The HI-TECH Act created a new requirement that the Department of Health and Human Services (HHS) issue annual guidance on certain provisions of the HIPAA Security Rule. On May 7, 2010, HHS issued the first in a series of guidance documents entitled: “HIPAA Security Standards: Guidance on Risk Analysis.”

HHS states that the Guidance “clarifies the expectations of [HHS]” regarding meeting the risk analysis requirements in the Security Rule. A risk analysis is expressly required by the Security Management Standards (45 CFR 164.308) of the Security Rule and the Guidance also explains that HHS believes a risk analysis is required in order for a Covered Entity or Business Associate to assess the “addressable” implementation specifications contained in standards throughout the Security Rule. HIPAA allows for a flexible approach in performing a risk analysis that is tailored to the size and nature of the organization. However, the Guidance does provide a list of certain required elements of a risk analysis and a description of what is expected for each requirement. The required elements include:  

  • Proper Scope of Analysis  
  • Data Collection  
  • Identify and Document Potential Threats and Vulnerabilities  
  • Assess Current Security Measures  
  • Determine the Likelihood of Threat Occurrence  
  • Determine the Potential Impact of Threat Occurrence  
  • Determine the Level of Risk  
  • Finalize Documentation  
  • Periodic Review and Updates to the Risk Analysis.

The Guidance also adds new definitions of “vulnerability,” “threat,” and “risk,” which are terms not currently defined in the HIPAA regulations.

This new requirement for issuance of this Guidance was included in the HI-TECH Act provisions making certain Security Rule standards applicable to Business Associates (Section 13401 of the HI-TECH Act). However, those Security Rule standards have long been applicable to Covered Entities and the Guidance is equally applicable to both Covered Entities and Business Associates.

The Security Rule requires organizations to update and document security measures “as needed.” Importantly, the Guidance explains that in order to satisfy this requirements organizations should “conduct continuous risk analysis to identify when updates are needed.” Further, in addition to making “as needed” changes, the Security Rule requires organizations to conduct periodic risk analysis. Neither the Security Rule nor the Guidance proscribe a time period required for periodic risk analysis. However, the Guidance states that a “truly integrated risk analysis and management process is performed as new technologies and business operations are planned” and explains that in the following situations “the potential risk should be analyzed to ensure the e-PHI is reasonably and appropriately protected”:

  • After a security incident  
  • Upon a change in ownership  
  • Upon turnover in key staff or management  
  • When planning to incorporate new technology

The Guidance on Risk Analysis is issued in draft form. HHS is accepting comments for consideration on these materials. Comments may be submitted to HHS via email: OCRPrivacy@hhs.gov. No time period for comment submission was announced by HHS.