Overview:
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.
Action Items:
1) Obtain and review risk analysis policies and procedures. Evaluate and determine if written policies and procedures were developed to address the purpose and scope of the risk analysis, workforce member roles and responsibilities, management involvement in the risk analysis, and how frequently the risk analysis will be reviewed and updated.
2) Obtain and review the written risk analysis or other record(s) that documents that an accurate and thorough assessment of the risks and vulnerabilities to the confidentiality, integrity, and availability of all EPHI has been conducted. Evaluate and determine whether the risk analysis or other documentation contains:
   a) A defined scope that identifies all of its systems that create, receive, maintain, or transmit EPHI
   b) Details of identified threats and vulnerabilities
   c) Assessment of current security measures
   d) Impact and likelihood analysis
   e) Risk rating
3) Obtain and review documentation regarding the written risk analysis or other documentation that immediately preceded the current risk analysis or other record, if any. Evaluate and determine if the risk analysis has been reviewed and updated on a periodic basis, in response to changes in the environment and/or operations, security incidents, or occurrence of a significant event.
Related Documents:
1) Risk analysis policies and procedures
2) Written risk analysis or other records that document that an accurate and thorough assessment of the risks and vulnerabilities of all EPHI has been conducted.
3) Documentation regarding the written risk analysis or other documentation that immediately preceded the current risk analysis or other record, if any.
Additional Guidance:
In general, a risk analysis can be viewed as:
1) The process of identifying potential security risks, and
2) Determining the probability of occurrence and magnitude of risks.
Sample questions for covered entities to consider:
- How does EPHI flow throughout the organization? This includes EPHI that is created, received, maintained or transmitted by the covered entity.
- What are the less obvious sources of EPHI? Has the organization considered portable devices like PDAs?
- What are the external sources of EPHI? For example, do vendors or consultants create, receive, maintain or transmit EPHI?
- What are the human, natural, and environmental threats to information systems that contain EPHI?
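The risk analysis the action items describe (a defined scope of EPHI systems, identified threats and vulnerabilities, current security measures, likelihood and impact, a risk rating, and periodic review) can be recorded as a small scored risk register. The following is an added illustration written for this article, not a tool from the wiki, HHS, or OCR; the 5-point scales, rating thresholds, the one-year review interval, and the sample systems and risks are constructed assumptions, not requirements taken from the rule.

```python
"""Scored risk register illustrating the HIPAA risk analysis elements above.
Example code added to this article; scales, thresholds and sample data are
constructed assumptions, not regulatory requirements."""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed ordinal scales (1-5) for probability of occurrence and magnitude.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    system: str              # in-scope system that creates/receives/maintains/transmits EPHI
    threat: str              # human, natural or environmental threat
    vulnerability: str       # weakness the threat could exploit
    current_controls: list   # security measures already in place
    likelihood: str          # key of LIKELIHOOD
    impact: str              # key of IMPACT

    def score(self) -> int:
        """Likelihood x impact on the constructed 5x5 scale (1..25)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def rating(self) -> str:
        """Map the numeric score onto an assumed three-band risk rating."""
        s = self.score()
        if s >= 15:
            return "high"
        if s >= 8:
            return "medium"
        return "low"


def build_register(risks):
    """Return register rows sorted from highest to lowest score."""
    rows = [
        {
            "system": r.system,
            "threat": r.threat,
            "vulnerability": r.vulnerability,
            "controls": list(r.current_controls),
            "score": r.score(),
            "rating": r.rating(),
        }
        for r in risks
    ]
    return sorted(rows, key=lambda row: row["score"], reverse=True)


def scope_gaps(inventory, risks):
    """Systems in the EPHI inventory that no risk entry covers (scope is incomplete)."""
    covered = {r.system for r in risks}
    return [system for system in inventory if system not in covered]


def review_due(last_reviewed: date, today: date, interval_days: int = 365,
               significant_change: bool = False) -> bool:
    """True when the periodic interval has elapsed or a triggering event occurred
    (environment/operational change, security incident, significant event)."""
    return significant_change or (today - last_reviewed) >= timedelta(days=interval_days)


# Constructed sample inventory and risks for a small covered entity.
SAMPLE_INVENTORY = ["EHR database", "billing portal", "laptop fleet", "backup tapes", "fax server"]
SAMPLE_RISKS = [
    Risk("laptop fleet", "theft (human)", "no full-disk encryption", ["cable locks"], "likely", "major"),
    Risk("EHR database", "ransomware (human)", "unpatched application server", ["offline backups", "EDR"], "possible", "severe"),
    Risk("billing portal", "vendor access (external)", "shared vendor account", ["quarterly access review"], "possible", "moderate"),
    Risk("backup tapes", "flood (natural)", "offsite storage below grade", ["waterproof cases"], "unlikely", "major"),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        print(f"{row['rating']:6} {row['score']:2}  {row['system']:14} {row['threat']} / {row['vulnerability']}")
    print("scope gaps:", scope_gaps(SAMPLE_INVENTORY, SAMPLE_RISKS))
    print("review due:", review_due(date(2021, 9, 1), date(2022, 9, 28)))
```

The `scope_gaps` check is the part auditors most often find missing in practice: a register can look complete while a system that handles EPHI (here the constructed "fax server") was never assessed at all, which is exactly the defined-scope element of action item 2.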
Article ID: 434
Created: September 28, 2022
Last Updated: September 28, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/hipaa-risk-analysis-164-308-a-1-ii-a-434.html