There are many reasons a healthcare entity dealing with protected health information (“PHI”) should conduct a risk analysis. First and foremost, if conducted properly, a risk analysis should identify PHI-containing systems, assess vulnerabilities of those systems, evaluate and prioritize risks to those systems, and assist in developing mitigation strategies to safeguard the systems. These on-going efforts can help ensure adequate protection of patients’ health information.
Second, conducting a risk analysis has been required by HIPAA since issuance of the Security Rule. While many healthcare entities did not take this requirement seriously, the passage of the HITECH Act in 2009 increased penalties and enforcement under HIPAA. Based on enforcement data over the past few years, it is clear that the Office for Civil Rights (“OCR”), the arm of the U.S. Department of Health and Human Services (“HHS”) with enforcement authority under HIPAA, is taking this issue seriously by imposing severe civil monetary penalties on healthcare entities of all shapes and sizes. In short, OCR’s position is that failing to conduct a HIPAA risk analysis is unreasonable. The Office has issued guidance on conducting a risk analysis here.