Do you know what a HIPAA Security Risk Analysis entails? Do you know the difference between the Evaluation Standard (§164.308(a)(8)) under the HIPAA Security Administrative section and the HIPAA Security Risk Analysis Standard (§164.308(a)(1)(ii)(A)) under the same section? Do you have an idea of the expertise needed to conduct a HIPAA Security Risk Analysis?
Let’s start with something basic: is the proper term for this topic a Security Risk Analysis or a Security Risk Assessment? Even in the Department of Health and Human Services guidance you can find both terms used to refer to the same activity. Also, if you look at the regulation (§164.308(a)(1)(ii)(A)), it states that covered entities must:
“Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.”
The question remains: what is an accurate and thorough assessment?
Then you look into the Evaluation Standard (§164.308(a)(8)) and find the following wording:
“Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operations changes affecting the security of electronic protected health information, that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart [the Security Rule].”
Both of these standards use different wording, but when you get down to the basics they seem to address the same topic. My point is that conducting a HIPAA Security Risk Analysis is not easy: you have to decipher what to do, what to document, and what is sufficient to protect you from the Government and from actual predators looking to break into your systems to make a buck.
Our recommendation is simple and comes from a phrase I hear from my wife quite often: “let a professional handle it”. So, I look at everything as having two choices:
As it relates to HIPAA Security, I will make it simple for you: