HIPAA Risk Analysis and Risk Management Program Considerations: Common Pitfalls

Healthcare Assessments | HIPAA Express

According to the United States Department of Transportation, more than 50% of the combined total of fatal and injury crashes occur at or near intersections. It makes sense then for drivers to take special care when navigating these spots on the road.

According to different statistics, we also know that over 90% of the Office for Civil Rights (OCR) HIPAA settlement actions regarding ePHI breaches involved findings of an insufficient risk analysis or risk management program. Similarly, it makes sense for liable organizations to place special concentration on those HIPAA requirements.

Having performed full HIPAA assessments for over 15 years and now having introduced our HIPAA Express service that focuses on that specific section of the rules, we’re going to provide some insight to make that special concentration possible.

In this article, we’ll do a deep dive into the risk requirements and highlight the general problems often found in risk analysis/risk management activities so that you can avoid them. Don’t be among that 90%: read on to help ensure HIPAA compliance.

What are the HIPAA Risk Requirements?

The applicable HIPAA requirements are listed below:

§164.308(a)(1)(ii)(A) (Risk Analysis)
Definition: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.
What It Means: You must perform a risk analysis; it is the first step toward risk management.

§164.308(a)(1)(ii)(B) (Risk Management)
Definition: Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).
What It Means: You should make informed decisions, based on the results of the risk analysis required in §164.308(a)(1)(ii)(A), to reduce your risk.

§164.306(a)
Definition: Covered entities and business associates must do the following: (1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits. (2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information. (3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part; and (4) Ensure compliance with this subpart by its workforce.
What It Means: The Risk Management requirement asks you to reduce risk; §164.306(a), broad as it is, essentially says that risks and vulnerabilities must be reduced to a reasonable and appropriate level across all the requirements in the HIPAA Security Rule.

Common Pitfalls in HIPAA Risk Analysis/Risk Management

As this language isn’t prescriptive, it often causes confusion—hence the aforementioned 90%.

The fact is, a high-level risk assessment isn’t enough. Many organizations believe it is, and they often fall victim to three common problems:

1. Scope is Too Small

In many of its breach investigations, the OCR found that the scope of systems covered in an organization’s risk analysis/management program failed to consider all places ePHI could be located in their environment.

The penalties for violations are so severe that it’s better to be safe than sorry—if you’re handling ePHI as part of your services provided, and you don’t know for sure which systems the ePHI is restricted to, you should assume that all systems in the environment are in scope for HIPAA.

At the end of the day, it’s very difficult to implement an effective risk analysis/risk management program without truly knowing how ePHI flows through your environment and which systems are involved. As such, identifying ePHI and the various systems it touches is the necessary first step in developing a HIPAA-compliant risk analysis/risk management program—we recommend first segmenting out the systems that could receive, transmit, or store ePHI.

2. Inadequate Risk Analysis

Figuring out the in-scope systems and the locations where ePHI is stored or could be stored will help ensure you perform a satisfactory risk analysis, but there are also some great resources to help you build your program that often fly under the radar:

A robust risk analysis built on the information in these tools prepares you for the next step, which is compliance with §164.308(a)(1)(ii)(B)—control implementation to reduce the risks to a level that is “reasonable and appropriate” for the HIPAA Security Rule requirements.

3. Lack of Formal Reassessment

But after all that, there’s another area among the requirements that a lot of organizations overlook:

§164.316(b)(2)(iii): Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information.

As we’ve laid out, you should complete a thorough risk analysis and then implement controls that address the identified risks to a “reasonable and appropriate” level, but you can’t simply forget about it afterward. You must have:

  • A formal process to reassess risk on a specified basis, as well as
  • A process to perform an updated analysis when substantial new risks are identified due to a major change in your environment.
    • Examples of such new areas of risk include newly introduced technologies or newly implemented business operations.

We’ve seen the OCR issue multiple fines to organizations that failed to incorporate new risks into their risk program, making it clear that these processes are expected and necessary to comply with HIPAA.

Ideally, you should do an annual reassessment, but the best-case scenario is to make an integrated risk analysis and management process part of your planning for new technology or business operations.

Avoid Non-Compliance with HIPAA Risk Analysis/Risk Management Requirements

Aside from these tips and different guidance, there’s another way you can help yourself avoid non-compliance with HIPAA risk requirements—you can undergo Schellman’s HIPAA Express assessment.

Designed specifically for healthcare providers and systems, this new service offering of ours focuses on HIPAA risk analysis and management to help organizations avoid falling victim to the OCR’s particular emphasis on these requirements. Because it is narrowly focused, it’s a scaled-down assessment, which means less burden on your budget and a shortened timeline.

You also receive a report that will help demonstrate your due diligence in this highly important area of HIPAA compliance, with information on your security and risk profile, which could be valuable in the event of an OCR investigation. To learn more about how this service can serve you, please contact us.

Next Steps for HIPAA Compliance

The importance of these HIPAA risk analysis/risk management requirements cannot be overstated. It’s very easy to fall into common shortcomings when establishing compliance, so you should prioritize these risk requirements—not just to preserve your compliance with HIPAA, but also to possibly avoid being fined for a breach.

You now have some extra information to help inform your approach, including a brand new assessment option, should you so choose. As you consider the guidance tools out there and begin to strengthen your reassessment protocols, read our other articles that can both help you avoid violations and provide an incentive to do so:

About Doug Kanney

Doug Kanney is a Principal at Schellman based in Columbus, Ohio. Doug leads the HITRUST and HIPAA service lines and assists with methodology and service delivery across the SOC, PCI-DSS, and ISO service lines. Doug has more than 17 years of combined audit experience in public accounting. Doug has provided professional services for multiple Global 1000, Fortune 500, and regional companies during the course of his career.