For hospitals and other health care providers working to secure electronic protected health information (e-PHI), a comprehensive risk analysis is a critical first step. The draft guidance on risk analysis issued on May 7, 2010, by the Department of Health and Human Services’ Office for Civil Rights (OCR) offers a starting point to help hospitals and other providers identify and implement the most effective and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of e-PHI. The guidance provides helpful insight into the expectations of OCR, the agency responsible for enforcing the HIPAA Privacy and Security Rules.

The HIPAA Security Rule has always required health care providers, health plans, and other covered entities to conduct an accurate and thorough analysis of potential risks to the confidentiality, integrity, and availability of e-PHI, but it does not specify how to go about conducting an effective assessment. The risk analysis requirement has received heightened attention recently in the wake of stronger enforcement provisions included in the HITECH Act for violations of the HIPAA Privacy and Security Rules, as well as the inclusion of this security measure in the “meaningful use” rules under which eligible health care providers can qualify for the electronic health record incentives program adopted last year.

OCR’s draft guidance recommends that organizations include the following key steps in their risk analysis. Define the scope of the risk analysis.