The Department of Health and Human Services (HHS) requires organizations to conduct a risk analysis as the first step toward implementing the safeguards specified in the HIPAA Security Rule, and ultimately toward achieving HIPAA and HITECH compliance. As required by the HITECH Act, the Office for Civil Rights within HHS has issued final “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”. The guidance does not mandate a specific methodology; instead, it describes nine (9) essential elements that a risk analysis must incorporate, regardless of the methodology employed.
All covered entities (CEs) are required to conduct a risk assessment that identifies risks and determines how to address them, and to perform periodic assessments of how well their security policies and procedures are meeting the requirements of the HIPAA Security Rule.
RISK ANALYSIS – §164.308(a)(1)(ii)(A)
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the organization.