HHS/OCR has provided final guidance on completing a HIPAA Security Risk Analysis (45 C.F.R. § 164.308(a)(1)). Regardless of the risk analysis methodology employed (and some don't make the grade!), HHS/OCR cites nine (9) essential elements that must be included in your risk analysis. Here's a big tip: check out the Clearwater Risk Analysis ToolKit™!
The Clearwater Risk Analysis ToolKit™ methodology incorporates all essential HHS/OCR-specified elements of a risk analysis and extends beyond these requirements in several areas. Below, the Clearwater Risk Analysis Phases and sub-phases are mapped to the nine (9) HHS/OCR essential elements:
Clearwater Risk Analysis ToolKit™ phases and sub-phases, mapped to the HHS/OCR elements of a Risk Analysis:

Phase 1
- 1.1. Inventory information assets, especially those handling ePHI
- 1.2. Document their present security controls and the criticality of the applications and their data

Our Risk Analysis methodology includes inventory forms and instructions for capturing all relevant details about ePHI.

Phase 2
- 2.1. Identify threats in the environment
- 2.2. Identify vulnerabilities that threats could exploit
- 2.3. Describe the risks based on threat/vulnerability pairings
- 2.4. Identify existing controls
- 2.5. Determine the likelihood that a threat could exploit a vulnerability
- 2.6. Analyze the severity of the impact if the threat were to successfully exploit the vulnerability(s)
- 2.7. Determine and summarize the risk level

In addition to addressing all the HHS/OCR requirements, our Risk Analysis methodology iterates through the risk planning process, taking into account the implementation of controls or safeguards and recalculating risk. Our Risk Analysis methodology facilitates informed decision making about risk management actions. Forms and instructions capture essential documentation throughout the process.

Phase 3
- 3.1. Recommend risk mitigation strategies for each risk
- 3.2. Implement applicable controls to mitigate risk
- 3.3. Determine the residual likelihood that a threat could exploit a vulnerability
- 3.4. Analyze the residual severity of the impact
- 3.5. Determine and report residual risk to senior management

Phase 4
- 4.1. Generate the HIPAA Risk Analysis Executive Summary
- 4.2. Monitor changes in the environment, information systems, and security technology
- 4.3. Update the risk analysis and implement any other controls

Our Risk Analysis methodology includes forms, templates and instructions to create appropriate documentation and management reporting.
The Clearwater HIPAA Security Risk Analysis ToolKit™ includes a robust set of worksheets and templates to help you complete your risk analysis.
As required by the HITECH Act, the Office for Civil Rights has issued final "Guidance on Risk Analysis Requirements under the HIPAA Security Rule" (July 2010). We advise all Covered Entities and Business Associates to review the Final Guidance and become familiar with the applicable standards and implementation specifications.
Please avail yourself of any of these free resources, which you may access now by clicking on the links below:
- Risk Analysis Buyer’s Guide
- Expert 2nd Opinion on Your HIPAA Risk Analysis
- Clearwater Compliance White Paper: Risky Business: How to Conduct a Bona Fide HIPAA Security Risk Analysis
- Clearwater Recorded Webinar event entitled How to Conduct a Bona Fide HIPAA Security Risk Analysis
- IRM|Analysis™- Clearwater’s Risk Analysis and Risk Management software DataSheet
- IRM|Analysis™- Clearwater’s Risk Analysis and Risk Management software Free Trial for qualified organizations
- More Risk Analysis Resources