Purpose
To establish guidelines for risk analysis and management of ePHI. Risk management is an ongoing process to determine the value of assets and the corresponding exposure to threats and vulnerabilities. Information produced during the risk assessment will be utilized to determine and manage countermeasures critical for assurance of our ePHI resources.
Scope
NCSA Health Care Component and ACHE
Standards
Frequency
Every two years
Exception: a substantial change to the environment requires a new impact analysis
Exception: a security incident that warrants reevaluation of risks
Risk analysis (RA) components
Asset identification
Data criticality analysis
Threat assessment
Risk determination
Mitigation strategy
Records of RA changes retained for the past 6 years, or since program inception if the program is younger than that
Process
Conduct the risk analysis (RA)
Submit findings to the Security Office within 30 days; the Security Office forwards them to the HIPAA officers
Work with the Security Office to remediate identified vulnerabilities and reduce risk within 90 days
If remediation within 90 days is not feasible, request an exemption in writing; the exemption must be approved by both the Security Office and the HIPAA officer
Document all remediation activities
Submit the remediation plan to the Security Office, which forwards it to the HIPAA officers