Risk analyses help organizations understand where ePHI lives and who can access it, understand the threats and vulnerabilities in the environment, evaluate the effectiveness of the security measures already in place, and identify risks to ePHI and to patient safety. They should be conducted or reviewed at least annually and revisited any time there is a material change in the environment (new systems, new vendors, a merger, a move to the cloud).
Some organizations have internal risk management teams that perform regular risk analyses but engage a third party in alternate years for an objective view of their risk exposure. Others rely on a third party for the annual risk analysis itself. Either way, a covered entity's (CE's) risk analysis should cover the full environment in which ePHI is created, stored, or transmitted, including medical devices, and should address vendor (third-party) risk.
Business associates (BAs) must comply with the HIPAA risk analysis requirement in their own right, but they also need to meet the obligations their customers impose in business associate agreements, and a current risk analysis lets them demonstrate their security posture and improve their competitive position in the market. Both CEs and BAs need to be able to produce evidence that a risk analysis was performed, to demonstrate due diligence in the event of a data breach or an OCR audit. Failure to conduct an adequate risk analysis is one of the most common findings in OCR audits.