Covered entities are required to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by them. A Risk Assessment helps a covered entity to:
- Ensure compliance with the HIPAA Security Rule (initial requirement and Meaningful Use)
- Demonstrate ongoing commitment to reducing risks of ePHI exposure
- Avoid compliance penalties and fines
- Reduce threats to systems and ePHI exposure
- Increase confidence in the safety of ePHI
- Identify potential ePHI exposures
- Identify potentially vulnerable systems and data
- Find areas where training may need improvement
- Ensure appropriate controls are in place to protect ePHI
- Provide recommendations to remediate risks
The HIPAA Security Rule requires identification and implementation of a framework to protect patients’ privacy and to make sure medical information is secure.
Conducting a risk analysis, or Risk Assessment, is the first step required by the HIPAA Security Rule to identify and implement safeguards that assure compliance. As part of the Risk Assessment you are required to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by a covered entity.” This Risk Assessment must include nine essential elements identified by the Office for Civil Rights (OCR), the enforcement arm for HIPAA.
OCR guidance notes that the risk analysis/assessment process should be ongoing. The Security Rule does not specify how frequently a risk analysis must be performed as part of a comprehensive risk management process, and the frequency will vary among covered entities. Some covered entities may perform these processes annually or as needed (e.g., bi-annually or every 3 years), depending on the circumstances of their environment.
Conducting or reviewing a security risk analysis/assessment that meets the standards of the HIPAA Security Rule is included in the meaningful use requirements of the Medicare and Medicaid EHR Incentive Programs. Eligible professionals must conduct or review a security risk analysis/assessment for each EHR reporting period to ensure the privacy and security of their patients’ protected health information.