HIPAA Risk Assessment vs. Risk Analysis
The Health Insurance Portability and Accountability Act (HIPAA) is a dense body of healthcare law and a frequent source of confusion.
In point of fact, one of the most befuddling aspects of HIPAA is the difference
between HIPAA risk analysis and HIPAA risk assessment. To be a
truly adept healthcare professional you must understand the subtle distinction between the two
principles. On a more pragmatic note, understanding the two principles is
paramount to surviving the second phase of the Office for Civil Rights' HIPAA
audit.
HIPAA risk analysis and risk assessment are concepts that may seem to be
identical. This is largely due to the near-synonymous meaning of the words
"assessment" and "analysis". Yet while the words may be closely aligned, they must
remain sharply distinct for healthcare professionals.
While the two words may be similar, they differ in application. HIPAA
dictates that both a risk analysis and a risk assessment be performed.
This is outlined clearly under its Security Rule. Comprehensive HIPAA
compliance training can help staff understand the difference between the two.
HIPAA risk analysis is used to secure electronic protected health information. Specifically,
HIPAA states in 164.308(a)(1)(ii)(A) that a
covered entity and/or business associate shall "conduct an accurate and
thorough assessment of the potential risks and vulnerabilities to the
confidentiality, integrity, and availability of electronic protected health
information" that they might hold.
Therefore, risk analysis is an imperative for covered entities, who are required by law to be in compliance with HIPAA. Its goal is to ensure that organizations meet the risk analysis requirement. In doing so, it aids them in their investigations into waste, fraud and abuse, as well as into flaws or errors in how they handle electronic protected health information. Risk analysis is effectively at the epicenter of the HIPAA Security Rule and is, for lack of a better analogy, the quintessential aspect of HIPAA compliance.
Turning to risk assessment: risk assessment is found in HIPAA under the definition of
"breach" in the Breach Notification Rule. It is a
process that every healthcare institution must carry out to evaluate
whether there is a low probability that electronic protected health
information has been compromised. The result in turn helps the institution decide whether the breach
notification requirements must be carried out.
The Breach Notification Rule lists
at least four factors that the risk assessment must consider: the type
and extent of the electronic protected health information involved; the identity of the
person who accessed the electronic protected health information in an
unauthorized manner; whether the electronic protected health information was
actually acquired or viewed; and the extent to which the risk to the
electronic protected health information has been mitigated.
Ultimately, the best way to understand
risk analysis and risk assessment is this: they are applied differently,
but both are mandated by the HIPAA Security and Privacy Rules and by the Breach
Notification Rule, and both are needed to remain compliant during a HIPAA audit.
The best way to approach this is to ensure that all employees who are involved
in compliance take the Certified HIPAA Privacy Security Expert certification.
This HIPAA compliance training will ensure that the team understands all
requirements under the regulation and takes the necessary steps to make the company
compliant.