Risk Management 101 - Planning Your Risk Analysis

Learn more at kirkpatrickprice.com/


Planning Your Risk Analysis


What Does A Complete Risk Analysis Planning Process Look Like?


In this session, we’ll discuss the five key elements of planning a HIPAA risk analysis.


Goal

There are several goals to keep in mind during your organization’s risk analysis. You should aim to create a thorough, complete planning process so that you don’t end up with incomplete results. You should also aim to measure risk rather than strict compliance. Our goal is to teach you the difference between a HIPAA risk analysis and a HIPAA gap analysis. A risk analysis asks, “How much exposure do we have to unauthorized access or disclosure of ePHI? What else do we need to do to reduce risk?” A gap analysis, by contrast, asks, “How are we doing compared to what the regulations require?”

Resources

During the planning process, you should assess your resources by asking: Who will lead the project? Do they have proper experience in conducting risk analyses? Do they have leadership support? Have they reviewed past risk analyses?

Scope

A risk analysis applies to all electronic PHI, whether created, received, maintained, or transmitted. We believe that when assessing scope, you need to think in terms of ePHI processing rather than individual systems. Where does PHI enter and leave your entity? We also believe that creating an ePHI workflow is key to a complete risk analysis. The problem with ranking risks and implementing controls without such a flow is that you may leave gaps between systems.

Information Gathering

There are many places to look when gathering information: the ePHI flow research described above, past and present ePHI projects, information security incidents, interviews with key staff, documentation review, and so on. It may seem obvious, but we’ll say it anyway: document your information gathering. The OCR has indicated in its Security Rule guidance series that entities should document information on ePHI during this information collection phase.

Perspectives

When you’ve completed the planning process, you might wonder: how do we ensure that we’ve accurately captured all of the information we need to properly complete a risk analysis? There are two ways to check yourself: internal and external resources. This is an appropriate time to bring in individuals who aren’t leading the project and present your findings to them. Alternatively, you could engage a third party with the relevant expertise who can help you decide whether you’re ready to conduct the risk analysis.

Download the full webinar to hear Mark Hinely’s case study breakdown and the Q&A portion.

Uploaded on September 15, 2020