A complete and thorough Risk Analysis requires a good bit of thought and documentation. The exercise is designed to make sure you think through:
- Every place you should be worried about protecting PHI
- Every way your protection scheme could be compromised
- Methods you currently use to protect PHI
- What things you should add or change to protect PHI
- How you will implement what you need to add or change
- How you will manage your protections and monitor that they are being followed
With that in mind, your process and documentation should include the following elements:
- The scope of the analysis must take into account all ePHI, regardless of its source, its location, or the way it is created, received, maintained or transmitted. No matter where or how it exists, it must be included in the analysis and documented as such.
- The locations where PHI is stored, received, maintained or transmitted must be identified and documented.
- Identify and document reasonably anticipated threats to PHI, and any vulnerabilities that, if triggered or exploited by a threat, would create a risk of inappropriate access to or disclosure of PHI.
- Assess and document the security measures currently in place to safeguard PHI, determining whether the measures required by the HIPAA Security Rule are already in place, and confirm that they are configured, monitored and used properly.
- Document all threat and vulnerability combinations, along with the likelihood of each, that may affect the confidentiality, availability and integrity of ePHI.
- Document all potential impacts associated with the exploitation of the identified vulnerabilities.
- Assign risk levels or ratings to all threat and vulnerability combinations.
- Document a list of corrective actions to be performed to mitigate each risk level.
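The elements above amount to building a risk register: one row per ePHI location and threat/vulnerability pair, with the safeguards already present, a likelihood and impact rating, a derived risk level, and the corrective action. The following is an added example (not part of this article or of any HIPAA guidance) that captures those elements in a small Python register. The scoring scheme it uses, a 1 to 3 likelihood times impact product banded into low, medium and high, and the list of required safeguards are assumptions; the sample findings are constructed for illustration.

```python
"""Minimal ePHI risk register: one row per threat/vulnerability combination.

Added example. The likelihood x impact scale and the band thresholds are an
assumed scheme, not something the HIPAA Security Rule prescribes.
"""
from dataclasses import dataclass
from typing import Dict, List

# Assumed qualitative scale; many organisations use 1-5 or other bands.
LEVELS: Dict[str, int] = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Finding:
    """One threat/vulnerability combination at one ePHI location."""
    location: str                  # where ePHI is created, stored or transmitted
    threat: str                    # reasonably anticipated threat
    vulnerability: str             # weakness the threat could trigger or exploit
    controls_in_place: List[str]   # safeguards already present at this location
    likelihood: str                # "low" | "medium" | "high"
    impact: str                    # effect on confidentiality, integrity or availability
    corrective_action: str         # planned mitigation for this row


def risk_score(likelihood: str, impact: str) -> int:
    """Numeric score 1..9 from the two qualitative ratings."""
    return LEVELS[likelihood] * LEVELS[impact]


def risk_rating(score: int) -> str:
    """Band the numeric score; thresholds are part of the assumed scheme."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def build_register(findings: List[Finding]) -> List[dict]:
    """Return register rows ordered highest risk first (stable for ties)."""
    rows = []
    for f in findings:
        score = risk_score(f.likelihood, f.impact)
        rows.append({
            "location": f.location,
            "threat": f.threat,
            "vulnerability": f.vulnerability,
            "controls_in_place": list(f.controls_in_place),
            "score": score,
            "rating": risk_rating(score),
            "corrective_action": f.corrective_action,
        })
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


def missing_safeguards(findings: List[Finding], required: List[str]) -> Dict[str, List[str]]:
    """Per location, which required safeguards no finding records as in place."""
    present: Dict[str, set] = {}
    for f in findings:
        present.setdefault(f.location, set()).update(f.controls_in_place)
    return {loc: sorted(set(required) - ctrls) for loc, ctrls in present.items()}


# Constructed sample findings; locations, controls and ratings are illustrative.
SAMPLE_FINDINGS = [
    Finding("Clinic file server (patient records)", "ransomware",
            "backups kept online only", ["antivirus", "access control"],
            "medium", "high", "add offline, regularly tested backups"),
    Finding("Staff laptops", "device loss or theft",
            "disk not encrypted", ["password login"],
            "medium", "high", "enable full-disk encryption"),
    Finding("Billing portal", "credential guessing",
            "no account lockout", ["access control", "audit logs"],
            "low", "medium", "enable lockout and multi-factor authentication"),
]

# Assumed list of safeguards every ePHI location is expected to have.
REQUIRED_SAFEGUARDS = ["access control", "audit logs", "encryption"]


if __name__ == "__main__":
    for row in build_register(SAMPLE_FINDINGS):
        print(f"{row['rating']:6} {row['score']}  {row['location']}: "
              f"{row['threat']} / {row['vulnerability']} -> {row['corrective_action']}")
    for loc, gaps in missing_safeguards(SAMPLE_FINDINGS, REQUIRED_SAFEGUARDS).items():
        print(f"{loc}: missing {gaps}")
```

Sorting the register by score gives the order in which corrective actions should be scheduled, and `missing_safeguards` covers the separate question of whether each required safeguard is in place at all, which the analysis must answer before likelihood is rated.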
Once your analysis is complete, your process then turns to Risk Mitigation and Management. A description of what that includes can be found in this article.