Why Risk Analysis is Required

Risk analysis is the foundation of HIPAA Security Rule compliance. The regulation at §164.308(a)(1)(ii)(A) requires covered entities and business associates to "conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information."

Key Point

Risk analysis failures are among the most common findings in OCR investigations and audits. Many organizations either don't perform risk analysis at all, or perform inadequate analyses that fail to meet regulatory requirements.

What Risk Analysis Enables

  • Identifies where ePHI is created, received, maintained, and transmitted
  • Identifies threats and vulnerabilities to ePHI
  • Assesses current security measures
  • Determines the likelihood and impact of threat occurrence
  • Determines risk levels
  • Drives risk management decisions

OCR Required Elements

HHS Office for Civil Rights (OCR) has provided guidance on the elements required in a HIPAA risk analysis:

The Nine Elements

  1. Scope: Include all ePHI, regardless of medium or location
  2. Data Collection: Identify where ePHI is stored, received, maintained, and transmitted
  3. Identify and Document Threats and Vulnerabilities: Identify reasonably anticipated threats and vulnerabilities
  4. Assess Current Security Measures: Assess current security measures used to safeguard ePHI
  5. Determine Likelihood of Threat Occurrence: Estimate probability that each threat will occur
  6. Determine Impact of Threat Occurrence: Estimate impact if threat successfully exploits vulnerability
  7. Determine Risk Level: Assign risk levels based on likelihood and impact
  8. Finalize Documentation: Document the risk analysis, including methodology and findings
  9. Periodic Review and Updates: Review and update as needed (technology changes, incidents, operational changes)

Risk Analysis Methodology

HIPAA doesn't mandate a specific methodology, but your approach must be "accurate and thorough." Common approaches include:

Qualitative Approach

Uses descriptive categories (High/Medium/Low) for likelihood and impact. Most common for HIPAA compliance.

  • Easier to understand and communicate
  • Requires less data
  • Sufficient for most organizations

Quantitative Approach

Uses numerical values and formulas. More complex but provides financial context.

  • Provides dollar estimates
  • Requires more data and expertise
  • Often combined with qualitative elements

Recommended Scales

Likelihood Description
High Threat source is highly motivated and capable; controls ineffective
Medium Threat source motivated and capable; controls may impede
Low Threat source lacks motivation or capability; controls prevent exercise
Impact Description
High Major breach of ePHI; significant regulatory/financial/reputational damage
Medium Moderate loss or disclosure; some damage but recoverable
Low Minor loss or exposure; minimal or no real damage

Step-by-Step Risk Analysis Process

Step 1
Define Scope and Boundaries
  • Document all systems that create, receive, maintain, or transmit ePHI
  • Include all physical locations
  • Include all workforce members with ePHI access
  • Include all technologies (workstations, servers, mobile devices, cloud services)
  • Include business associates and subcontractors
Step 2
Identify ePHI Assets and Data Flows
  • Create an inventory of systems containing ePHI
  • Map data flows (how ePHI moves through your environment)
  • Document data at rest locations (databases, file servers, backups)
  • Document data in transit paths (internal networks, internet, email)
  • Identify all access points to ePHI
Step 3
Identify Threats
  • Natural threats: Floods, earthquakes, fires, severe weather
  • Human threats (intentional): Hackers, malicious insiders, social engineering
  • Human threats (unintentional): Employee errors, misconfiguration, lost devices
  • Environmental threats: Power failures, HVAC failures
  • Technical threats: System failures, software bugs, malware
Step 4
Identify Vulnerabilities
  • Technical vulnerabilities (unpatched systems, weak configurations)
  • Administrative vulnerabilities (lack of policies, insufficient training)
  • Physical vulnerabilities (inadequate access controls, unsecured areas)
  • Use vulnerability scans, penetration tests, and interviews
  • Review previous audit findings and incident reports
Step 5
Assess Current Security Measures
  • Document existing controls for each safeguard area
  • Evaluate control effectiveness
  • Identify gaps against Security Rule requirements
  • Consider technical, administrative, and physical controls
Step 6
Determine Likelihood and Impact
  • For each threat-vulnerability pair, estimate likelihood of occurrence
  • Consider existing controls when assessing likelihood
  • Estimate impact to confidentiality, integrity, and availability
  • Consider individuals affected, regulatory consequences, financial impact
Step 7
Calculate Risk Level

Risk = Likelihood × Impact

Low Impact Medium Impact High Impact
High Likelihood Medium High Critical
Medium Likelihood Low Medium High
Low Likelihood Low Low Medium
Step 8
Document and Report
  • Document methodology used
  • Document all findings and risk ratings
  • Prioritize risks for treatment
  • Present to leadership for risk management decisions

Evidence Requirements

Your risk analysis must be documented and retained for 6 years. Evidence should include:

Process Evidence

  • Risk analysis methodology document
  • Scope definition
  • Interview notes and questionnaire responses
  • Vulnerability scan results
  • Network diagrams and data flow diagrams

Output Evidence

  • ePHI asset inventory
  • Threat catalog
  • Vulnerability list
  • Current controls assessment
  • Risk register with ratings
  • Risk analysis report

Ongoing Evidence

  • Review dates and outcomes
  • Update records when changes occur
  • Link to risk management/treatment decisions

Output Documentation

Your risk analysis output should be comprehensive and actionable.

Risk Analysis Report Should Include

  1. Executive Summary: High-level findings and critical risks
  2. Scope and Methodology: What was assessed and how
  3. ePHI Environment: Systems, data flows, access points
  4. Threat Assessment: Identified threats and relevance
  5. Vulnerability Assessment: Identified weaknesses
  6. Current Controls: Existing safeguards and effectiveness
  7. Risk Findings: Each risk with likelihood, impact, and rating
  8. Recommendations: Prioritized actions to address risks
  9. Appendices: Supporting documentation

Risk Register Format

Maintain a risk register tracking:

  • Risk ID
  • Risk description
  • Affected ePHI/systems
  • Threat source
  • Vulnerability
  • Existing controls
  • Likelihood (pre/post-control)
  • Impact
  • Risk level
  • Treatment decision
  • Treatment actions
  • Risk owner
  • Status

Common Risk Analysis Mistakes

1. Incomplete Scope

Problem: Missing systems, locations, or data flows

Solution: Start with comprehensive ePHI inventory; involve stakeholders across the organization

2. Using Generic Templates

Problem: Copying generic risks without considering your specific environment

Solution: Customize risk identification to your actual systems and operations

3. One-Time Exercise

Problem: Performing risk analysis once and never updating

Solution: Review annually at minimum; update when significant changes occur

4. No Documentation

Problem: Performing analysis but not documenting it

Solution: Document as you go; retain all evidence for 6 years

5. No Connection to Risk Management

Problem: Identifying risks but not treating them

Solution: Feed findings into risk management process; track treatment to completion

A good risk analysis isn't a paperwork exercise - it's a genuine assessment of what could go wrong with your ePHI and what you're doing about it. OCR investigators can tell the difference between checkbox compliance and a real security program.

HIPAA Risk Analysis Security Rule