OCR drafts guidelines for security risk analysis

By Mary Mosquera

The Health & Human Services Department published draft guidance to help healthcare providers and payers understand what is expected of them when performing a risk analysis of their protected patient health information.

The security rule of the Health Insurance Portability and Accountability Act (HIPAA) requires that providers, payment plans and their business associates perform a risk assessment, but does not prescribe a method for doing so, according to draft guidance from HHS' Office of Civil Rights (OCR). The HITECH Act directed that OCR oversee health information privacy.

Risk analysis is an ongoing process that helps organizations identify the risks to the confidentiality, integrity and availability of protected health information. Once that risk is gauged, organizations can put practices in place, for instance, to identify what data should be authenticated in particular situations, to decide when and how to use data encryption and to improve employee screening processes to reduce risk.

A risk analysis is also the basis for organizations' understanding of the technologies they will need to secure protected health information, OCR said in the draft guidance May 7.

The guidance is not intended as a one-size-fits-all blueprint for compliance with the risk analysis requirement, but "to clarify the expectations of the department for organizations working to meet these requirements," OCR said.

Among the basic elements of a risk analysis, OCR said, organizations must identify their data collections, document threats to that information that could create a potential for inappropriate disclosure, and assess the current security measures the organization uses to protect patient information.

More information about risk analysis is online here.