HIPAA & HITECH Part 3: Assessments & Risk Analysis

Privacy and Security Assessments and Risk Analysis processes are administrative safeguards mandated by HIPAA/HITECH. The private and secure management of PHI requires mapping out how PHI/ePHI moves into and through various departments and divisions, how PHI/ePHI is used and disclosed by each department and division, and plans for protection of PHI/ePHI in various types of catastrophic events. Documentation derived from these assessments and analyses is essential to a viable Compliance Plan and some of the first documents likely to be requested for review in an OCR audit. In 5 Sections, Part 3 provides guidelines for conducting:

1. Privacy Assessments - Section 1
2. Security Assessments - Section 2
3. Risk Analysis - Section 3

Part 3 also provides guidelines for incorporating the data derived from these processes into its documented Compliance Plan (Sections 4 and 5). Documentation developed from Part 3 can be produced at OCR audits to demonstrate HIPAA/HITECH Compliance efforts.

• Anyone responsible for creating and implementing a HIPAA and HITECH compliance plan within their organization