The U.S. Department of Health and Human Services ("HHS") has issued draft guidance on the HIPAA Security Standards as they pertain to risk analysis.  The aim is to assist organizations in identifying and implementing the most effective and appropriate administrative, physical, and technical safeguards to secure electronic protected health information (also known as "ePHI").

The draft guidance is not intended to be a blueprint per se; rather, it clarifies expectations for organizations in meeting the HIPAA Security Rule's risk analysis requirement.

By way of background, the Security Rule requires entities to evaluate risks and vulnerabilities in their information system environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of ePHI.  Risk analysis, which the Security Rule requires, is the first step in that process and is a necessary tool for reaching substantial compliance with the standards and implementation specifications of the Security Rule.

The Security Rule describes two sets of implementation specifications: required and addressable.  Addressable implementation specifications are not optional. Rather, if, after conducting the risk analysis, the organization determines that an addressable implementation specification is not reasonable and appropriate, the organization must document why it is not reasonable and appropriate and adopt an equivalent measure if it is reasonable and appropriate to do so.

The draft guidance lays out the elements of the risk analysis and also defines certain terms not expressly defined in the Security Rule, such as "vulnerability," "threat," and "risk."

The draft guidance also provides pointers to resources developed by several federal and non-federal organizations that may be helpful to organizations developing and implementing risk analysis and risk management strategies.

Finally, the draft guidance expressly states that it is not to be interpreted in a manner inconsistent with the Security Rule; it merely provides clarification to those seeking to understand the risk analysis requirement.

