What is a risk analysis and risk management plan and why do I need them?

The HIPAA Security Rule requires organizations to conduct a system-wide risk analysis and then keep it updated. Even though it is stated you may conduct a risk analysis every other year or every third year, the Office for Civil Rights (the agency that enforces HIPAA privacy and security violations) recommends annual updates due to technology changes and employee turnover. From the risk analysis, you are required to develop an action plan to mitigate vulnerabilities that pose a threat to the confidentiality, integrity, and availability of protected health information (PHI).

Once you have completed your profile, continue to Step 1 and complete the HIPAA Risk Analysis Questionnaire. If you do not complete this in one session, do not worry; the system will bring you back to where you left off. It is important to answer the questions to the best of your ability.

When you reach the end of the questionnaire, the last question asks whether you want to create the Risk Management Plan. You can say no and come back later in case you are not sure about some of the answers. You must answer all the questions; then you will be able to see the “list” of questions and easily change the ones you need to. Once you are satisfied with your answers, change the answer to "Yes, I want to create the Risk Management Plan". Email support@arismedicalsolutions.com after you have created the Risk Management Plan. One of our security analysts will review your risk analysis to ensure you understood the questions. If they have any questions, they will email you. Then we will ask you to review the Risk Management Plan and approve it. This is a large document and may take several seconds to open. Use the outside scroll bar to scroll down and see more of the page, and use the inside scroll bar to scroll the document.

The first 9 pages contain information about the Risk Management Process. Starting on page 10 is the Risk Analysis and Risk Management summary from the questionnaire.

As you proceed through the “Steps”, you will be asked a series of questions, and you will answer by either uploading your policies (or documents) or generating a policy (or downloading a document). If you choose to upload your own policies, be sure to read the sidebar with information about what the policy is required to contain. If you choose to generate a policy, you will have the opportunity to modify it, if needed. Once you are satisfied with the policy, you will approve it. This process signs and dates the policy.

When there are changes or updates to the HIPAA rules, Aris will update the policies and you will have the opportunity to review the changes and approve them. If you upload your own policies, this feature will not be available to you.

If at any time you have a question or do not understand something, we have a knowledge base for frequently asked questions and we have a support ticketing system. Simply scroll to the bottom of the page and click on the appropriate link. 
