Welcome Susan Lucci, RHIA, CHPS, CHDS, AHDI-F, Senior Privacy/Security Consultant
Assessment: A judgment about something based on an understanding of the situation; a method of evaluating performance [high-level]
Analysis: The close examination of something in detail in order to understand it better or draw conclusions from it; the separation of something into its constituents in order to find out what it contains, to examine individual parts, or to study the structure of the whole [detailed]
Source: Encarta Dictionary
Risk analysis: A systematic and ongoing process of identifying threats, controls, vulnerabilities, likelihood (or probability), impact, and an overall rating of risk. If any one of these steps is missing, it is not a risk analysis.
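The definition above is a checklist as much as a description: a register row that lacks any of the named elements is not a completed risk analysis. The following is an added example (not from the original slides or the consultant's own material) showing how a risk register can enforce that rule and produce the overall rating. The 1 to 5 likelihood and impact scales, the Low/Medium/High bands, and the sample register entries are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Scales below are assumptions for this example, not part of the page.
SCALE_MIN, SCALE_MAX = 1, 5


@dataclass
class RiskEntry:
    """One row of a risk register for an asset that holds ePHI.

    Fields follow the definition: threat, controls, vulnerabilities,
    likelihood, impact. None means 'never identified'. An empty list for
    controls means 'examined, and none exist', which is a finding, not an
    omission, so it still counts as a completed step.
    """
    asset: str
    threat: Optional[str] = None
    controls: Optional[List[str]] = None
    vulnerabilities: Optional[List[str]] = None
    likelihood: Optional[int] = None   # 1 = rare .. 5 = almost certain (assumed scale)
    impact: Optional[int] = None       # 1 = negligible .. 5 = severe (assumed scale)


def missing_elements(entry: RiskEntry) -> List[str]:
    """Return the names of required elements that were never identified."""
    required = ("threat", "controls", "vulnerabilities", "likelihood", "impact")
    return [name for name in required if getattr(entry, name) is None]


def overall_rating(likelihood: int, impact: int) -> str:
    """Band likelihood x impact into Low / Medium / High (bands are assumptions)."""
    for value in (likelihood, impact):
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"score {value} outside {SCALE_MIN}..{SCALE_MAX}")
    score = likelihood * impact
    if score <= 5:
        return "Low"
    if score <= 12:
        return "Medium"
    return "High"


def analyze(entry: RiskEntry) -> dict:
    """Rate a complete entry, or flag it as incomplete (not a risk analysis)."""
    missing = missing_elements(entry)
    if missing:
        return {"asset": entry.asset, "complete": False, "missing": missing}
    return {
        "asset": entry.asset,
        "complete": True,
        "score": entry.likelihood * entry.impact,
        "rating": overall_rating(entry.likelihood, entry.impact),
    }


def analyze_register(entries: List[RiskEntry]) -> List[dict]:
    """Analyze every row; incomplete rows are reported rather than silently rated."""
    return [analyze(entry) for entry in entries]


# Constructed sample register (illustrative entries, not real findings).
SAMPLE_REGISTER = [
    RiskEntry(asset="EHR database server",
              threat="Unauthorized access by former workforce member",
              controls=["Role-based access", "Quarterly access review"],
              vulnerabilities=["Accounts not disabled on termination"],
              likelihood=4, impact=5),
    RiskEntry(asset="Clinic laptop",
              threat="Theft of unencrypted device",
              controls=[],                 # examined: no controls in place yet
              vulnerabilities=["Full-disk encryption not enabled"],
              likelihood=None,             # likelihood never estimated -> incomplete
              impact=5),
]

if __name__ == "__main__":
    for result in analyze_register(SAMPLE_REGISTER):
        print(result)
```

The distinction between `None` (step skipped) and an empty list (step done, nothing found) is the part worth copying into a real register template: it is what lets the check tell an unfinished analysis apart from an asset that genuinely has no controls.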
Unfortunately, the federal government and others often use the word "assessment" to mean "analysis," which only adds confusion. This is something we commonly do in language: we refer to any gelatin dessert as "Jello," although it could be a different brand, and we do the same with "Coke" and "Kleenex."
Your first comprehensive security risk analysis should follow a systematic approach that covers all security risks. It should:
Guide to Privacy and Security of Electronic Health Information
(April 2015, pages 41 and 42)
HIPAA Security Rule - §164.308(a)(1)(ii)(A) Risk analysis (Required)
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity [or business associate].