45 CFR §164.308(a)(1)(ii)(a): "Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity."
45 CFR §164.308(a)(1)(ii)(b): "Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with the HIPAA Security Rule."
However, many healthcare organizations have not completed such an assessment. And while enforcement of these requirements may have been slow to take shape, the Office for Civil Rights (OCR) is now aggressively pursuing HIPAA violations, and penalties are steep.
How Can We Help?
Coastal Network performs HIPAA Risk Assessments in accordance with the Security Rule administrative safeguards, 45 CFR §164.308(a)(1), and incorporates the provisions of the HIPAA Security Rule.
Coastal Network's HIPAA Risk Assessment is a technical and non-technical review to identify threats and vulnerabilities relevant to your organization. Our HIPAA Risk Assessment report includes tailored recommendations to ensure the confidentiality, integrity and availability of your protected health information (PHI).
When working with Coastal Networks, you will be able to maintain regulatory compliance while strengthening overall security and lowering the risk of a PHI breach.
Coastal Network's HIPAA Risk Assessment Process
Step 1: Conduct Risk Analysis
A comprehensive on-site Risk Analysis will be conducted that involves identifying risks and vulnerabilities to the confidentiality, integrity and availability of ePHI in your office. The risk analysis will be performed following industry best practice standards as described by HHS, NIST, ISACA, HIMSS and AHIMA, covering administrative, physical and technical safeguards. The Risk Assessment will include a risk score for measurement, along with executive summaries and detailed reporting.
Step 2: Risk Management Plan
Based on the Risk Assessment, the risk management plan includes the implementation of security measures that reduce risk to reasonable and appropriate levels and protect against any reasonably anticipated threats, hazards, or disclosures of ePHI. The purpose of a Risk Management Plan is to provide structure for the evaluation, prioritization, and implementation of risk-reducing measures and controls. Prioritization and mitigation decisions are made by determining which controls and measures should be implemented, and in what order, based on their risk scores.
Step 3: Implementation
The implementation component of the risk management plan may vary based on the circumstances. Compliance with the Security Rule requires financial resources, management commitment, and workforce involvement. Cost is one of the factors we must consider when determining the measures and controls used to fix an issue. However, cost alone is not a valid reason for choosing not to implement security measures that are reasonable and appropriate.
Step 4: Monthly Risk Profile
The final step in the risk management process is to continue evaluating and monitoring the risk mitigation measures implemented. Risk analysis and risk management are not one-time activities; they are dynamic processes that must be periodically reviewed and updated. Our risk profile is performed monthly to identify and prioritize risks to ePHI.