In a recent HIPAA Security Risk Analysis Tip post, we discussed Recommended Documentation to gather and maintain as part of your Risk Analysis process. Our recommendation is based on the final “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”. One of the documentation items we strongly recommend is the Planned Risk Analysis Completion Date (indicate the month and year when the analysis will be completed for a specific information asset). Here’s today’s big tip – demonstrate good faith effort early and often – make a plan and commit to it! Learn the guidance; here’s how…


A note about “Planned Risk Analysis Completion Date” is appropriate: 

Use your Information Asset Inventory worksheet as a planning tool. That is, create a written schedule for conducting detailed risk analyses on each information asset or instance of ePHI. Having completed the Information Asset Inventory worksheet, you will likely have a strong sense of which information assets containing ePHI should be assessed first. Prioritize those assets that you believe (without the benefit of a detailed analysis) meet any of the following:

  1. They may be at significant risk.
  2. They would have the greatest adverse effect on the organization if lost or breached.
  3. They are of greatest importance to the business.
  4. Very little is known about them.

How to Prioritize:

Consider ePHI criticality, based on the nature and use of that information, when setting your priorities. Think carefully about the following three questions when setting your priorities:

  1. What would be the impact on the patient or member, the business, business partners, etc., if the ePHI were breached or lost?
  2. What would be the impact on the business’ operation if the information were no longer available or its accuracy compromised?
  3. Which information assets or related media are at greatest risk of a breach of confidentiality, integrity and/or availability?

Nine (9) essential elements of an acceptable Risk Analysis are cited in the final “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”. Documentation is one of them!

As required by the HITECH Act, the Office for Civil Rights has issued final “Guidance on Risk Analysis Requirements under the HIPAA Security Rule” (July 2010). We advise all Covered Entities and Business Associates to review the Final Guidance and become familiar with the applicable standards and implementation specifications.

Contact us for more information or to learn about a tailored Clearwater HIPAA Audit Prep WorkShop™ or the Clearwater HIPAA Audit Prep BootCamp™ series.



Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.