The HIPAA Security Standard § 164.308(a)(1)(ii)(B) requires a covered entity to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level in order to appropriately secure electronic protected health information (ePHI), as part of its risk governance strategy. It is important to note that the HIPAA Security Rule does not require specific security controls to allow the covered entity
One of the most important steps within a HIPAA risk governance program is to test compliance with the HIPAA Privacy & Security Rules. The HIPAA risk assessment process involves conducting an in-depth review and analysis of the organization's policies, procedures and documentation. This exercise requires working together with staff to test their understanding of the requirements against current policies, procedures and controls, and to identify potential gaps in compliance with the HIPAA Privacy & Security Rule requirements.
HIPAA Risk Management steps should include:
The purpose of a HIPAA Risk Management Plan is to provide a framework or structure for the covered entity to evaluate, prioritize and implement appropriate security measures to secure ePHI. The management plan must involve all key decision makers of the covered entity. The Risk Management Plan must outline roles and responsibilities, risk identification, the risk analysis method and process, response and planning, monitoring, reporting and controlling, budgeting, tools and practices for risk management, closing a risk, and lessons learned.
After the HIPAA Risk Management Plan has been developed and approved by all key decision makers, the next step is to formulate a project plan to scope and implement the appropriate administrative, technical and physical security controls necessary to protect ePHI.
The final step in the risk management process is to evaluate and monitor the security measures that have been implemented, to ensure each control in place is appropriately securing ePHI as planned.