Risk Analysis is usually regarded as step one towards HIPAA compliance. Risk analysis is a mandatory implementation specification under the Security Management Process standard of the Administrative Safeguards portion of the HIPAA Security Rule as per Section 164.308 (a) (1). All Healthcare organizations will reap the benefits of an effective Risk Analysis and Risk Management program beyond just being HIPAA compliant. Compliance with HIPAA is not optional… it is mandatory, to keep off penalties.
HIPAA Risk Analysis Objectives
The overall target of a HIPAA risk analysis is to document the possible risks and exposures to the confidentiality, integrity, or availability of electronic protected health information (ePHI) and ascertain the appropriate safeguards to bring the level of risk to a manageable level. This ensures that controls and expenditures are fully consistent with the risks to which the entity is exposed.
Scope of HIPAA Risk Analysis
HIPAA Risk Analysis covers conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of an organization’s electronic Protected Health Information (EPHI). Needless to say, it involves all electronic gadgets used in your company to compile, retrieve, maintain or transmit ePHI – viz. portable devices, PCs, and networks. This assessment identifies the gaps in compliance with the HIPAA Security Rule and recommends possible remediation measures.
The company’s security strategy must support and be aligned with the core goals of the HIPAA Security Rule.
- Confidentiality is the property that data or information is not made available or disclosed to unauthorized persons or processes.
- Integrity is the property that data or information has not been altered or destroyed in an unauthorized manner.
- Availability is the property that data or information is accessible and usable upon demand by an authorized person.
After completing HIPAA Risk Analysis, the company can have Significant Remediation Recommendations like:
- Develop, approve, implement, and maintain a comprehensive and integrated set of HIPAA Security Rule compliant policies to meet the regulations. Integrate procedures to implement the policies.
- Build complete documentation of the network, systems, applications, data communications, and topology. Identify and document all uses of modems or other external connectivity
- Develop policies, procedures, and methods for securing perimeter network devices in remote wiring closets.
And many more based on the finding.
List of documents in HIPAA Security Risk Analysis Template revised for HITECH Omnibus Rule
- Asset Inventory Worksheet
- Detailed HIPAA Security Risk Analysis Executive Report
- Risk Analysis Checklist
- Risk Analysis Template
- Risk Assessment Executive Presentation
- HIPAA Security Risk Assessment Scorecard
- Overview spreadsheet
- Administrative safeguard spreadsheet
- Technical safeguard spreadsheet
- Physical safeguard spreadsheet
- Organizational safeguard spreadsheet
- Sample Privacy & Security Risk Analysis Executive Report 2013-Short Version
- Threat Matrix Worksheet
Total Cost: $495
If your company needs multiple entity licenses or templates, we may be able to give you discounted pricing. For information on this, please get in touch with Bob Mehta at Bob@supremusgroup.com or (515) 865-4591.
Let us help you in completing your HIPAA compliance with an audit.