Overview:
Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).
Action Items:
1) Obtain and review policies and procedures related to risk management. Evaluate and determine whether the documents identify how risk will be managed, what is considered an acceptable level of risk based on management approval, the frequency of reviewing ongoing risks, and workforce members’ roles in the risk management process.
2) Obtain and review documentation demonstrating the security measures implemented and/or in the process of being implemented as a result of the risk analysis or assessment. Evaluate and determine whether the implemented security measures appropriately respond to the threats and vulnerabilities identified in the risk analysis according to their risk rating, and whether such security measures are sufficient to mitigate or remediate identified risks to an acceptable level.
Related Documents:
1) Policies and procedures related to risk management
2) Documentation demonstrating the security measures implemented and/or in the process of being implemented as a result of the risk analysis or assessment.
Additional Guidance:
Risk management is the process used to identify and implement security measures to reduce risk to a reasonable and appropriate level within the covered entity based on the covered entity’s circumstances. The measures implemented to comply with this required implementation specification must also allow the covered entity to comply with § 164.306(a) of the Security Standards: General Rules. Covered entities will want to answer some basic questions when planning their risk management process.
Sample questions for covered entities to consider:
- What security measures are already in place to protect EPHI (i.e., safeguards)?
- Is executive leadership and/or management involved in risk management and mitigation decisions?
- Are security processes being communicated throughout the organization?
- Does the covered entity need to engage other resources to assist in risk management?
In general, a covered entity will want to make sure its risk management strategy takes into account the characteristics of its environment including the factors at § 164.306(b)(2). These factors will help the covered entity to determine what potential security measures are reasonable and appropriate for its environment.
Article ID: 435
Created: September 28, 2022
Last Updated: September 28, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/hipaa-risk-management-164-308-a-1-ii-b-435.html