Data Backup and Security Blog

What is a “risk analysis?”

Monday, May 17th, 2010

Dear HIPAA-HITECH Informed Readers,

Here’s a question from our HIPAA-HITECH FAQs Series…
Q11. What is a “risk analysis?”

A fundamental design principle in the Security Rule was that “one size does not fit all”. That is, organizations needed to first understand the law, second assess their risks vis-à-vis the law and, third, take appropriate actions for their organization to mitigate their risks in order to comply with the law.

“Risk” is defined as the degree or likelihood that a certain threat or vulnerability will occur, resulting in a breach of the safeguards designed to provide control or protection of patient health information. Risk is quantified by taking into account two factors: (1) the likelihood and (2) the impact (criticality) of the loss.

A “risk analysis” is a systematic and comprehensive assessment of every aspect of information handling, including electronic conversion, processing, storage, and transmission, that could potentially compromise the integrity of patient health information. Thus, the scope of a risk analysis should address all facets of the CE’s or BA’s computer hardware, software, and networks, along with the associated electronic equipment and systems.

The initial risk analysis should also assess security policies and procedures and technical safeguards, to determine the extent to which they meet the standards contained in the Security Rule. CEs and BAs must then perform ongoing risk analyses in response to environmental or operational changes.

Risk analysis findings should identify levels of risk and make recommendations to reduce these risks to a reasonable and appropriate level. These findings and their remedies should be documented and retained as a permanent component of the HIPAA Security Rule compliance program. This documentation should take the form of:

• Security Gap Analysis (depicting the difference between the current and the optimal levels of risk)
• Risk Remediation Plan (outlining the process for achieving the optimal levels of risk)

A CE or BA can choose to have a third party perform the risk analysis and thus provide an independent assessment of the organization’s security with respect to the HIPAA Security Standards.

View our entire series of HIPAA Security Law – HITECH Act FAQs

Attend one of our HIPAA-HITECH Webinars


bob.chaput@datamountain.com | (800) 704-3394 | Follow Bob on Twitter: twitter.com/BobChaput


What is a “standard” as defined by the Security Rule?

Monday, May 17th, 2010

Dear HIPAA-HITECH Informed Readers,

Here’s a question from our HIPAA-HITECH FAQs Series…

Q9. What is a “standard” as defined by the Security Rule?

A standard is a provision of the Security Rule that all CEs and BAs must comply with, specifically with respect to EPHI. There are no exceptions. There are 18 standards defined in the Security Rule. With HITECH, the number of standards has not changed; however, more explicit guidance and clarity are provided in many areas of the Security Rule and the Privacy Rule as well.

View our entire series of HIPAA Security Law – HITECH Act FAQs

Attend one of our HIPAA-HITECH Webinars


bob.chaput@datamountain.com | (800) 704-3394 | Follow Bob on Twitter: twitter.com/BobChaput