Completed a Risk Analysis...Now What?

Next Steps After Risk Analysis

Rightly or not, the Office for Civil Rights ("OCR") has focused a great deal of attention on conducting periodic security risk analyses. OCR has focused so much on risk analysis that there is a common misperception in the industry that a risk analysis is the primary task needed to be "HIPAA compliant" and to secure PHI. In actuality, conducting a risk analysis is only the first step in the risk management process.

Creating Your Roadmap

An effective risk analysis includes findings, risks, and recommendations. The output of a risk analysis is a risk management plan, which is essentially a roadmap for what needs to be done to remediate the risks identified. Progressing through that risk management plan is the critical next step after a risk analysis is completed.

Development of Risk Management Plan

The development of the risk management plan takes the risks identified and the recommended remediation activities and produces a step-by-step plan. Key decision makers should be included in the development of the plan. It should also identify who is responsible for each key duty and a targeted completion date for each task. The development and implementation of the safeguards should be a critical piece of this risk management plan, but a monitoring or analysis component to determine the effectiveness of each newly implemented safeguard should also be included. A risk management plan is a living document which should be consistently updated as remediation occurs and new risks are identified.

The important thing to keep in mind is that conducting a risk analysis is not the end of the HIPAA story; rather it is just the first chapter. It should be followed by the development and progression through a risk management plan to remediate the risks identified and better secure protected health information.
