The HIPAA Security Rule requires organizations to conduct a system wide risk analysis and then maintain updates. Even though it is stated you may conduct a risk analysis every other year or every third year, the Office for Civil Rights (the agency that enforces HIPAA privacy and security violations) recommends annual updates due to technology changes and employee turnover. From the risk analysis you are required to develop an action plan to mitigate vulnerabilities that pose a threat to the confidentiality, integrity, and availability of protected health information (PHI).
If you participate in MIPS, this is an annual requirement.
Once you have completed your profile, continue to Step 1 and complete the HIPAA Risk Analysis Questionnaire. If you do not complete this in one session, do not worry, the system will bring you back where you left off. It is important to answer the questions to the best of your ability.
Once you complete the questionnaire, the last question asked if you want to create the Risk Management plan. You can say no and come back in case you are not sure about some of the answers. You must answer all the questions, then you will be able to see the “list” of questions and easily change which ones you need to. Once you are satisfied with your answers, change the answer to "Yes, I want to create the Risk Management Plan". Email email@example.com after you have created the Risk Management Plan. One of our security analysts will review your risk analysis to ensure you understood the questions. If they have any questions, they will email you. Then we will ask you to review the Risk Management Plan and approve. This is a large document and may take several seconds to open. Using the outside scroll bar, you may scroll down to see more of the page, use the inside scroll bar to scroll the document.
The first 9 pages are information about the Risk Management Process, starting on page 10 is the Risk Analysis and Risk Management summary from the questionnaire.
As you proceed through the “Steps”, you will be asked a series of questions and you will answer by either uploading your policies (or documents) or generating a policy (or downloading a document). If you choose to upload your own policies, be sure to read the side bar with information about what the policy is required to contain. If you choose to generate a policy you will have the opportunity to modify it, if needed. Once you are satisfied with the policy, then you will approve it. This process signs and dates the policy.
When there are changes or updates to the HIPAA rules, Aris will update the policies and you will have the opportunity to review the changes and approve them. If you upload your own policies, this feature will not be available to you.
If at any time you have a question or do not understand something, we have a knowledge base for frequently asked questions and we have a support ticketing system. Simply scroll to the bottom of the page and click on the appropriate link.