HIPAA Security Rule - RISK ANALYSIS AND RISK MANAGEMENT REQUIREMENTS
Risk analysis and risk management are ongoing processes that provide the covered entity with a detailed understanding of the risks to EPHI and of the security measures needed to manage those risks effectively. The Rule indicates that risk analysis is a necessary tool in reaching substantial compliance with many other standards and implementation specifications. Performing these processes appropriately will ensure the confidentiality, integrity and availability of EPHI, protect against any reasonably anticipated threats or hazards to the security or integrity of EPHI, and protect against any reasonably anticipated uses or disclosures of EPHI that are not permitted or required under the HIPAA Privacy Rule.
What are the Risk Analysis and Risk Management Requirements?
The Security Rule requires covered entities to evaluate risks and vulnerabilities in their environments and to implement policies and procedures to address those risks and vulnerabilities.
- Risk Analysis requires a covered entity to "Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity."
- Risk Management requires a covered entity to "Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level."