A Risk Analysis is not only a good idea, it is required by law!
What Is A Risk Analysis?
A Risk Analysis is an assessment of the risks and vulnerabilities to any sensitive information that your organization may collect, store, process, transmit, or share with others.
Why Perform A Risk Analysis?
A Risk Analysis may be required by federal or state law, by mandate, or by an organization with which you do business. If your organization deals with sensitive information, you are probably required to perform some level of Risk Analysis.
What Constitutes Sensitive Information?
If you collect, store, process, or transmit information like Social Security Numbers, Credit Card Numbers, Bank Account numbers, health information about an individual, or other non-public information about a person, chances are it represents sensitive information, and a Risk Analysis is a required first step for your organization!
So, Focusing On Health Organizations And The Healthcare Industry
There are very specific mandates and laws regarding the need for companies that deal with health information to conduct a Risk Analysis and associated activities. For example:
HIPAA & HITECH Require Risk Analysis
You may have heard of HIPAA and HITECH. These are federal regulations that affect Covered Entities, Business Associates, and Clearinghouses. Basically, any organization or person providing health-related services, such as a Physician, Hospital, Chiropractor, or even a Dentist Office, is a Covered Entity. Any company those Covered Entities share health information with is a Business Associate. Even insurance companies and their agents need to be aware of HIPAA and HITECH requirements. A foundational requirement of the HIPAA and HITECH laws is that all of these Covered Entities and Business Associates must “Conduct a comprehensive and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all Protected Health Information.”
OCR Guidance on Risk Analysis
The Office of Civil Rights very recently published guidance on Risk Analyses. That guidance clearly states that, “Conducting a risk analysis is the first step in identifying and implementing safeguards that comply with, and carry out, the standards and implementation specifications in the Security Rule. Therefore, a risk analysis is foundational…”. Further, OCR tells us that, “All EPHI created, received, maintained, or transmitted by an organization is subject to the Security Rule. The Security Rule requires entities to evaluate risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of e-PHI. Risk analysis is the first step in that process.” RISC Management and Consulting can help you satisfy this foundational requirement.
Meaningful Use Requirements Include Risk Analysis
Meaningful Use translates to increased payments and reimbursements to Physicians and Hospitals! Requirement number 15 for demonstrating Meaningful Use of an Electronic Health Record tells organizations that they must, “Implement systems to protect the privacy and security of patient data.” Organizations seeking to demonstrate Meaningful Use must, “Conduct or review a security risk analysis and implement security updates as necessary, and correct identified security deficiencies.” Without performing a Risk Analysis and managing the Risk findings, you will not receive Meaningful Use payments! Please visit our Meaningful Use page to learn more.
RISC Management, Your Solution
RISC Management and Consulting was founded by healthcare professionals who understand your business as well as the laws that affect sensitive information. RISC Management can help you do what you are mandated to do, in a timeline that meets your needs, and in a way that is sensitive and understanding of your primary mission: delivering quality healthcare services to your clients in an ethical and profitable way.
RISC Management Delivers
As a part of the Risk Analysis, RISC Management and Consulting will list every requirement of the HIPAA Security Rule, including every Safeguard, Standard, and Implementation Specification, in an understandable format that identifies an organization’s state of compliance with the requirement, the recommended remediation activity, and the associated risk priority. All remediation activities will be listed according to the level of risk they represent to the organization and the sensitive information. Your RISC Analysis Report will be an actionable document that provides both executive-level and in-depth findings appropriate for all audiences, from IT staff to the Board of Directors.