Risk Analysis & Risk Management Policy

5. Procedures

1. RISK ANALYSIS PROCESS

1.1 Asset Inventory: Identify and document all systems, applications, and locations where ePHI is created, received, maintained, or transmitted. Include hardware (servers, workstations, laptops, mobile devices, fax machines, copiers), software (EHR, PM, patient portal, email, cloud services), and physical locations (server rooms, file storage, off-site storage).

1.2 Threat Identification: Identify and document all reasonably anticipated threats to each asset. Consider natural threats (floods, earthquakes, power outages), human threats (unauthorized access, hackers, disgruntled employees, social engineering), and environmental threats (HVAC failure, water damage, fire).

1.3 Vulnerability Identification: For each asset, identify vulnerabilities that could be exploited by identified threats. Review current security measures in place and their effectiveness. Sources include system logs, prior risk assessments, vendor security bulletins, and workforce interviews.

1.4 Current Controls Assessment: Document existing safeguards (administrative, physical, and technical) that protect ePHI. Evaluate the effectiveness of each control.

1.5 Likelihood Determination: For each threat-vulnerability pair, estimate the probability that the threat will exploit the vulnerability given current controls. Use a consistent scale: High (likely to occur within the next year), Medium (possible within the next year), Low (unlikely within the next year).

1.6 Impact Analysis: Determine the potential impact if a threat successfully exploits a vulnerability. Consider impact to patient care, financial loss, reputational harm, and regulatory penalties. Use a consistent scale: High (major disruption, significant data loss, or harm to patients), Medium (moderate disruption or limited data exposure), Low (minimal disruption, no data exposure).

1.7 Risk Determination: Calculate the risk level for each threat-vulnerability pair by combining likelihood and impact ratings. Document all findings in the Risk Register.

2. RISK MANAGEMENT PROCESS

2.1 For each identified risk rated Medium or High, the Security Officer shall determine the appropriate response: mitigate (implement additional safeguards), accept (document the business justification for accepting the risk), transfer (shift risk via insurance or business associate agreements), or avoid (eliminate the activity that creates the risk).

2.2 Develop a remediation plan for all risks to be mitigated. Each remediation item must include: the specific safeguard to be implemented, the responsible party, the target completion date, and the expected residual risk level after implementation.

2.3 Implement approved remediation actions within the documented timeframe.

2.4 After implementation, re-evaluate the risk level to confirm the residual risk is at an acceptable level.

3. DOCUMENTATION AND REVIEW

3.1 Maintain all risk analysis and risk management documentation for a minimum of six (6) years from the date of creation or the date it was last in effect, whichever is later, per 45 CFR § 164.316(b)(2)(i).

3.2 Review and update the risk analysis at least annually, and whenever significant changes occur (new technology, new business operations, new threats identified, security incidents, or regulatory changes).

6. Roles & Responsibilities

Security Officer ([SECURITY OFFICER NAME]): Leads the risk analysis and risk management process. Maintains the Risk Register. Presents findings and remediation recommendations to practice leadership. Ensures documentation is complete and retained.

Privacy Officer ([PRIVACY OFFICER NAME]): Collaborates on risk analysis for systems containing PHI. Ensures privacy considerations are incorporated into risk management decisions.

Practice Administrator/Owner ([ADMINISTRATOR NAME]): Reviews and approves the risk analysis findings and remediation plan. Allocates resources for risk remediation. Accepts residual risk where appropriate with documented business justification.

IT Manager/Vendor ([IT CONTACT NAME]): Provides technical information about systems, configurations, and existing controls. Implements technical remediation measures. Assists with vulnerability scanning and system assessments.

All Workforce Members: Report suspected vulnerabilities or security concerns to the Security Officer. Cooperate with risk analysis activities including interviews and system assessments.

7. Review Schedule

This policy and the associated risk analysis shall be reviewed and updated at least annually, and following any of the following trigger events: deployment of new technology or systems that interact with ePHI; significant change in business operations (e.g., new practice location, merger, or acquisition); identification of a new threat or vulnerability; a security incident or breach; changes to applicable regulations. The review date and any updates shall be documented in the policy revision history. Per 45 CFR § 164.308(a)(8), periodic technical and non-technical evaluations must confirm the ongoing effectiveness of security measures.

8. Regulatory References

45 CFR § 164.308(a)(1)(i) — Security management process (Required) 45 CFR § 164.308(a)(1)(ii)(A) — Risk analysis (Required) 45 CFR § 164.308(a)(1)(ii)(B) — Risk management (Required) 45 CFR § 164.308(a)(8) — Evaluation (Required) 45 CFR § 164.316(b)(1) — Documentation requirements 45 CFR § 164.316(b)(2)(i) — Time limit for document retention (6 years) NIST SP 800-30 — Guide for Conducting Risk Assessments HHS Security Risk Assessment Tool (available at healthit.gov)