The first step in HIPAA Compliance is to conduct a Risk Analysis. Your practice can commission Codex Techworks to conduct a security risk analysis for your practice. The resulting “Security Risk Analysis Report” summarizes the results of the risk assessment process, in which we assess the vulnerabilities that could be exploited by the internal and external threats your practice faces.
The purpose of the risk assessment is to identify situations where Electronic Protected Health Information (“ePHI”) could be disclosed without proper authorization, improperly modified, or made unavailable when needed. This information is subsequently used to examine whether current safeguards are sufficient, and if not, what additional actions are needed to reduce risk to an acceptable level.
The scope of the risk assessment and analysis is limited to the security controls applicable to your practice’s “system environment” relative to its conformance with the Health Information Portability and Accountability Act of 1996 (“HIPAA”) and Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”). Security controls in the areas of policies, procedures, computer hardware and software, patient data, operations, administration, management, information, facility, communication, personnel, and contingency are addressed.
The Risk Analysis is based primarily on the methodologies described in National Institute of Standards and Technology (“NIST”) Special Publication (SP) 800-30 Risk Management Guide for Information Technology Systems (“NIST SP 800-30”) and other documents issued by the U.S. Department of Health and Human Services (“HHS”), as well as other sources.
NIST SP 800-30 outlines a nine-step process for determining the extent of potential threats and the associated risk to your practice. Qualitative and semi-qualitative methodologies will also be used to conduct the Risk Analysis.
As defined in NIST SP 800-66, “An Introductory Resource Guide for Implementing the HIPAA Security Rule,” a risk is the potential impact that a threat can have on the confidentiality, integrity, and availability of ePHI by exploiting a vulnerability. While it is not possible to guarantee that every such risk has been identified, Codex Techworks will identify as many as possible and offer recommendations for remediation.