Technical Vulnerability Scan is a REQUIREMENT for HIPAA Security Risk Assessments and Meaningful Use Security Risk Analysis

After being asked on numerous occasions by practices whether technical vulnerability scans are required or whether a checklist will suffice, I felt it would be worthwhile to see if there is another way for me to say, "Yes, technical vulnerability scans are required, and no, a checklist will not suffice." I referred to 45CFR§164.308(a)(1)(ii)(A) and explained that this is a crucial piece that needs to be completed.

I decided I would go straight to the most definitive source on the topic: Health and Human Services. I sent them a simple email and waited for the response. I have included it here for all who are interested:

Here is my email, straight to the point:

Subject: HIPAA Security Risk Assessment Requirements

To Whom it May Concern:

I am looking for some clarification regarding requirements for a HIPAA Security Risk Assessment as well as a Meaningful Use Security Risk Analysis as I am being asked by many potential clients:

Do both of these assessments require a vulnerability scan to be completed as part of the assessment?

Your response is appreciated.
Randy Homa
Senior Vice President, Director of Healthcare Services
Security Compliance Associates
2727 Ulmerton Rd., Suite 310
Clearwater, FL 33762

Here is the Response:

FW: HIPAA Security Risk Assessment Requirements

OS OCR Privacy (HHS/OS)

The answer is yes.

A thorough risk assessment/analysis [45CFR§164.308(a)(1)(ii)(A)] for the Security Rule includes a comprehensive assessment of the internal and external networks, whether wired, wireless, or cloud-hosted. In addition, the report must include a technical vulnerability assessment of all the IT assets, all electronic protected health information (ePHI), and physical and environmental controls, and operational processes (policies and procedures) of the underlying IT infrastructure across the enterprise.

With regards to the Meaningful Use compliance, a technical vulnerability as well as assessments of the physical, environmental, and operational controls surrounding the electronic healthcare record system satisfy the requirements of Meaningful Use objectives.