9 Key Items of the HIPAA Security Rule Risk Analysis

One of the first requirements under the HIPAA Security Rule is that organizations and medical practices in Wisconsin must conduct a security risk analysis. Covered entities must conduct a thorough and accurate assessment of the potential vulnerabilities and risks to the integrity, availability, and confidentiality of their electronic protected health information (ePHI).

The Office for Civil Rights (OCR) requires that the risk analysis contain the following items:

  1. Scope of the Analysis
    The scope must include the risks to the integrity, availability, and confidentiality of all ePHI within the organization.
  2. Data Collection
    In addition to the scope, an organization must determine where ePHI is created, stored, received, and transmitted. This must be documented.
  3. Identify and Document Potential Vulnerabilities and Threats
    The security risk analysis must show that the organization has identified and documented the possible threats to, and vulnerabilities of, its ePHI.
  4. Evaluate Current Security Measures
    Organizations should evaluate and document the security measures used to safeguard their ePHI (e.g., processes and procedures).
  5. Determine the Probability of Threat Occurrence
    The security risk analysis must address the probability of the threat or risk to ePHI.
  6. Determine the Probable Effect of Threat Occurrence
    Along with the probability of the threat, the Security Rule also requires that the consequences or impact of the potential risk to the ePHI be reviewed.
  7. Determine the Risk Level
    Organizations must include the risk level in their security risk analysis. This should include the assigned risk levels and a list of corrective actions to address each risk.
  8. Finalize Documentation
    While the Security Rule requires the risk analysis to be documented, it does not specify a format.
  9. Regular Reviews and Updates to the Risk Assessment
    The security risk analysis must be ongoing. While the Security Rule does not specify how frequently it should be repeated, an annual risk assessment is recommended.

Organizations should work with a trusted advisor who can help determine and establish an effective risk analysis program. Contact Acuity Revenue Consulting, your trusted provider of medical consulting in Mequon, Wisconsin, if you have any inquiries or want to discuss your risk analysis options.
