HIPAA Regulatory Alert: CMS issues risk analysis and management paper
Paper is sixth in a planned series of seven
The sixth in a planned series of seven HIPAA security rule educational papers deals with risk analysis and risk management. The rule's security management process standard has four required implementation specifications: risk analysis, risk management, sanction policy, and information system activity review. This paper covers the first two.
According to CMS, both risk analysis and risk management are standard information security processes that are critical to a covered entity's security rule compliance efforts. Risk analysis and risk management are considered important to covered entities because those processes "form the foundation upon which an entity's necessary security activities are built," the agency says.
The security rule does not prescribe a specific risk analysis or risk management methodology. Instead, the paper lays out the main concepts behind the two processes and suggests that covered entities use the overall concepts and steps it presents to tailor an approach to their organization's specific circumstances.
Examples of possible risk analysis steps are identifying the scope of the analysis, gathering data, identifying and documenting potential threats and vulnerabilities, assessing current security measures, determining the likelihood of threat occurrence, determining the potential impact of threat occurrence, determining the level of risk, and identifying security measures and finalizing documentation.
Ongoing processes
Once the analysis is complete, potential risk management steps include developing and implementing a risk management plan, implementing security measures, and evaluating and maintaining security measures.
According to CMS, because they are the foundation of a covered entity's security rule compliance efforts, risk analysis and risk management are ongoing processes, not one-time exercises. Performed on a continuing basis, they give covered entities a detailed understanding of the risks to protected health information and of the security measures needed to manage those risks effectively.
"Performing these processes appropriately will ensure the confidentiality, availability, and integrity of protected health information, protect against any reasonably anticipated threats or hazards to the security or integrity of protected health information, and protect against any reasonably anticipated uses or disclosures of protected health information that are not permitted or required under the HIPAA privacy rule," CMS concluded.
Download the HIPAA educational paper at www.cms.hhs.gov/hipaa/hipaa2/education/