With constant advances in health information technology comes the constant need to maintain and secure e-PHI within any healthcare organization. The "Security Standards for Protection of Electronic Protected Health Information," better known as HIPAA's "Security Rule," requires organizations to implement policies and procedures to prevent, detect, contain and correct security violations. Completing a risk analysis is the first step in implementing the Security Management Process standard.
A risk analysis is a process in which the healthcare organization identifies the e-PHI that it generates, maintains, receives and/or transmits. The risk analysis should also identify and analyze any internal sources that could generate, maintain, receive or transmit e-PHI, such as software programs, portable devices, hardware, interfaces and patient check-in desks, as well as external sources, such as hardware, vendors and consultants. Once all devices, programs and individuals have been identified, the healthcare organization needs to assess the likelihood of the potential risks and vulnerabilities to those systems, whether human, natural or environmental threats, that could compromise the integrity of the e-PHI within the organization. The organization must then document each affected area and the impact of a potential breach, along with the corrective actions to be performed to mitigate the risk.
A risk analysis should be conducted and reassessed at least annually. In addition, a risk analysis should be completed when an organization has a change in ownership, turnover in staff, or makes changes to its current technology. To request a quote on a risk analysis, please contact Jason Eding at 314-881-5252 / jeding@precisionpractice.com or Wayne Schiermeyer at 314-881-5225 / wschiermeyer@precisionpractice.com.