
HIPAA Security Risk Analysis


All ePHI associated with a covered entity must be protected as specified in the rules and regulations under the HIPAA / HITECH Security Rule defined by the OMNIBUS RULE.


All ePHI associated with a covered entity must be protected as specified in the rules and regulations under the HIPAA / HITECH Security Rule defined by the OMNIBUS RULE. This includes determining whether any vulnerabilities exist in the systems used for managing ePHI that could result in risks to the confidentiality, availability or integrity of this information. In addition, measures must be taken to secure this information against any anticipated threats that can be reasonably predicted from known factors, decreasing the risk to a reasonable level. Security risk analysis is the first step toward achieving this goal, and it helps prevent being sanctioned or fined during HIPAA audits. Given the looming September deadline listed in the OMNIBUS RULE, now is a good time to review and update your risk analysis and risk assessment plan before HIPAA / HITECH goes into effect. The Security Rule does not require that specific methods of analysis be used, as HHS recognizes that different types of analyses are appropriate for different types of covered entities, business associates, and the specifics of the ePHI.

If you are applying for Medicare / Medicaid incentive funds, then you also have to demonstrate compliance with the meaningful use criteria. Meaningful Use Core Measure 15 is concerned with risk analyses. This measure is met by conducting a security risk assessment and correcting any identified weaknesses.

One area that many covered entities fail to attend to is ensuring all updates are installed as they are released. It is the responsibility of the covered entity and any business associates to ensure the most recent version of the software used for risk analyses is being used. While most programs will automatically install updates or send a notification when updates are available, some may not. Software that is not the most recent version may respond to requests for risk analyses based on old definitions and factors. Should this occur, subsequent risk analyses may be based only on factors resulting from old definitions and will not be capable of looking for newer threats. This places covered entities at increased risk of breaches and may result in significant fines during HIPAA audits. Additionally, this may result in failing to meet the objectives of Meaningful Use Core Measure 15, resulting in the inability to pass the required number of meaningful use areas necessary for receiving incentive funds.

It is also crucial that all business associates (BAs) are fully compliant with the Security Rule and conduct regular risk analyses. They must also put corrective action into place to bring risk levels down to what is considered a "reasonable" level. In this case, reasonable would be defined in the BA contract. Similarly, BAs must use the most recent version of software programs so that each risk assessment is based on the newest definitions or factors, increasing the accuracy of the results. Covered entities cannot automatically assume there is a correlation between when updates are released for the software they use and when updates are released for software used by BAs. It is possible that each BA is using a different methodology for conducting risk analyses as well as different software, depending on the functional capacity they provide for the covered entity.

For more info please visit our site: