medicare / Medicaid incentive funds, then you also have to demonstrate
compliance with the Meaningful Use criteria. Meaningful Use Core Measure 15 is concerned with risk
analyses. This measure is met by conducting a security risk assessment and correcting any identified
One area that many covered entities fail to attend to is ensuring that all updates are installed as they are
released. It is the responsibility of the covered entity and any business associates to ensure that the most
recent version of the software used for risk analyses is in use. While most programs will
automatically install updates or send a notification when updates are available, some may not.
Software that is not the most recent version may respond to requests for risk analyses based on old
definitions and factors. Should this occur, it is possible that subsequent risk analyses will be based only on
factors derived from old definitions and will not be capable of looking for newer threats.
This places covered entities at increased risk of breaches and may result in significant fines during HIPAA
audits. Additionally, this may result in failing to meet the objectives of Meaningful Use Core Measure 15,
resulting in the inability to pass the required number of Meaningful Use areas necessary for receiving
It is also crucial that all business associates (BAs) are fully compliant with the Security Rule and conduct
regular risk analyses. They must also put corrective action in place to bring risk levels down to what is
considered a “reasonable” level. In this case, reasonable would be defined in the BA contract. Similarly,
BAs must use the most recent version of software programs, so that each risk assessment is based on
the newest definitions or factors, increasing the accuracy of the results.
Covered entities cannot automatically assume there is a correlation between when updates are released
for the software they use and when updates are released for the software used by BAs. It is possible that
each BA is using a different methodology for conducting risk analyses, as well as different software,
depending on the functional capacity it provides for the covered entity. For more info please visit our