Rightly or not, the Office for Civil Rights (“OCR”) has focused a great deal of attention on conducting periodic security risk analysis. OCR has focused so much on risk analysis that there is a common misperception in the industry that a risk analysis is the primary task needed to be “HIPAA Compliant” and secure PHI. In actuality, conducting a risk analysis is only the first step in the risk management process. An effective risk analysis includes findings, risks, and recommendations. The output of a risk analysis is a risk management plan, which is essentially a roadmap for what needs to be done to remediate the risks identified. Progression through the risk management plan is the critical next step after a risk analysis is completed.
The development of the risk management plan takes the risks identified and recommended remediation activities, and produces a step-by-step plan.
Key decision makers should be included in the development of the plan. The plan should also identify who is responsible for each key duty and a targeted completion date for each. The development and implementation of the safeguards should be a critical piece of this risk management plan, but a monitoring or analysis component to determine the effectiveness of each newly implemented safeguard should also be included. A risk management plan is a living document which should be consistently updated as remediation occurs and new risks are identified.
The important thing to keep in mind is that conducting a risk analysis is not the end of the HIPAA story; rather it is just the first chapter. It should be followed by the development and progression through a risk management plan to remediate the risks identified and better secure protected health information.