HIPAA Security Risk Analysis & Mitigation

Risk Analysis is the starting point for a good data risk management strategy. You can’t manage your risks if you don’t know what they are. First you identify your risks and decide what you are going to do about them (analysis). Then you implement your remediation plan to address those risks (mitigation). Security Risk Analysis & Mitigation are required under Federal Law. The HIPAA Final Security Rule specifies 78 safeguards to protect the confidentiality, integrity, and availability of patient data (Protected Health Information, or PHI). A written risk analysis is one of them.


HIPAA Security Risk Analysis

The purpose of a Risk Analysis is to identify your risks and create a plan of action to mitigate them. A well-documented and thorough risk analysis is the critical first step towards protecting sensitive data. It’s no surprise then, that a written security risk analysis is the first document you are asked to produce in an audit by the Department of Health & Human Services Office for Civil Rights, which is the watchdog for HIPAA.

Risk Mitigation

Risk Mitigation means eliminating risks or at least reducing them to an acceptable level. Your risk analysis produced a prioritized plan of action to address the identified risks; risk mitigation is the execution of that plan. You can’t do everything at once, so mitigation occurs over time. For HIPAA compliance, it is important to document the measures you have taken to remediate the risks associated with PHI.