Welcome Susan Lucci, RHIA, CHPS, CHDS, AHDI-F, Senior Privacy/Security Consultant
Risk analysis and risk management is critical to effectively plan an information security risk management program. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule, CMS HHS Electronic Health Record Incentive Program (Meaningful Use Stages 1, 2 and 3), MACRA Merit-based Incentive Payment System (MIPS), and the Payment Card Industry Data Security Standard (PCI DSS) all require organizations to maintain their information security programs by periodically assessing their information risks, identifying compliance gaps, and correcting security deficiencies as part of their risk management process.
For many organizations, conducting a risk analysis can be a daunting task. Our approach to risk analysis is based upon the guidance from the National Institute of Standards and Technology (NIST) and documents created by the Department of Health and Human Services (HHS) and/or the Centers for Medicare and Medicaid (CMS)
Regardless of the size, each organization is required to comply with HITECH and the HIPAA Security Rule risk analysis requirement. The Rule requires a risk analysis of all applications including bio-medical devices that store ePHI to assess the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the covered entity or business associate, or on behalf of the covered entity or business associate.
Risk analysis is the process of identification of threats, controls, vulnerabilities, and the rating of potential risks so that limited resources (people, time, money) can be applied where most needed.
"compliance based" with the HIPAA Security Rule. Our approach to risk analysis is not found in the HIPAA Security Rule either represent a threat, an area of risk concern, or a control: