May 21, 2013

Risk Analysis – a Critical Step One in Safeguarding e-PHI

For hospitals and other health care providers working to secure electronic protected health information (e-PHI), a comprehensive risk analysis is a critical first step. The draft guidance on risk analysis issued on May 7, 2010, by the Department of Health and Human Services’ Office for Civil Rights (OCR) offers a starting point to help hospitals and other providers identify and implement the most effective and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of e-PHI. The guidance, which is available online at www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/radraftguidanceintro.html, provides helpful insight into the expectations of OCR, the agency responsible for enforcing the HIPAA Privacy and Security Rules.

The HIPAA Security Rule has always required health care providers, health plans, and other covered entities to conduct an accurate and thorough analysis of potential risks to the confidentiality, integrity, and availability of e-PHI, but it does not specify how to go about conducting an effective assessment. The risk analysis requirement has received heightened attention recently in the wake of stronger enforcement provisions included in the HITECH Act for violations of the HIPAA Privacy and Security Rules, as well as the inclusion of this security measure in the “meaningful use” rules under which eligible health care providers can qualify for the electronic health record incentives program adopted last year.

OCR’s draft guidance recommends that organizations include the following key steps in their risk analysis:

  • Define the scope of the risk analysis.
  • Identify where e-PHI is stored, received, maintained, or transmitted.
  • Identify and document reasonably anticipated threats and vulnerabilities that could lead to improper disclosure and access.
  • Evaluate current security measures to safeguard e-PHI.
  • Determine the likelihood and impact of potential risks to the confidentiality, integrity, and availability of e-PHI.
  • Determine the level of risk for reasonably anticipated threats and vulnerabilities identified during the analysis.
  • Document the risk analysis.
  • Periodically review and update the risk analysis.

OCR’s guidance indicates that the risk analysis should be an ongoing process, so that new threats to the confidentiality, integrity, and availability of e-PHI are identified and the updates required by the Security Rule are implemented. The guidance recognizes that the frequency of the risk analysis will vary according to the specific needs and circumstances of each organization. It also wisely notes the value of incorporating risk analysis into front-end planning for an organization’s new technologies and operations. OCR’s reported plan to conduct compliance reviews for all HIPAA data breaches involving data for more than 500 individuals highlights the importance of implementing a continuing, comprehensive risk analysis.

© 2013 Poyner Spruill LLP. All rights reserved.

About the Author

Partner

Pam represents businesses and professionals in administrative and civil litigation and appeals pertaining to a wide variety of regulatory compliance issues and professional licensure, as well as rulemaking proceedings before the North Carolina Rules Review Commission. Pam’s health care practice focuses on certificate of need (CON) litigation and appeals; regulatory compliance and professional licensure matters; and matters involving compliance with HIPAA privacy and security rules, the HITECH Act, and other privacy laws. She has assisted both covered entities and business associates...
