The risk analysis process should be ongoing. In order for an entity to update and document its security measures "as needed," which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed. (45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii).) The Security Rule does not specify how frequently to perform risk analysis as part of a comprehensive risk management process. The frequency of performance will vary among covered entities. Some covered entities may perform these processes annually or as needed (e.g., bi-annual or every 3 years) depending on circumstances of their environment.
(Source: HHS.gov Guidance on Risk Analysis)
According to the HHS:
Risk analysis is the first step in an organization's Security Rule compliance efforts. Risk analysis is an ongoing process that should provide the organization with a detailed understanding of the risks to the confidentiality, integrity, and availability of e-PHI.
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (e-PHI) held by the covered entity.
(Source: HIPAA Security Rule, §164.308(a)(1)(ii)(A) Risk Analysis)
By assessing your Active Directory and Windows file systems for risks, you will be better prepared to document your findings and discover risks to your facility's e-PHI.
Get a free trial of DSRAZOR for Windows today!
We'll make sure you can take advantage of everything DSRAZOR has to offer.
Our rapid-response support team can assist with any questions you may have.
Need more? Just ask! We'll create a custom solution that fits your needs.