What is a Security Risk Analysis?

The HIPAA Security Rule is divided into sections: Administrative Safeguards, Physical Safeguards, Technical Safeguards, Organizational Requirements, Policies, Procedures and Documentation Requirements. Each of these areas must be addressed during a risk analysis. A thorough risk analysis is more than just a scan of your IT network. 75% of the security rule is policies and procedures, only 25% covers the technical aspects.

HIPAA requires covered entities and business associates to assign a HIPAA Security Officer that will be responsible for creating, implementing, and enforcing the HIPAA security policies and procedures. This responsibility should not be taken lightly because it comes with guidelines that must be followed under state and federal laws. This is not a one-person job; it is everyone’s responsibility to safeguard patient information. In fact, criminal charges can be brought against anyone who violates HIPAA for monetary gain.

The HIPAA security officer may choose to form a team to assist with the risk analysis, this may include their IT vendor, a member from each department, and of course management.  Most organizations choose to work with a company that specializes in HIPAA security since it is difficult to uncover vulnerabilities that you did not know existed.

The purpose of conducting a risk analysis is to determine if ePHI is at risk of being altered, destroyed, or accessed by unauthorized person(s). Patient data is very valuable on the black market and thus being targeted. Any organization that has access to patient data is a target. It is critical that medical practices fully vet all business associates because they could be the gateway to your patient data. Remember the Target Breach? Hackers gained access through a vendor. When conducting a risk analysis, all organizations must map the flow of data in and out of their organization. Aris is here to help those organizations who take HIPAA Compliance seriously. Compliance has never been an option, but many organizations simply do not understand what is really required. We can guide you through the process and educate your staff in protecting patient data.

Click here to learn more how we can work together and get HIPAA compliant