Security Risk Analysis

We exclusively use the process designed by the Office of the National Coordinator for Health Information Technology.

HIPAA §164.308 Administrative safeguards.

(a) A covered entity must, in accordance with §164.306:

(1) (i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.

Each Security Rule STANDARD is a requirement: a covered entity must comply with all of the standards of the Security Rule with respect to the EPHI it creates, transmits, or maintains.


(ii) Implementation specifications:

(A) Risk analysis (Required)

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

A required Implementation Specification is similar to a standard, in that a covered entity must comply with it. For example, all covered entities, including small providers, must conduct a “Risk Analysis” in accordance with Section 164.308(a)(1) of the Security Rule.

THE SECURITY RISK ANALYSIS is one of the two most important assets you can possess in the event of an unauthorized disclosure of electronic Protected Health Information. The other is a HIPAA-compliant POLICY AND PROCEDURE MANUAL.

Without the documentation these two assets provide, how can you prove the steps you have taken to protect patient records and to mitigate future violations if such a disclosure occurs?

"Remember, security risk analysis and mitigation is an ongoing responsibility for your practice. This should be part of your practice’s ongoing activities and a full security risk analysis should be conducted at least once a year."

(Page 36, Guide to Privacy and Security of Health Information, Version 1.1, 022312, Office of the National Coordinator for Health Information Technology)