HIPAA Security Standards: Guidance on Risk Analysis
The Office for Civil Rights (OCR) is responsible for issuing annual guidance on the
provisions in the HIPAA Security Rule.[1] (45 C.F.R. §§ 164.302 – 318.) This series of
guidance documents will assist organizations[2] in identifying and implementing the most effective
and appropriate administrative, physical, and technical safeguards to secure electronic
protected health information (e-PHI). The guidance materials will be developed with
input from stakeholders and the public, and will be updated as appropriate.
We begin the series with the risk analysis requirement in § 164.308(a)(1)(ii)(A).
Conducting a risk analysis is the first ...
Therefore, non-federal organizations may find their content valuable
when developing and performing compliance activities.
All e-PHI created, received, maintained or transmitted by an organization is subject to the
Security Rule. The Security Rule requires entities to evaluate risks and vulnerabilities in
their environments and to implement reasonable and appropriate security measures to
protect against reasonably anticipated threats or hazards to the security or integrity of e-PHI. Risk analysis is the first step in that process.
We understand that the Security Rule does not prescribe a specific risk analysis
methodology, recognizing that methods will vary dependent on the size, complexity, and
capabilities of the organization. Instead, the Rule identifies risk analysis as the
foundational element in the process of achieving compliance, and it establishes several
objectives that any methodology adopted must achieve.

[1] Section 13401(c) of the Health Information Technology for Economic and Clinical Health (HITECH) Act.
[2] As used in this guidance the term “organizations” refers to covered entities and business associates. The
guidance will be updated following implementation of the final HITECH regulations.
[3] The HIPAA Security Rule: Health Insurance Reform: Security Standards, February 20, 2003, 68 FR 8334.
[4] The 800 Series of Special Publications (SP) are available on the Office for Civil Rights’ website –
specifically, SP 800-30 - Risk Management Guide for Information Technology Systems.
Risk Analysis Requirements under the Security Rule
The Security Management Process standard in the Security Rule requires organizations to
“[i]mplement policies and procedures to prevent, detect, contain, and correct security
violations.” (45 C.F.R. § 164.308(a)(1).) Risk analysis is one of four required
implementation specifications that provide instructions to implement the Security
Management Process standard. Section 164.308(a)(1)(ii)(A) states:
RISK ANALYSIS (Required).
Conduct an accurate and thorough assessment of the potential risks and
vulnerabilities to the confidentiality, integrity, and availability of electronic
protected health information held by the [organization].
The following questions, adapted from NIST Special Publication (SP) 800-66, are examples
organizations could consider as part of a risk analysis. These sample questions are not
prescriptive and merely identify issues an organization may wish to consider in implementing
the Security Rule:
Have you identified the e-PHI within your organization? This includes e-PHI that you create, receive, maintain or transmit.

What are the external sources of e-PHI? For example, do vendors or consultants create, receive, maintain or transmit e-PHI?

What are the human, natural, and environmental threats to information systems that contain e-PHI?