Our independent review is based on the standard set out at 45 CFR §164.308(a)(1)(ii)(A) of the HIPAA Security Rule and on OCR's Guidance on Risk Analysis Requirements under the HIPAA Security Rule.
The review produces a scorecard against this standard, which is the standard OCR applies in its HIPAA Security Rule enforcement actions (investigations, audits and compliance reviews). Specific recommendations are provided for each of the nine elements of a risk analysis described in the OCR guidance.
This report will enable executives, managers, attorneys and security professionals to reduce the legal, financial and regulatory risks that can result from failing to complete a proper risk analysis. It explains the difference between a risk analysis, a compliance gap assessment and technical testing; provides examples from OCR investigations and settlements of what regulators expect to see in a risk analysis and risk management plan; and discusses the role of attorneys and attorney-client privilege in the risk analysis process.