Completed a Risk Analysis...Now What?

by Adam Bullian | Jun 12, 2018 | Risk Analysis

Rightly or not, the Office for Civil Rights (“OCR”) has focused a great deal of attention on conducting periodic security risk analysis. OCR has focused so much on risk analysis that there is a common misperception in the industry that a risk analysis is the primary task needed to be “HIPAA compliant” and secure PHI. In actuality, conducting a risk analysis is only the first step in the risk management process. An effective risk analysis includes findings, risks, and recommendations. The output of a risk analysis is a risk management plan, which is essentially a roadmap for what needs to be done to remediate the risks identified. It is the progression through the risk management plan that is the critical next step after a risk analysis is completed.

The development of the risk management plan takes the risks identified and the recommended remediation activities and produces a step-by-step plan.

Key decision makers should be included in the development of the plan. The plan should also state who is responsible for each key duty and a targeted completion date for each. The development and implementation of the safeguards should be a critical piece of this risk management plan, but a monitoring or analysis component to determine the effectiveness of each newly implemented safeguard should also be included. A risk management plan is a living document that should be consistently updated as remediation occurs and new risks are identified.

The important thing to keep in mind is that conducting a risk analysis is not the end of the HIPAA story; rather, it is just the first chapter. It should be followed by the development of, and progression through, a risk management plan to remediate the risks identified and better secure protected health information.
