HIPAA risk analysis is the fulcrum for ePHI protection; yet, the principles enunciated here are general. Healthcare organizations need to select the right standard and implement it to secure their ePHI.
The responsibility for issuing annual guidance on the provisions in the HIPAA Security Rule lies with the Office for Civil Rights (OCR). Each and every ePHI of a healthcare organization is subject to the Security Rule. Since the Security Rule is essentially about securing electronic protected health information (ePHI); the OCR issues guidances which help organizations identify and implement the optimal and best suited physical, technical and administrative protections for ePHI.
The first step in helping organizations towards these goals is conducting a HIPAA risk analysis. It indispensability complying and implementing the standards set out in the Security Rule can be understood from these:
Although the OCR accords primacy to risk analysis; the outstanding feature of this rule is that it does not prescribe a specialized set of standards to each type of ePHI. Rather, it underlines broad set of principles of risk analysis, from which organizations can choose whatever suits them best.
Why the OCR does not prescribe a specific and precise set of HIPAA risk analysis guidelines for each ePHI is that the size, content, depth and variety of these records vary from one organization to another. So, having HIPAA risk analysis as the axis helps organizations use this principle as the basis for securing their ePHI.
Implementing procedures and policies aimed at identifying, preventing and rectifying security violations is a requirement for organizations. HIPAA has four required implementation specifications for giving instructions on implementing the Security Management Process standard, and HIPAA risk analysis is one of them.
Underscoring the importance of HIPAA risk analysis requirement; Section 164.308(a) (1) (ii) (A) states that conducting an exact and comprehensive assessment of the possible risks and susceptibilities that compromise the confidentiality, availability and integrity of an ePHI held by them is essential for healthcare organizations.
Healthcare organizations that carry out HIPAA risk analysis need to approach the subject using the following steps: