We exclusively use the process designed by the Office of the National Coordinator for Health Information Technology.
Each Security Rule STANDARD is a requirement: A covered entity must comply with all of the standards of the Security Rule with respect to the EPHI it creates, transmits or maintains.
(ii) Implementation specifications:
(A) Risk analysis (Required)
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
A required Implementation Specification is similar to a standard, in that a covered entity must comply with it. For example, all covered entities including small providers must conduct a “Risk Analysis” in accordance with Section 164.308(a)(1) of the Security Rule.
THE SECURITY RISK ANALYSIS is one of the two most important assets you can possess in the event of an unauthorized disclosure of electronic Protected Health Information. The other is a HIPAA compliant POLICY AND PROCEDURE MANUAL.
Without the documentation provided in these two assets, how can you prove the steps you’ve taken to protect patient records and mitigate future violations if something like this should happen?
"Remember, security risk analysis and mitigation is an ongoing responsibility for your practice. This should be part of your practice’s ongoing activities and a full security risk analysis should be conducted at least once a year."
Office of the National Coordinator for Health Information Technology)