In a recent HIPAA Security Risk Analysis Tip post, we discussed Recommended Documentation to gather and maintain as part of your Risk Analysis process. Our recommendation is based on the final “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”. One of the documentation items we strongly recommend is the Planned Risk Analysis Completion Date (indicate the month and year when the analysis of a specific information asset will be completed). Here’s today’s big tip – demonstrate good faith effort early and often – make a plan and commit to it! Learn the guidance; here’s how…
A note about “Planned Risk Analysis Completion Date” is appropriate:
Use your Information Asset Inventory worksheet as a planning tool. That is, create a written schedule for conducting detailed risk analyses on each information asset or instance of ePHI. Once you have completed the Information Asset Inventory worksheet, you will likely have a strong sense of which information assets containing ePHI should be assessed first. Prioritize those assets you believe (without the benefit of a detailed analysis) may be at significant risk, would have the greatest adverse effect on the organization if lost or breached, are of greatest importance to the business, or about which very little is known.
How to Prioritize:
Consider ePHI criticality, based on the nature and use of that information, when setting your priorities. Think carefully about the following three questions:
- What would be the impact on the patient or member, the business, business partners, etc., if the ePHI were breached or lost?
- What would be the impact on the business’ operation if the information were no longer available or its accuracy compromised?
- Which information assets or related media are at greatest risk of a breach of confidentiality, integrity and/or availability?
Nine (9) essential elements of an acceptable Risk Analysis are cited in the final “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”. Documentation is one of them!
As required by the HITECH Act, the Office for Civil Rights has issued the final “Guidance on Risk Analysis Requirements under the HIPAA Security Rule” (July 2010). We advise all Covered Entities and Business Associates to review the Final Guidance and become familiar with the applicable standards and implementation specifications.
Please avail yourself of any of these free resources, which you may access now by clicking on the links below:
- Risk Analysis Buyer’s Guide
- Expert 2nd Opinion on Your HIPAA Risk Analysis
- Clearwater Compliance White Paper: Risky Business: How to Conduct a Bona Fide HIPAA Security Risk Analysis
- Clearwater Recorded Webinar event entitled How to Conduct a Bona Fide HIPAA Security Risk Analysis
- IRM|Analysis™- Clearwater’s Risk Analysis and Risk Management software DataSheet
- IRM|Analysis™- Clearwater’s Risk Analysis and Risk Management software Free Trial for qualified organizations
- More Risk Analysis Resources