Though most would agree that risk analysis is an important consideration for any organization, HIPAA covered entities are required to conduct such a risk assessment to ensure compliance with the HIPAA Security Rule. The Security Rule states that covered entities, organizations responsible for the transmission of e-PHI, must “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the organization” (§ 164.308(a)(1)(ii)(A)).
While the necessity of risk assessment is certain, the Security Rule does not specify the frequency with which assessment must occur. Instead, the Rule addresses the breadth of analysis that must be conducted. The Rule indicates some considerations for analysis, which include (but are not limited to) e-PHI within the organization, external sources of e-PHI, and potential threats to information systems that contain e-PHI. The Security Rule recognizes, however, that risk assessment cannot be standardized, because each organization has a unique relationship with e-PHI.
Listed below are the “Elements of a Risk Analysis”, provided by the U.S. Department of Health & Human Services.
The list is intended to aid covered entities in implementing risk analysis methodologies that will best suit their needs.
1. Scope of the Analysis (§ 164.308(a)(1)(ii)(A))
2. Data Collection
3. Identify and Document Potential Threats and Vulnerabilities
4. Assess Current Security Measures
5. Determine the Potential Impact of Threat Occurrence
6. Determine the Level of Risk
7. Finalize Documentation
8. Periodic Review and Updates to the Risk Assessment
LaSalle Consulting Partners, Inc. is familiar with several organizations that can assist with Risk Assessments. We can help in selecting the best firm to suit your needs. We can also help you prepare for an assessment and remediate any technology-related risks that are identified during an assessment. Please contact Frank Zurek at frank.zurek@lpartnersinc.com or call 312-361-3313 for further information.