HIPAA: A Gap Analysis is not a Risk Analysis for ePHI

When it comes to complying with the Health Insurance Portability and Accountability Act (HIPAA) requirements for electronic protected health information (ePHI), don’t confuse a gap analysis with a risk analysis, the HHS Office for Civil Rights (OCR) reminds healthcare providers and other covered entities in its April 2018 cybersecurity newsletter.

A gap analysis can help an organization spot areas where ePHI privacy and security controls are missing, but it is not a substitute for the comprehensive risk analysis, and the risk management plan that follows from it, required under the HIPAA Security Rule.

The HIPAA Security Rule requires covered entities and their business associates to “conduct a thorough and accurate assessment of the risks and vulnerabilities to ePHI” (45 CFR § 164.308(a)(1)(ii)(A)) as the first step toward selecting and implementing appropriate safeguards in their practices and institutions. Some organizations believe they have done all the work needed to know where their ePHI protections must improve when, in fact, what they have completed is only a gap analysis. That work is only the beginning of the more detailed and in-depth examination a risk analysis requires, and it does not by itself satisfy the rule, the bulletin notes.

While useful, a gap analysis provides only a “high level overview of the controls in place that protect ePHI without engaging in the comprehensive evaluation required by a risk analysis,” according to the bulletin. A gap analysis is a narrower review that checks whether particular safeguards required by the Security Rule are present. A risk analysis identifies the specific threats, vulnerabilities and resulting risks across the whole enterprise so that the organization can then implement the changes needed to reduce those risks to a reasonable and appropriate level.

Although the Security Rule does not require a specific methodology or format for the risk analysis, it does require that certain elements be incorporated. The key elements, summarized here and described in more detail below, are:

  • The risk analysis should be wide in scope, covering all of an entity’s ePHI regardless of the electronic medium or where it is created, received, maintained or transmitted.
  • Entities should consider every location and information system that handles ePHI, including workstations and servers, applications, mobile devices, communications equipment and networks.
  • Although the Security Rule does not dictate a frequency, risk analysis is an ongoing process and should be reviewed and updated regularly.
  • Documentation of the risk analysis should demonstrate that it was conducted in an accurate and thorough manner.
  • Organizations should assess and assign risk levels to the vulnerabilities identified so that resources and corrective actions can be prioritized toward the most significant problems first.
  • The risk analysis should identify non-technical as well as technical vulnerabilities, including incorrectly implemented or configured information systems.


Risk Analysis: The Security Rule does not require a specific methodology for assessing risks to ePHI, nor a specific format for risk analysis documentation. There are, however, elements common to any sound risk analysis that an entity’s process should incorporate.

Scope: The risk analysis should consider the potential risks to all of an entity’s ePHI, regardless of the particular electronic medium in which it is created, received, maintained or transmitted, and regardless of the source or location of that ePHI.

Data Collection: When considering the potential risks to its ePHI, an entity should identify all of the locations and information systems where ePHI is created, received, maintained or transmitted. The inventory should cover not only workstations and servers but also applications, mobile devices, electronic media, communications equipment and networks, as well as physical locations.

Identify and Document Potential Threats and Vulnerabilities: Identify non-technical as well as technical vulnerabilities. Technical vulnerabilities include holes, flaws or weaknesses in information systems, and systems that are incorrectly implemented or configured; non-technical vulnerabilities include ineffective or non-existent policies, procedures, standards or guidelines.

Assess Current Security Measures: Assess and document the effectiveness of the controls already in place, for example encryption, anti-malware solutions or patch management processes.

Determine the Likelihood and Potential Impact of Threat Occurrence: Determine and document the likelihood that a given threat will trigger or exploit a given vulnerability, and the impact on the confidentiality, integrity or availability of ePHI if it does.

Determine the Level of Risk: Assess and assign a risk level to each threat and vulnerability combination identified by the risk analysis. Risk levels show the entity where the greatest risk lies, so that resources for reducing it can be prioritized accordingly.

Documentation: Although the Security Rule does not specify a form or format for risk analysis documentation, the documentation should contain enough detail to demonstrate that the entity’s risk analysis was conducted in an accurate and thorough manner. If a covered entity or business associate submits a risk analysis lacking sufficient detail in response to an OCR audit or enforcement activity, additional documentation may be required to demonstrate that the risk analysis was in fact conducted accurately and thoroughly.

Review and Update: Risk analysis is an ongoing process that should be reviewed and updated regularly. Although the Security Rule does not prescribe a frequency, risk analysis and risk management work best when integrated into the entity’s business processes so that new risks are identified and addressed in a timely manner.


Gap Analysis: A gap analysis typically provides only a partial assessment of an entity’s enterprise. It is often used to give a high-level overview of which controls are in place to protect ePHI, or to identify potential gaps where controls are absent. Gap analyses may also be used to review an entity’s compliance with particular standards and implementation specifications of the Security Rule, but they do not identify and rate the specific threats and vulnerabilities that a risk analysis must.


Reference: https://www.hhs.gov/sites/default/files/cybersecurity-newsletter-april-2018.pdf