What Does A Complete Risk Analysis Planning Process Look Like?
Why are we spending time on three separate sessions about risk analysis? A formal risk analysis is required under the Security Rule, it’s something organizations consistently struggle with, and it has benefits beyond meeting the Security Rule requirement. Let’s get started.
In this session, we’ll discuss the five key elements of planning a HIPAA risk analysis.
- Goal: Keep several goals in mind during your organization’s risk analysis. Aim for a thorough, complete planning process so that you don’t end up with incomplete results, and aim to measure risk rather than strict compliance. That distinction is the difference between a HIPAA risk analysis and a HIPAA gap analysis. A risk analysis asks, “How much exposure do we have to unauthorized access or disclosure of ePHI? What else do we need to do to reduce risk?” A gap analysis asks, “How are we doing compared to what the regulations require?”
- Resources: During planning, assess your resources by asking: Who will lead the project? Do they have experience conducting risk analyses? Do they have leadership support? Have they reviewed past risk analyses?
- Scope: The risk analysis applies to all ePHI your organization creates, receives, maintains, or transmits. When assessing scope, think in terms of ePHI processing rather than individual systems: where does ePHI enter and leave your entity? Creating an ePHI workflow (a map of how ePHI moves between people, systems, and outside parties) is key to a complete risk analysis. If you rank risks and implement controls system by system without such a flow, you may leave gaps between systems, such as a transmission or an intermediary that no single system owner assesses.
- Information Gathering: There are many places to look when gathering information: the ePHI flow research, past and present ePHI projects, information security incidents, interviews with key staff, documentation review, and so on. It may seem obvious, but we’ll say it anyway: document your information gathering. OCR has indicated in its security series that entities should document information on ePHI during this collection phase.
- Perspectives: When you’ve completed the planning process, you might wonder: How do we ensure that we’ve accurately captured all of the information we need to complete a risk analysis properly? There are two ways to check yourself: internal and external resources. This is an appropriate time to bring in people who aren’t leading the project and present your findings to them. Alternatively, engage a third party with expertise who can help you decide whether you’re ready to conduct the risk analysis.
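To make the scope point concrete, here is an added example (not from the webinar or its presenter) of how an ePHI workflow exposes gaps that a system-by-system inventory misses. The entity, its systems, the hops between them, and which items were assessed or ranked are all constructed for illustration; none of it describes a real organization.

```python
"""Compare an ePHI workflow against a system-centric risk inventory.

Added illustration, not code from the webinar. All systems, hops and
assessment records below are constructed sample data for a hypothetical
covered entity.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Hop:
    """One movement of ePHI from a source to a destination."""
    src: str
    dst: str
    channel: str  # how the ePHI moves (constructed label)


# Constructed ePHI workflow: where ePHI enters, moves between systems,
# and leaves the hypothetical entity.
EPHI_FLOW = [
    Hop("patient", "patient portal", "web form"),
    Hop("patient portal", "EHR", "HTTPS API"),
    Hop("EHR", "billing system", "nightly batch export"),
    Hop("billing system", "clearinghouse", "claims upload"),
    Hop("EHR", "radiology PACS", "HL7 feed"),
    Hop("EHR", "fax server", "outbound fax"),
    Hop("fax server", "referring clinic", "fax"),
]

# Systems the entity operates (everything else is a person or outside party).
INTERNAL_SYSTEMS = {
    "patient portal", "EHR", "billing system", "radiology PACS", "fax server",
}

# What the system-centric assessment actually covered (constructed).
ASSESSED_SYSTEMS = {"patient portal", "EHR", "billing system", "radiology PACS"}

# Transmissions whose risk was explicitly ranked, as (src, dst) pairs.
RANKED_HOPS = {
    ("patient portal", "EHR"),
    ("EHR", "billing system"),
    ("EHR", "radiology PACS"),
}


def boundary_hops(flow, internal):
    """Hops where ePHI enters or leaves the entity: exactly one endpoint is internal."""
    return [h for h in flow if (h.src in internal) != (h.dst in internal)]


def unassessed_systems(flow, internal, assessed):
    """Internal systems that appear in the workflow but were never assessed."""
    seen = {h.src for h in flow} | {h.dst for h in flow}
    return sorted((seen & internal) - assessed)


def unranked_hops(flow, ranked):
    """Transmissions the workflow shows but the risk ranking never considered."""
    return [h for h in flow if (h.src, h.dst) not in ranked]


def gap_report(flow=EPHI_FLOW, internal=INTERNAL_SYSTEMS,
               assessed=ASSESSED_SYSTEMS, ranked=RANKED_HOPS):
    """Summarise the gaps between the workflow and the system-centric inventory."""
    return {
        "entry_exit_points": boundary_hops(flow, internal),
        "unassessed_systems": unassessed_systems(flow, internal, assessed),
        "unranked_hops": unranked_hops(flow, ranked),
    }


if __name__ == "__main__":
    report = gap_report()
    print("ePHI enters/leaves the entity at:")
    for h in report["entry_exit_points"]:
        print(f"  {h.src} -> {h.dst} via {h.channel}")
    print("Systems in the flow but never assessed:", report["unassessed_systems"])
    print("Transmissions never ranked:")
    for h in report["unranked_hops"]:
        print(f"  {h.src} -> {h.dst} via {h.channel}")
```

Run against the sample data, the report shows the fax server (an internal system the inventory skipped) and four transmissions, including every hop that crosses the entity boundary, that no system owner ranked. That is the kind of gap between systems the workflow exercise is meant to surface; in practice the flow would be built from the interviews and documentation review described under Information Gathering.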
Download the full webinar to hear Mark Hinely’s case study breakdown and the Q&A portion. Contact us today for more information on risk management.