HIPAA/HITECH Security Risk Analysis Myths and Facts

onr-HIPAA-HostingAs we continue to work with more health care providers, covered entities, and business associates we see confusion about HIPAA/HITECH compliance requirements. Some providers are even in denial. They believe they are being compliant by just having staff take short on-line "HIPAA" training courses.  But that falls well short of what is required to be compliant, and many of these on-line training courses are not up to date with current HIPAA regulations, nor do they cover cyber-security, which is now a must have.

The US Department of Health and Human Services published the Guide to Privacy and Security of Health Information, which contains a table of  Myths and Facts on page 11.  It's worth a read for any health care provider.  There are several good pieces of information, but there are three you should make note of and consider.


  1. Performing a Security Risk Analysis (SRA) is MANDATORY, every health care provider with ePHI must perform a SRA.  Often referred to as a Risk Assessment, but MUST have the security part performed.
  2. You may NOT use a simple checklist to perform your Security Risk Analysis (Risk Assessment).
    1. The NIST Standard Risk Assessment has over 560 questions.
    2. Third Rock has reduced this down to a manageable number of 110 questions, but we can still provide you a complete risk assessment and scoring basis.
  3. If you want your SRA to withstand an audit by the ONC you need a professional third party to perform the SRA for you.
    1. 3rd parties bring credibility to the process.


HIPAA/HITECH Requirements

What the Myths and Facts table doesn't make clear are all of the requirements in the HIPAA/HITECH law that a provider must complete to be compliant.  Third Rock created their comprehensive solution to address all of these requirements. Here's a simple list of those requirements.

  1. Complete Risk Assessment
    • NIST Compliant Questionnaire (550+ questions) tailored to your practice (90 questions) to save time.
    • Includes the mandatory Security Risk Analysis
    • Complete Risk Assessment score, report and remediation list
    • Should be performed by a professional third party.
  2. Complete network discovery and network scan for compliance issues
    • HIPAA requires ALL devices to be inventoried.
    • Detailed remediation list created for all non-compliant devices.
  3. Policies and Procedures
    • Documents for each PHI related policy, w/CFR references and step by step procedures for operations to implement the policy.
  4. Change Management
    • Registers to log all changes in operations, security and devices.
  5. Contingency plan
    • You need a plan to keep your business operating during and after disruptive actions (emergencies, disasters, etc).
  6. Email encryption with recipient verification
    • Encryption alone does NOT solve the problem alone -- you must know the correct person received the message.
    • Make sure the solution uses the DIRECT protocol.
  7. Continuous Network Vulnerability and Compliance monitoring
    • You need to prevent breaches and know when they occur.
    • Third party monitoring keeps your IT department honest.
  8. HIPAA training: New employees, Refresher, Security Officer
    • Specific job responsibility training is required.
    • Training must include implementation and enforcement of the policies and procedures.

Hopefully, this will help you get started on the right foot in the right direction.  If you have any questions please contact us at  info@thirdrock.com.

To learn more about Third Rock's Worry Free Compliance please visit our web site.

Robert Felps
About the Author

Innovative problem solver. Robert Felps takes a holistic view of the situation, understanding the business objectives, then architects a solution that exceeds the expectations for much less than standard industry solutions would cost.

  1. Doug M.
    Jul 15, 2015 at 13:14

    Great post and very true. We were shocked what we found when we went through a Risk Assessment last year.

%d bloggers like this: