The question is asked of HIPAA subject matter experts with an almost maddening frequency: “How often do I need to conduct a HIPAA Security Risk Analysis (SRA)?” In 2010, the Department of Health and Human Services’ Office for Civil Rights issued guidance on the topic. The guidance did not spell out how often the analysis is to be performed.

HIPAA SRA Requirements

Yet, the guidance pointed toward an answer by noting several Security Rule requirements. Requirement 1: Entities are obligated to continuously provide reasonable and appropriate protection of electronic protected health information (ePHI). Requirement 2: When there are changes that affect the security of ePHI, the entity must modify security measures to meet this obligation. It must also update documentation of the modified measures.

So, to protect ePHI, you must change and document security measures when circumstances require it. Left unanswered: how do you identify when security updates are necessary in the first place? Are you supposed to have some SRA Spidey Sixth Sense? Of course not. Per the guidance and common sense, an organization identifies when security updates are needed by conducting continuous risk analysis. “Continuous” does not mean a specific frequency. It does not mean “yearly,” or “every other year,” or “three times a month.” What does it mean? The 2022 HIPAA SRA requirements guidance explains what is meant by “continuous” and why risk analyses must be performed on a continuous basis. That guidance is discussed in further detail below.

HIPAA SRA Requirements: A Continuous Need

Imagine that you are trying to convince a reluctant someone – an employer, a colleague, a healthcare practitioner – that a security risk analysis must be performed on a continuous basis.

Their opening comment might be something along the lines of, “Well, I’ve read the Security Rule. Yeah, there is a part on risk analysis. The Rule says, ‘Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.’ I don’t see anything about having to conduct one every year or more. Where are you getting this ‘continuous’ nonsense? And beyond that, what does ‘continuous’ even mean?”

Fortunately for you, the cavalry has arrived, for you are now armed with the 2010 guidance AND the 2022 HIPAA SRA requirements guidance.

The 2010 guidance instructs, “The risk analysis process should be ongoing. In order for an entity to update and document its security measures ‘as needed,’ which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed.”

You inform your HIPAA inquisitor of this fact. That person then volleys, “Well, about that guidance you cited… In the next sentence, the guidance states, ‘The Security Rule does not specify how frequently to perform risk analysis as part of a comprehensive risk management process.’ Nice try, though.”

You remain unbowed. “Yes, but the next paragraph states, and I am paraphrasing here, ‘A truly integrated risk analysis and management process should be performed as new technologies and business operations are planned, thereby reducing the effort required to address risks you identify after implementation. For example, if you’ve experienced a security incident, had a change of ownership, or have had key staff turnover, you should analyze the potential risk to ensure that ePHI remains reasonably and appropriately protected.’ How do you do this? By performing the risk analysis. Only by performing the risk analysis can you determine whether existing security measures are sufficient to protect against the risks associated with evolving threats or vulnerabilities, a changing business environment, the introduction of new technology, or whether additional security measures are needed. And you have to perform the analysis continuously, or else…”

“You talk too much. And besides, what’s this ‘evolving threats’ thing?”

“Glad you asked. And while we’re at it, the SRA should be performed continuously for a couple of other reasons, too.”
