We know that HITECH/HIPAA compliance requires covered entities and business associates to proactively manage security risks, but what does that mean in practice? In simple terms, it means that any covered entity or business associate that creates, receives, maintains or transmits ePHI must conduct an accurate and thorough risk analysis (45 CFR 164.308(a)(1)(ii)(A)) and then implement security measures that reduce the risks identified in that exercise to a reasonable and appropriate level, the risk management requirement at 45 CFR 164.308(a)(1)(ii)(B).

Risk Management is a Balancing Act

From a very practical perspective, a completed risk analysis offers a prioritized list of security risks to be addressed with risk mitigation strategies. The classic formula for calculating risk is:

Risk = Impact * Likelihood

First, the organization identifies where ePHI lives and the threats and vulnerabilities that could affect it; each threat/vulnerability pair is a risk. Each risk is then rated according to its potential impact, or "harm", to the confidentiality, integrity or availability of ePHI: Low, Medium, High or Critical. The third step is to evaluate the likelihood that the risk will actually be realized, taking into account the safeguards already in place. Combining the impact and likelihood ratings yields a risk rating for each item, and sorting by that rating produces the prioritized list.

In a world with inherently scarce resources, leadership needs this kind of information to effectively direct design and implementation of risk remediation action plans.

And, of course, every step is thoroughly documented to demonstrate what the organization has done to ensure the security of ePHI. That documentation is itself a Security Rule requirement: it must be retained for six years from its creation or last effective date (45 CFR 164.316(b)(2)(i)), and it is the first thing an investigator or auditor will ask for.

Clearwater Compliance

Clearwater Compliance helps healthcare organizations ensure patient safety and improve the quality of care by safeguarding the confidentiality, integrity and availability of protected health information (PHI).

We have assisted more than 400 customers to operationalize and mature their information privacy, security, compliance and information risk management programs. And in the process, we are raising the bar for safeguarding PHI, protecting millions of Americans and driving real value for the organizations we support and the healthcare industry at large.