What is a Security Risk Analysis?

Whether you are a Covered Entity or a Business Associate, you both must adhere to HIPAA. In fact any entity that accesses, creates, stores, or maintains Protected Health Information must adhere to HIPAA. The starting point is a Security Risk Analysis.

computer_chainsFirst of all what it is NOT, is just a scan of your computer network. A Security Risk Analysis (SRA) is an analysis of what you have in place to protect data, namely your Electronic Protected Health Information (ePHI). This analysis includes your Administrative, Physical, and Technical Safeguards as well as Organizational Requirements, your Policies, Procedures, and Documentation you have in place to protect patient data.

Not only is this a requirement under the Security Rule of 2005, it is a requirement under Meaningful Use – Core Measure “Protect Electronic Health Information”. The Security Rule covers many areas. The Health and Human Services Security Matrix makes it easier to follow because it is divided into sections.


 Administrative Safeguards

Administrative Safeguards is the first section of the HHS Security Matrix that focuses on internal processes, policies, procedures, and security measures that protect electronic health information.

§ 164.308(a)(1)(ii)(A) Risk Analysis; A Risk Analysis of your organizations policies and procedures you currently have in place to protect your ePHI is required to be performed. This process includes Administrative, Physical, and Technical Safeguards you have in place.

§ 164.308(a)(1)(ii)(B) Risk Management; Once you have identified vulnerabilities you are required to put a Risk Management Plan in place to correct those deficiencies.

§ 164.308(a)(1)(ii)(C) Sanction Policy; Your employees are required to understand the sanctions that will be imposed on them should they violate the policies and procedures you have.

§ 164.308(a)(1)(ii)(D) Information System Activity Review; This is how you will monitor your employees and authorized persons or companies that access your ePHI. This process can also detect outside access to your information system. This is commonly known as Audit Logs.

If you would like more information about Aris Medical Solutions 7 Simple-Steps to HIPAA Compliance

call 877.659.2467 or contact us