Risk Analysis is only an IT risk analysis: A thorough Risk Analysis (RA) examines the threats and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information (EPHI) held by an organization. It looks at EPHI stored in computer systems (data at rest) and EPHI flowing in and out of the corporate network (data in motion). RA seeks to determine the level of risk to the data, taking into consideration the likelihood of occurrence of potential threats and their adverse impact on the business. The combination of a high probability of threat occurrence and a significant adverse impact leads to a higher degree of risk.
RA examines the administrative, physical and technical safeguards that the organization has in place to ensure the security of EPHI. It covers the people, policies, processes and technology in place and helps healthcare organizations identify and address gaps in their EPHI security.
Risk Analysis is a one-time event: Organizations change over time. Technology is constantly updated, people leave, new employees join, and so on. RA needs to be conducted or reviewed on a regular basis, preferably annually, and certainly when major changes occur within an organization. Such changes include updating security measures, implementing new policies and completing additional security training for staff.
Risk Analysis is the responsibility of the IT department alone: RA should involve IT personnel as well as senior management. One person, preferably in senior management, should be named the Chief Security Officer and be held accountable for all EPHI security and compliance activities.
Risk Analysis is optional: RA is a required implementation specification under the Security Management Process standard of the HIPAA Security Rule. It is also a Core Measure under the Meaningful Use attestation process.
Regardless of whether it is required by law or not, conducting a thorough risk analysis lays a strong foundation for the data security of any business.