Introduction
As my readers know, I have an affinity for risk analysis and risk management, which I often pose in the form of this question: How will you make informed, intelligent decisions about what safeguards you should invest in and implement until you understand your unique exposures? I’ve written about how most organizations throw money away because they’re playing cybersecurity whack-a-mole. See Board Members – Stop Wasting Investors’ Money on Cybersecurity!
Furthermore, I summarize the three root causes for our general cybersecurity mess as: 1) Risk Illiteracy, 2) Insufficient Accountability, and 3) Undervaluing Enterprise Cyber Risk Management. I addressed the failure of the HIPAA Security Rule to do enough to address these root causes in Comments on the Proposed HIPAA Security Rule Revisions.
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule has long required covered entities and business associates to conduct risk analyses and implement risk management strategies to protect electronic Protected Health Information (ePHI). However, with the increasing frequency and sophistication of cyberattacks on the healthcare industry, the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) has determined that these provisions require significant strengthening.
Combine that increase in attacks with the healthcare industry’s dismal record of conducting risk analyses, and the case for change is clear. In response, the Notice of Proposed Rulemaking (NPRM) released in December 2024 proposes major updates to risk analysis and risk management requirements. These include elevating these provisions to required standards, introducing stricter documentation, setting deadlines for risk mitigation, and aligning HIPAA requirements with modern cybersecurity frameworks such as those from the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA).
This article summarizes the key changes related to risk analysis and risk management in the NPRM and their implications for healthcare organizations.
Elevation of Risk Analysis to a Required Standard
Current Requirements
Under the current rule, HIPAA treats risk analysis as an implementation specification under the Security Rule’s Security Management Process Standard (45 CFR 164.308(a)(1)). This positioning means that while risk analysis is required, its implementation details are largely left to the discretion of covered entities.
Proposed Changes
The NPRM proposes elevating risk analysis from an implementation specification to a standalone standard (45 CFR 164.308(a)(2)(i)). This elevation means risk analysis will become a core, non-negotiable requirement, making enforcement more stringent.
Additionally, the NPRM introduces eight specific implementation specifications to clarify what constitutes a comprehensive and compliant risk analysis, including:
- Technology Asset Inventory – Organizations must create and maintain a detailed inventory of all technology assets that store, process, or transmit ePHI.
- Network Mapping – Regulated entities must map how ePHI moves through their systems to identify potential security gaps.
- Threat and Vulnerability Identification – Entities must identify all reasonably anticipated threats and vulnerabilities that could compromise ePHI.
- Risk Rating and Prioritization – Organizations must assess the likelihood and impact of identified threats exploiting vulnerabilities, and assign risk levels accordingly.
- Annual Reviews – Regulated entities must update their risk analysis at least once a year, or whenever significant technological or operational changes occur.
- Documentation and Justification – Regulated entities must document the rationale behind risk determinations and mitigation decisions.
- Adoption of Industry Standards – The risk analysis should align with recognized frameworks, such as NIST SP 800-30 and CISA’s Cybersecurity Performance Goals (CPGs).
- Timely Updates – Organizations must promptly update risk analysis findings to reflect new vulnerabilities, system changes, or cyber threats.
Implications
These updates address common compliance failures observed by OCR, where many organizations either failed to conduct a thorough risk analysis or only did so sporadically. By requiring annual reviews and explicit documentation, OCR aims to ensure organizations maintain an active and dynamic cybersecurity posture.
Establishing a Formalized Risk Management Plan
Current Requirements
HIPAA currently requires organizations to have a risk management process, but the Security Rule does not specify detailed steps for implementing this process. Many covered entities struggle to prioritize risks, implement timely mitigations, and document risk management decisions.
Proposed Changes
Under the NPRM, risk management is elevated from an implementation specification to a required standard (45 CFR 164.308(a)(5)(i)).
The NPRM also introduces several new provisions:
- Written Risk Management Plan – Organizations must establish a documented risk management plan outlining specific actions to mitigate identified risks.
- Risk Prioritization – The plan must prioritize risks based on criticality, ensuring the most serious vulnerabilities are addressed first.
- Timeliness Requirements –
  - Critical risks (e.g., known exploited vulnerabilities) must be mitigated within 15 calendar days.
  - High-risk threats must be addressed within 30 days.
  - All other risks must be mitigated within a reasonable timeframe determined by the organization’s policies.
- Annual Plan Review – Organizations must update their risk management plan annually to reflect new threats, vulnerabilities, and technological changes.
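The risk rating, prioritization and timeliness provisions above describe a workflow that a risk register can enforce. The following Python example is added here to illustrate that workflow; it is not code from the NPRM, OCR, or this article’s author. The 15-day and 30-day windows come from the NPRM summary above; the three-level likelihood and impact scales, the score thresholds that map to the critical/high/other tiers, the 90-day window for "other" risks, and all register entries are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Assumed three-level scales; the NPRM does not prescribe a scoring scale.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}

# Mitigation windows in calendar days. Critical (15) and high (30) follow the
# NPRM summary; "other" is left to organizational policy, 90 is a placeholder.
DEADLINE_DAYS = {"critical": 15, "high": 30, "other": 90}
TIER_ORDER = {"critical": 0, "high": 1, "other": 2}


@dataclass
class Risk:
    risk_id: str
    asset: str                 # entry from the technology asset inventory
    threat: str
    vulnerability: str
    likelihood: str            # key of LIKELIHOOD
    impact: str                # key of IMPACT
    identified_on: date
    known_exploited: bool = False   # e.g. present in a known-exploited-vulnerability list
    mitigated_on: Optional[date] = None
    rationale: str = ""        # documented justification for the rating/decision


def score(risk: Risk) -> int:
    """Likelihood x impact on the assumed 1-3 scales (range 1..9)."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def rating(risk: Risk) -> str:
    """Map a risk to the NPRM tier. Known exploited vulnerabilities are always
    critical; otherwise the assumed thresholds are score >= 9 critical, >= 6 high."""
    if risk.known_exploited or score(risk) >= 9:
        return "critical"
    if score(risk) >= 6:
        return "high"
    return "other"


def deadline(risk: Risk) -> date:
    """Mitigation due date counted in calendar days from identification."""
    return risk.identified_on + timedelta(days=DEADLINE_DAYS[rating(risk)])


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Most critical tier first, then higher score, then earliest deadline."""
    return sorted(risks, key=lambda r: (TIER_ORDER[rating(r)], -score(r), deadline(r)))


def overdue(risks: List[Risk], today: date) -> List[str]:
    """IDs of unmitigated risks whose window has passed, in priority order."""
    return [r.risk_id for r in prioritize(risks)
            if r.mitigated_on is None and today > deadline(r)]


# Constructed sample register (fictional assets and findings).
REGISTER = [
    Risk("R-1", "EHR application server", "ransomware", "unpatched VPN appliance",
         "high", "high", date(2025, 1, 10), known_exploited=True,
         rationale="exploitation reported in the wild; ePHI directly reachable"),
    Risk("R-2", "nurse workstation", "credential theft", "local admin rights",
         "medium", "high", date(2025, 1, 10), mitigated_on=date(2025, 2, 1),
         rationale="admin rights removed via endpoint policy"),
    Risk("R-3", "visitor Wi-Fi controller", "unauthorized access", "default SNMP community",
         "medium", "low", date(2025, 1, 10),
         rationale="segmented from clinical network; no ePHI in scope"),
    Risk("R-4", "backup server", "data destruction", "backups not immutable",
         "high", "high", date(2025, 1, 20),
         rationale="loss of backups defeats ransomware recovery"),
]

if __name__ == "__main__":
    today = date(2025, 2, 10)
    for r in prioritize(REGISTER):
        print(f"{r.risk_id} {rating(r):8} score={score(r)} due={deadline(r)} "
              f"{'MITIGATED' if r.mitigated_on else 'open'}")
    print("overdue:", overdue(REGISTER, today))
```

Running the block prints the register in priority order and flags R-1 and R-4 as overdue on 10 February 2025: both are critical and unmitigated past their 15-day windows, while R-2 was mitigated inside its 30-day window and R-3 is still within the assumed policy window. The `rationale` field is what the documentation-and-justification requirement asks for; keeping it next to the rating makes an annual review or an OCR audit a matter of reading the register rather than reconstructing decisions.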
Implications
These provisions close a significant compliance gap by ensuring organizations act on identified risks promptly instead of delaying mitigation indefinitely. The explicit timelines for addressing vulnerabilities align HIPAA with other cybersecurity frameworks, such as CISA’s vulnerability management directives.
Compensating Controls for Unpatched Vulnerabilities
Proposed Changes
In cases where a patch, update, or security fix is not available or would cause operational issues, the NPRM requires organizations to:
- Document the exception in real time, explaining why the patch cannot be applied.
- Implement compensating controls, such as network segmentation, enhanced monitoring, or temporary system isolation.
- Review and reassess exceptions periodically to determine when a patch can be safely deployed.
Implications
This proposed change addresses concerns that some entities fail to mitigate known vulnerabilities under the assumption that patching is optional. OCR’s new rule ensures every security risk is actively managed, even when direct patching is not feasible.
Increased Focus on Accountability and Compliance
OCR’s Rationale
OCR has found widespread noncompliance with risk analysis and risk management requirements. In its 2016-2017 HIPAA audits, OCR found that:
- Only 14% of covered entities and 17% of business associates conducted a comprehensive risk analysis.
- 94% of covered entities and 88% of business associates failed to implement sufficient risk management practices.
Proposed Changes
To address these gaps, the NPRM emphasizes:
- Mandatory documentation of risk decisions, ensuring organizations can justify their security choices.
- Enforcement of risk management plans, holding organizations accountable for risk mitigation timelines.
- Auditable compliance records, requiring organizations to retain risk analysis and risk management documents for six years.
Implications
These changes shift HIPAA enforcement from a passive to an active model, ensuring organizations do not merely assess risk but take concrete steps to mitigate it.
Alignment with Industry Best Practices
The NPRM aligns HIPAA’s risk analysis and risk management provisions with:
- NIST Special Publication 800-30, which outlines comprehensive risk assessment methodologies.
- CISA’s Cybersecurity Performance Goals (CPGs), which provide industry-wide security benchmarks.
- Executive Orders on Cybersecurity, which require the healthcare sector to meet baseline security standards.
Implications
This alignment ensures HIPAA-covered entities follow modern cybersecurity standards, strengthening overall healthcare cybersecurity resilience.
Conclusion
The proposed changes in the NPRM significantly strengthen HIPAA’s risk management framework. By making risk analysis and risk management required standards, enforcing timelines for mitigation, requiring annual updates, and demanding more comprehensive documentation, OCR aims to enhance cybersecurity protections for ePHI and reduce the growing threat of ransomware, data breaches, and other cyberattacks in healthcare.
Covered entities and business associates should prepare now by reviewing their risk analysis and risk management processes, documenting their cybersecurity practices, and ensuring compliance with the new standards before the final rule takes effect.
To learn more beyond the content and recommended actions in this article, you may wish to pick up a copy of Enterprise Cyber Risk Management as A Value Creator | Leverage Cybersecurity for Competitive Advantage or Stop The Cyber Bleeding: What Healthcare Executives and Board Members Must Know About Enterprise Cyber Risk Management (ECRM).
#riskmanagement #CISO #ECRM #enterprisecyberriskmanagement #cyberriskmanagement #cyberriskilliteracy #cyberopportunitymanagement #cybersecurityvalue #boardcyberoversight #boardofdirectors

