
Interpreting rules for a HIPAA security risk analysis

Allen Zuk reviews how solution providers can conduct a risk analysis that will help customers acquire grant funding for electronic medical records (EMR) technology.

Amid increased pressure to transition to electronic medical records (EMR), health care providers -- including hospitals, clinics and private practices -- find themselves seeking financial support to help offset the significant cost of implementing EMR technology. To acquire EMR-related incentive and grant funding, health care customers must prove they are compliant with associated HIPAA rules.

In this tip, we'll briefly look at HIPAA rule 45 CFR 164.308(a)(1), a rule focused on risk analysis and management. By providing guidance with the regulation and assisting or conducting a HIPAA security risk analysis, VARs can enhance their HIPAA-related security services and find ways to help clients develop a business case and, in turn, receive funding.

What is HIPAA Rule 45 CFR 164.308(a)(1)?
The rule became an extension to the HIPAA program through another mandate, the HITECH Act. The Health Information Technology for Economic and Clinical Health Act (HITECH) is part of the American Recovery and Reinvestment Act of 2009 (ARRA). The ARRA contains incentives related to health care information technology, with specific incentives designed to accelerate the adoption of electronic health record (EHR) systems among providers and to foster the conversion of paper or hard-copy documents to electronic medical records (EMR).

45 CFR 164.308(a)(1) is made up of the following components:

  • 164.308(a)(1)(i) -- Security Management Process
  • 164.308(a)(1)(ii)(A) -- Risk Analysis
  • 164.308(a)(1)(ii)(B) -- Risk Management
  • 164.308(a)(1)(ii)(C) -- Sanction Policy (enforcement)
  • 164.308(a)(1)(ii)(D) -- Information System Activity Review

Of particular note is 164.308(a)(1)(ii)(A) -- Risk Analysis -- referencing the need for health care providers to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information held by the covered entity. So what does that mean?

How solution providers can help health care providers meet HIPAA 45 CFR 164.308(a)(1)
VARs should readily step up to the challenge by providing health care providers with a comprehensive capability statement highlighting their experience with security risk assessments. VARs also need to be completely conversant with the NIST guidelines, especially SP 800-30, 800-37, 800-53 and 800-66. These documents from the federal technology agency provide standards and frameworks for conducting a security risk analysis. The following are brief explanations of the NIST guidelines:

  • NIST SP 800-30 (Risk Management Guide -- Information Security): Provides risk management guidance for implementing security controls.
  • NIST SP 800-37 (Applying Risk Management Framework -- Information Security): Provides guidance for implementing a comprehensive risk management framework for measuring and monitoring the effectiveness of security controls that have been implemented.
  • NIST SP 800-53 (Recommended Security Controls -- Information Systems): Provides security control guidelines and recommendations for implementing information security controls.
  • NIST SP 800-66 (HIPAA Security Rule -- Information Security): Provides introductory information and guidance for HIPAA information security rules and requirements.

By leveraging the guidelines referenced above, clients and VARs can work together to prepare, plan, outline and conduct a security risk assessment, document the information collected, analyze the identified threats and develop a mitigation strategy.

There are fundamental components of any assessment: understanding what controls are currently in effect, determining the impact of likely events (from viruses to natural disasters), and documenting exposures and vulnerabilities, not only in systems but also in processes. The assessment work program should be made up of questions that warrant a yes or no response, each accompanied by an explanation for that response. These questions should cover the controls implemented to safeguard the systems and information, as well as the physical facility and its surrounding environment(s).
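The work program described above, as an added illustration that is not part of the original tip or of any NIST publication: a small Python model of a yes/no assessment with mandatory explanations, where each control answered "no" becomes a risk-register entry rated on a qualitative likelihood-by-impact matrix. The three-level scales and the score thresholds are simplifications chosen here (they follow the spirit of SP 800-30 but are not its exact tables), and the sample questions, threats and ratings are constructed for the example.

```python
"""Toy HIPAA security risk analysis work program (constructed example).

Models the structure of a 164.308(a)(1)(ii)(A)-style assessment:
  * yes/no questions about controls, each with an explanation,
  * a threat and impact recorded per question,
  * a qualitative likelihood x impact rating for every gap found.
"""
from dataclasses import dataclass

# Simplified three-level qualitative scales (assumption, not NIST's exact tables).
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Question:
    qid: str
    text: str            # the yes/no question asked during the assessment
    answered_yes: bool   # is the control in effect?
    explanation: str     # required for every answer, yes or no
    threat: str          # event the control is meant to counter
    likelihood_if_no: str  # likelihood of the threat if the control is absent
    impact: str          # impact on confidentiality/integrity/availability of ePHI


def rate(likelihood: str, impact: str) -> str:
    """Map a likelihood/impact pair to a qualitative rating (1-2 low, 3-4 medium, 6-9 high)."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def missing_explanations(questions):
    """Return the ids of answers that lack the explanation the work program requires."""
    return [q.qid for q in questions if not q.explanation.strip()]


def analyze(questions):
    """Build a risk register from every control answered 'no', highest risk first."""
    register = []
    for q in questions:
        if q.answered_yes:
            continue  # control is in effect; no exposure to record
        score = LIKELIHOOD[q.likelihood_if_no] * IMPACT[q.impact]
        register.append({
            "qid": q.qid,
            "threat": q.threat,
            "gap": q.explanation,
            "score": score,
            "rating": rate(q.likelihood_if_no, q.impact),
        })
    register.sort(key=lambda r: -r["score"])
    return register


# Constructed sample answers covering systems, processes and the physical facility.
SAMPLE = [
    Question("Q1", "Are workstations that access ePHI protected by anti-malware with current signatures?",
             True, "Centrally managed; signatures updated daily.", "malware infection", "high", "medium"),
    Question("Q2", "Are ePHI backups stored off-site and tested for restoration?",
             False, "Backups stay on-site; no restore test on record.", "natural disaster destroys data center",
             "low", "high"),
    Question("Q3", "Is information system activity (audit logs) reviewed on a schedule?",
             False, "Logs are collected but nobody reviews them.", "unauthorized access goes undetected",
             "medium", "high"),
    Question("Q4", "Is physical access to the server room restricted and logged?",
             True, "", "unauthorized physical access", "medium", "high"),
]

if __name__ == "__main__":
    for qid in missing_explanations(SAMPLE):
        print(f"{qid}: answer recorded without explanation; work program incomplete")
    for entry in analyze(SAMPLE):
        print(f"{entry['qid']} [{entry['rating']}] {entry['threat']}: {entry['gap']}")
```

The register only lists controls that are absent, which is what a mitigation plan needs, while the explanation check enforces the "yes or no plus explanation" rule for every answer, so a "yes" with nothing behind it is flagged rather than silently accepted.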

Customer challenges
Utilizing in-house resources: Because the current economic climate has forced many organizations to reduce headcount to reduce expenditures, remaining staff is often asked or even required to assume the responsibilities and tasks of those let go. Organizations will most likely struggle to find internal resources with the required skills and availability to conduct the assessments. VARs who remain in touch with their clients and are aware of their reduced headcount should offer to provide staff augmentation services to support these initiatives.

Applying an objective approach to the assessment: Effective risk management begins with adopting an objective approach to self-examination. It is often difficult for an organization to look into itself and call out areas of deficiency, let alone acknowledge that there may be problems present. This is not to say that an objective approach cannot be developed. For example: subscribe to industry forums and support groups; attend seminars and conferences to learn about trends and the mistakes of others; develop a self-assessment work program or checklist (many examples and sample templates can be found by searching the Internet); involve internal audit (IA) in conducting the assessments; and establish a program that involves the use of external third parties for periodic reviews. It is important to remember that there is always room for improvement, and asking for assistance is a simple step in the right direction. VARs can play an important, if not pivotal, role as a trusted advisor and act as the external third-party vendor that facilitates the assessment.

Deciphering the rule's requirements: The ambiguous wording of HIPAA security risk analysis rules makes it unclear exactly how to satisfy the requirement. Organizations may not have the technical expertise on hand to decipher the requirements, and they may inadvertently embark on an incorrect path or approach. VARs who are knowledgeable about the HIPAA rules and the associated NIST guidelines should work with their clients to interpret the regulation. It is important to identify the industry guidelines available for evaluating the requirements and to work with clients to create a work program for conducting the risk assessments.

Knowing when to ask for assistance and guidance: Current economic conditions have forced more organizations to look closer at their bottom line, identify any areas of unnecessary spending, and either reduce or eliminate those areas. With fewer resources and more work, organizations will struggle to find a budget for external assistance. VARs should meet with their clients on a frequent and periodic basis to anticipate when they can offer their services and help nudge their clients to ask for assistance.

VARs should spend time with their clients to update a risk management framework, coupled with a "best practices" assessment work program and a detailed mitigation project plan highlighting baseline evaluation and "milestone" checkpoints for completion. The framework will demonstrate commitment to the initiative and provide a substantive business case for acquiring incentive funding. Targeted focus should include:

  • Documented risk management framework and approach.
  • Documented project plan for facilitating the analysis.
  • Documented work program for conducting security controls assessments.
  • Documented level of effort and commitment to achieving compliance.
  • Documented business case for demonstrating ability to meet the requirements and implement a sustainable framework and risk mitigation/validation program.

About the author:
Allen Zuk is the President and CEO of Sierra Management Consulting, LLC, an independent IT Management Consulting services firm specializing in developing IT Risk Management (ITRM) Frameworks, ITRM Strategies and Plans, IT Governance and Compliance Programs, and Business Continuity and Disaster Recovery Management Programs and Plans and Information Security and Facility Threat and Risk assessments.
