The Security Rule requires covered entities and their business associates to implement appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). It also requires each organization to conduct a Security Risk Analysis and to review and update it periodically; MACRA MIPS turns that periodic review into an annual requirement. The risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications of the Security Rule.

The HIPAA Security Risk Assessment (HIPAA SRA) is an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI an organization creates, receives, maintains, or transmits. In its Guidance on Risk Analysis, OCR lays out nine elements that a risk analysis must include:

  • Scope of analysis
  • Data collection
  • Identify and document potential threats and vulnerabilities
  • Assess current security measures
  • Determine the likelihood of threat occurrence
  • Determine the potential impact of threat occurrence
  • Determine the level of risk
  • Finalize documentation
  • Periodic review and updates to the risk analysis

The HPS Solution

As part of our extensive HIPAA compliance program, HPS Solutions’ experienced healthcare consultants partner with our clients and their information technology support vendors to conduct the annual HIPAA SRA. The initial analysis serves as the baseline for the subsequent annual reviews required to maintain compliance with both HIPAA and MACRA MIPS.