The HIPAA Security Final Rule, reinforced by the HITECH Act, requires every covered entity (CE) and business associate (BA), in accordance with the security standards general rules (§164.306), to have a security management process in place “to implement policies and procedures to prevent, detect, contain, and correct security violations.” Here’s today’s big tip – Know the letter and the intent of the regulations; specifically, in this case, know what is required for Risk Analysis and Risk Management. Here’s how…

The security standards include general requirements to:

  1. Ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) the CE or BA creates, receives, maintains, or transmits
  2. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information
  3. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the privacy rule
  4. Ensure compliance with this law by its workforce

The standards are flexible with regard to approach:

  • CEs and BAs may use any security measures that allow them to reasonably and appropriately implement the standards and implementation specifications, as specified in this law
  • In deciding which security measures to use, a CE or BA must take into account the following factors:
    • The size, complexity, and capabilities of the CE or BA
    • The CE’s or BA’s technical infrastructure, hardware, and software security capabilities
    • The costs of security measures
    • The relative magnitude or levels of risks to ePHI

In applying flexibility, however, the preamble to the Security Rule states, “Cost is not meant to free covered entities from this [adequate security measures] responsibility.”  So, be careful crying poor!

The Security Management Process standard in the Security Rule requires organizations to “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” (45 C.F.R. § 164.308(a)(1).) Risk analysis is one of four required implementation specifications that provide instructions for implementation of the Security Management Process standard.

Section 164.308(a)(1)(ii)(A) states:

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].

As required by the HITECH Act, the Office for Civil Rights has issued final “Guidance on Risk Analysis Requirements under the HIPAA Security Rule” (July 2010). We advise all Covered Entities and Business Associates to review the Final Guidance and become familiar with the applicable standards and implementation specifications.

Contact us for more information or to learn about a tailored Clearwater HIPAA Audit Prep WorkShop™ or the Clearwater HIPAA Audit Prep BootCamp™ series.


Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.