(ii) Implementation specifications:

 (B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).

Tell Me More:

The Risk Management implementation specification requires covered entities to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.

Security professionals generally define risk management as a process for identifying, selecting, and implementing controls, countermeasures, reporting, and verification to achieve an appropriate level of risk at an acceptable cost. Effective risk management requires leadership and accountability; without these two attributes, a risk management exercise generally fails.

Someone must be accountable and have the ability to make complex and often difficult decisions. This individual will ultimately determine what level of threat and risk is appropriate and acceptable. This individual is also generally able to allocate resources for achieving the target levels.

