Save on compliance and spend at thanksgiving!
Use coupon code TURKEY20 for 20% off.


Talk to us

Subscribe for Newsletters
HIPAA Risk Management

The HIPAA Security Standard § 164.308(a)(1)(ii)(B) requires a covered entity to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to appropriately security electronic protected health information (ePHI), as part of its risk governance strategy. It is important to note that the HIPAA Security Rule does not require specific security controls to allow the covered entity

Risk Assessment

One of the most important steps within a HIPAA risk governance program is to test compliance with the HIPAA Privacy & Security Rules. The HIPAA risk assessment process involves conducting an in-depth review and analysis of policies, procedures and documentation within the organization. This exercise requires working together with staff to test their understanding of the requirements with current policies, procedures and controls to assess potential compliance gaps of the HIPAA Privacy & Security Rule requirements.

HIPAA Risk Management steps should include:

  • Developing and implementing a risk management plan
  • Implementing appropriate controls and measures to secure electronic protected health information (ePHI)
  • Review and maintenance of the chosen security controls and measures

Developing a risk management plan

The purpose of a HIPAA Risk Management Plan is to provide a framework or structure for the covered entity to evaluate, prioritize and implement appropriate security measures to secure ePHI. The management plan must involve all key decision makers of the covered entity. The Risk Management Plan must outline roles and responsibilities, risk identification, risk analysis method and process, response and planning, monitoring, reporting, and controlling, budgeting, tools and practice for risk management, closing a risk and lessons learned.

Implementing Security Controls

After the HIPAA Risk Management Plan has been developed and approved by all key decision makers, the next step is to formulate a project plan to scope and implement the appropriate administrative, technical and physical security controls necessary to protect ePHI.

Evaluate and Maintain Security Measures

The final step in the risk management process is to evaluate and monitor the security measures that have been implemented to ensure each control in place is appropriate securing ePHI, as planned.

Questions? Call one of our HIPAA experts today at 1-800-262-8146