
Risk Analysis

Cited - "healthit.gov"

Did you know that HIPAA requires health care providers to conduct a risk analysis?

 

Two sets of rules were adopted to implement the provisions of HIPAA: the Privacy Rule and the Security Rule. The Privacy Rule applies to all forms of protected health information — oral, written, or electronic. The Security Rule applies only to electronic protected health information (ePHI).

 

Under the Security Rule, covered entities are required to conduct a risk analysis of ePHI exposures. A risk analysis is defined as “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.” A requirement of the Security Management Process standard in the Security Rule states that all covered entities must “implement policies and procedures to prevent, detect, contain, and correct security violations.”

 

Your practice could be at risk for violations of the Security Rule if you:

 

  • have electronic health records;

  • have not conducted a risk analysis; and

  • are audited or investigated for compliance with HIPAA.

 

Contact us today to schedule a Risk Analysis for your practice.
