The HIPAA Security Rule contains a series of standards to ensure the protection of electronic protected health information. These standards fall into one of three categories: administrative safeguards, physical safeguards, and technical safeguards. One administrative standard is known as the security management process standard. This standard requires covered entities and business associates to “Implement policies and procedures to prevent, detect, contain, and correct security violations.” To implement this standard, an entity must perform a security risk analysis, which is also referred to as a security risk assessment. A security risk analysis (SRA) is “...an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by a covered entity or business associate.”
What is the Purpose of a Security Risk Analysis?
The Security Rule’s administrative safeguards requirements are designed to ensure the protection of the confidentiality, integrity, and availability of electronic protected health information (ePHI). ePHI is any protected health information that is created, stored, transmitted, or received in any electronic format. To account for changes in business practices and changes in the law, organizations should continuously conduct an SRA. According to guidance provided by the Department of Health and Human Services, “The risk analysis process should be ongoing. In order for an entity to update and document its security measures ‘as needed,’ which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed.” The guidance further states that “A truly integrated risk analysis and management process is performed as new technologies and business operations are planned, thus reducing the effort required to address risks identified after implementation.”
What is the Scope of a Security Risk Analysis?
According to guidance issued by the Department of Health and Human Services (HHS), the scope of the risk analysis required by the Security Rule includes potential risks and vulnerabilities to the confidentiality, availability, and integrity of all ePHI that an organization:
Creates;
Receives;
Maintains; or
Transmits
The analysis must assess risks to ePHI in all forms of electronic media. Types of electronic media include hard drives, zip drives, flash drives, SD cards, laptops, smartphones, and other devices on which ePHI is stored or can be accessed. An SRA must take into account all ePHI, regardless of the medium in which it was created, received, maintained, or transmitted, and regardless of its source or location.
What are the Elements of a Security Risk Analysis?
A security risk analysis contains six components:
Collecting Data
Identifying and Documenting Potential Threats and Vulnerabilities
Assessing Current Security Measures
Determining the Likelihood of Threat Occurrence
Determining the Potential Impact of Threat Occurrence
Determining the Level of Risk
Need to show proof of your Security Risk Analysis?
Once you have finalized your audits, please contact [email protected] for proof of your security risk assessment.