The Office for Civil Rights (OCR), the enforcement arm for HIPAA compliance, clarified a critical distinction between risk-assessment types in its April 2018 Cybersecurity Newsletter, “Risk Analyses vs. Gap Analyses – What is the difference?”
This is important to note because it signals the OCR’s awareness of a glaring disconnect regarding the risk analysis requirement among providers, HIPAA consulting services and the health care industry as a whole.
All too often, consultants and software vendors promote a “risk assessment” as part of their services in lieu of a bona fide “risk analysis.” The two terms sound similar; however, they are entirely different things. A risk analysis is not only required by the Security Rule (45 CFR §164.308(a)(1)(ii)(A)), it is paramount to your HIPAA compliance efforts, while a risk assessment is merely a “gap analysis” and not a requirement at all. Furthermore, performing a risk assessment alone might carry negative legal ramifications in the event you face an audit.
Confusion persists because the term “assessment” is used on many occasions in the context of both a risk assessment and risk analysis throughout HIPAA literature. To make matters worse, HealthIT.gov has a free Security Risk Assessment Tool available for download and people incorrectly assume using the tool constitutes a risk analysis because it was created by a government entity.
In fact, software vendors regularly duplicate the free tool, add bells and whistles to it, and then sell their product as if it includes a risk analysis feature—when the actual feature is a risk assessment.
In an attempt to bring clarity, the OCR’s recent Cybersecurity Newsletter uses the following language to define Risk Analysis and risk assessment.
Risk analysis
A comprehensive evaluation of a covered entity or business associate’s enterprise to identify electronic protected health information (ePHI) and the risks and vulnerabilities to the ePHI. The risk analysis is then used to make appropriate modifications to the ePHI system to reduce these risks to a reasonable and appropriate level.
Risk assessment (aka. gap analysis)
A narrowed examination of a covered entity or business associate’s enterprise to assess whether certain controls or safeguards required by the HIPAA Security Rule are implemented. A gap analysis can also provide a high-level overview of the controls in place that protect ePHI, without engaging in the comprehensive evaluation required by a risk analysis.
The law firm of McDermott Will & Emery published a fantastic Report titled The Continuing Disconnect between the Health Care Industry and OCR on HIPAA’s Risk Analysis Requirement. Within the Report you will find recent OCR audit results, what the OCR considers to be a compliant Risk Analysis, and what is clearly not considered to be compliant. The full Report can be found at https://www.jdsupra.com/legalnews/on-the-subject-the-continuing-22726/.
Your next step is to immediately ask your HIPAA consultant or software vendor to provide proof you are compliant with the Risk Analysis requirement. If you discover a risk assessment (gap analysis) is what you have been doing instead, ask for help in completing a bona fide Risk Analysis, or find another vendor who can. HIPAA compliance is clearly a buyer-beware market: you are the buyer, so you must be aware.
Jeff Brown, DC, is obsessed with creating time-saving HIPAA compliance software. Brown’s career spans private practice, compliance consulting, and software product management for three healthcare technology companies. He is a co-founder of HIPAAmate—compliance software designed and priced for small practices—and can be contacted at 614-706-2066, hipaamate@gmail.com, or through hipaamate.com.