August 10, 2014

What is Risk Analysis (Section 19 of the HIPAA Security Rule)

HIPAA Risk Analysis

Risk Assessment, otherwise called Risk Analysis, is a required part of the HIPAA Security Rule, 164.308(a)(1). To ensure compliance, health care providers, medical offices (Covered Entities), business associates, or any other entity that receives, transforms, or stores Electronic Protected Health Records (ePHI) are required to perform a Risk Analysis at least once a year, or whenever major changes in operations or systems occur.

So what is Risk Analysis?

Risk analysis is the first step in a thorough Security Management Process that ensures the Confidentiality, Integrity, and Availability of your ePHI. Risk Analysis is an evaluation that helps you identify three main types of vulnerability:

  • Whether someone can compromise the confidentiality of your ePHI.
  • Whether someone might inappropriately change or delete your ePHI.
  • Whether your ePHI might not be available when it is needed.

A good Risk Analysis will:

  • Identify the relevant assets.
  • Identify threats and vulnerabilities.
  • Assess existing security/control measures (Administrative, Physical, Technical safeguards).
  • Determine the likelihood for the identified threats to occur.
  • Determine and document the impact of threats on your ePHI (Confidentiality, Integrity, Availability).
  • Categorize the likelihood of threats and vulnerabilities vs. the impact of such threats as high, medium, or low using a matrix.
  • Document Risk Levels (Low, Medium, High).
  • Document a list of corrective actions.
  • Review and update security measures regularly.

In plain English, a Risk Analysis will identify the levels of threats and vulnerabilities, determine the cost of preventing them vs. the impact if you don't, and list the actions that need to be taken to do so.
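The list above describes a likelihood-vs-impact matrix that turns each threat/vulnerability pair into a Low, Medium, or High risk level and then a prioritized list of corrective actions. The following is an added example, not code from the original post, that works this through for a small practice: the 3x3 matrix cell values and the sample findings (the `SAMPLE_FINDINGS` register, asset names, and control descriptions) are constructed for illustration, and a practice may adopt a different matrix layout.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import List


class Level(IntEnum):
    """Three-point scale used for likelihood, impact and the resulting risk level."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Likelihood (outer key) x Impact (inner key) -> Risk level.
# Constructed, commonly used 3x3 layout; the exact cells are an assumption.
RISK_MATRIX = {
    Level.LOW:    {Level.LOW: Level.LOW,    Level.MEDIUM: Level.LOW,    Level.HIGH: Level.MEDIUM},
    Level.MEDIUM: {Level.LOW: Level.LOW,    Level.MEDIUM: Level.MEDIUM, Level.HIGH: Level.HIGH},
    Level.HIGH:   {Level.LOW: Level.MEDIUM, Level.MEDIUM: Level.HIGH,   Level.HIGH: Level.HIGH},
}


def rate_risk(likelihood: Level, impact: Level) -> Level:
    """Look up the risk level for one threat/vulnerability pair."""
    return RISK_MATRIX[likelihood][impact]


@dataclass(frozen=True)
class Finding:
    asset: str                 # relevant asset that stores or processes ePHI
    threat: str                # what could go wrong
    vulnerability: str         # weakness the threat would take advantage of
    affects: tuple             # subset of ("confidentiality", "integrity", "availability")
    existing_controls: str     # administrative / physical / technical safeguards already in place
    likelihood: Level
    impact: Level
    corrective_action: str

    @property
    def risk(self) -> Level:
        return rate_risk(self.likelihood, self.impact)


def analyze(findings: List[Finding]) -> List[Finding]:
    """Order findings highest risk first (ties broken by likelihood, then impact)."""
    return sorted(findings, key=lambda f: (f.risk, f.likelihood, f.impact), reverse=True)


def corrective_action_plan(findings: List[Finding], threshold: Level = Level.MEDIUM) -> List[str]:
    """List corrective actions for every finding at or above the threshold, highest risk first."""
    return [f"[{f.risk.name}] {f.asset}: {f.corrective_action}"
            for f in analyze(findings) if f.risk >= threshold]


def risk_summary(findings: List[Finding]) -> dict:
    """Count findings per documented risk level."""
    counts = {lvl.name: 0 for lvl in Level}
    for f in findings:
        counts[f.risk.name] += 1
    return counts


# Constructed sample register for a small medical practice (not real data).
SAMPLE_FINDINGS = [
    Finding("EHR database server", "ransomware infection", "operating system patches months behind",
            ("integrity", "availability"), "antivirus only",
            Level.HIGH, Level.HIGH, "patch monthly; maintain tested offline backups"),
    Finding("front-desk workstation", "visitor views patient records on screen", "no automatic screen lock",
            ("confidentiality",), "staff training",
            Level.HIGH, Level.MEDIUM, "enforce a 5-minute screen lock and add a privacy screen"),
    Finding("backup tapes", "tapes lost in transit", "backups are not encrypted",
            ("confidentiality",), "locked transport case",
            Level.LOW, Level.HIGH, "encrypt backups before they leave the building"),
    Finding("guest Wi-Fi", "guest device reaches the clinical network", "guest and clinical VLANs share one switch",
            ("confidentiality",), "separate SSIDs, VLANs and firewall rules",
            Level.LOW, Level.LOW, "review VLAN and firewall configuration annually"),
]


if __name__ == "__main__":
    for f in analyze(SAMPLE_FINDINGS):
        print(f"{f.risk.name:6} L={f.likelihood.name:6} I={f.impact.name:6} {f.asset}: {f.threat}")
    print(risk_summary(SAMPLE_FINDINGS))
    for line in corrective_action_plan(SAMPLE_FINDINGS):
        print(line)
```

Each `Finding` records the asset, threat, vulnerability, the CIA properties affected, and the existing safeguards, which is the documentation the Security Rule expects to see; the matrix lookup and the threshold in `corrective_action_plan` are what turn that register into the prioritized action list the post describes.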

Conducting a risk analysis is a collaborative process that will involve many aspects of your medical practice, including conducting interviews, reviewing your policies and procedures, and performing intrusion detection tests on your computer networks. It is also a required measure for Meaningful Use compliance if you want to receive Medicare and Medicaid incentives.

If you have not conducted a Risk Analysis for your medical practice yet, it is time to do so.
