
Risk assessment

Document assets, identify risks, and get a prioritized report of the issues you need to worry about and how you can fix them.

Where is your business at risk?

If your organization processes or stores ePHI used for diagnosis, treatment, or billing for health conditions, it is governed by HIPAA.  The Security Rule requires regular risk assessments and a risk management framework to be in place.

Conducting a comprehensive risk assessment will allow you to do a full 360 review of your organization. Evaluating all risks together lets you rank them, so you can focus your attention and resources on those that are most critical for your organization.

5 steps to reduce your risk

Define the scope of the risk assessment. Record where ePHI is stored, received, maintained or transmitted in the organization as well as associated workflows, systems, and other assets.

Identify and document reasonably anticipated threats to your operations and vulnerabilities which, if triggered or exploited by a threat, would create a risk of inappropriate access to or disclosure of sensitive information.

Assess and document the security measures an entity uses to safeguard confidential information, whether appropriate security measures are already in place, and if they are configured and used properly.

Assess the likelihood of threats to assets plus how they could impact confidentiality, integrity, and availability. Prioritize these risks and get a plan to address them.

Risk management is a cyclical process. Conducting regular risk assessments provides visibility into current risks, so corrective measures can be taken to keep your organization safe before there is a problem.