A risk analysis is the first step towards HIPAA compliance. A Security Risk Analysis basically identifies what is wrong. HIPAA defines a Risk Analysis as:
An accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].
Risk analysis and risk assessment are sometimes used interchangeably but they are different as defined by HIPAA. A risk analysis is a required step towards HIPAA compliance while a risk assessment is conducted if there is a breach. You conduct a risk assessment after a breach to determine if patients’ protected health information (PHI) has been compromised. This will also determine if you need to implement the HIPAA breach notification.
You don’t need any special tools or qualifications to perform a risk analysis. There are tool available that make the process a lot easier and less time consuming. Any covered entity can choose to perform the risk analysis in-house, if you have the time and expertise to do so.
Regardless of how you conduct your Risk Analysis there are certain elements it must include. Elements of a Risk Analysis are:
Scope Of The Analysis.
Data Collection.
Identify and Document Potential Threats and Vulnerabilities.
Assess Current Security Measures.
Determine the Likelihood of Threat Occurrence.
Determine the Potential Impact of Threat Occurrence.
Determine the Level of Risk.
Finalize Documentation.
Periodic Review and Updates to the Risk Assessment.
No matter how you conduct your Risk Analysis, make sure all the elements above are covered and documented. Conducting a Risk Analysis does not mean you are HIPAA compliant, its only the first step towards compliance.