HIPAA Security: Risk Analysis and Risk Management

The Security Management Process standard, at 164.308(a)(1)(i) in the Administrative Safeguards section of the Security Rule, requires covered entities to "[i]mplement policies and procedures to prevent, detect, contain, and correct security violations." The Security Management Process standard has four required implementation specifications. Two of these implementation specifications are Risk Analysis and Risk Management.

The required implementation specification at 164.308(a)(1)(ii)(A), for Risk Analysis, requires a covered entity to, "[c]onduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity."

The required implementation specification at 164.308(a)(1)(ii)(B), for Risk Management, requires a covered entity to "[i]mplement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 164.306(a) [(the General Requirements of the Security Rule)]."

Both risk analysis and risk management are standard information security processes and are critical to a covered entity's Security Rule compliance efforts. As stated in the responses to public comment in the preamble to the Security Rule, risk analysis and risk management are important to covered entities since these processes will "form the foundation upon which an entity's necessary security activities are built." (68 Fed. Reg. 8346.)

The Security Rule does not prescribe a specific risk analysis or risk management methodology.

