One of the first requirements under the HIPAA Security Rule is that organizations and medical practices in Wisconsin must conduct a security risk analysis. Covered entities must conduct a thorough and accurate assessment of the potential vulnerabilities and risks to the integrity, availability, and confidentiality of their electronic protected health information (ePHI).
The Office for Civil Rights (OCR) requires that the risk analysis contain the following items:
- Scope of the Analysis
The scope must include the risks to the integrity, availability, and confidentiality of all ePHI within the organization.
- Data Collection
In addition to the scope, an organization must determine where ePHI is created, stored, received, and transmitted. This must be documented.
- Identify and Document Potential Vulnerabilities and Threats
The security risk analysis must show that the organization can identify and document possible threats to its ePHI.
- Evaluate Current Security Measures
Organizations should evaluate and document the security measures used to safeguard their ePHI (i.e., processes and procedures).
- Determine the Probability of Threat Occurrence
The security risk analysis must address the probability of the threat or risk to ePHI.
- Determine the Probable Effect of Threat Occurrence
Along with the probability of the threat, the Security Rule also requires that the consequences or impact of the potential risk to the ePHI be reviewed.
- Determine the Risk Level
Organizations must include the risk level in their security risk analysis. This should include the assigned risk levels and a list of corrective actions to address each risk.
- Finalize Documentation
While the Security Rule requires the risk analysis to be documented, it does not specify a format.
- Regular Reviews and Updates to the Risk Assessment
The security risk analysis must be ongoing. While the Security Rule does not specify how frequently it should be done, an annual risk assessment is recommended.
Organizations should work with a trusted advisor who can help determine and establish an effective risk analysis program. Contact Acuity Revenue Consulting, your trusted provider of medical consulting in Mequon, Wisconsin, if you have any inquiries or want to discuss your risk analysis options.