Security Rule compliance is only possible when an appropriate risk analysis (sometimes referred to as a risk assessment) is performed on your information systems-specically the systems and physical locations where protected health information (PHI) is stored, processed, accessed from, or transmitted. Stated another way, you must know what you are trying to protect and what you are trying to protect against before you can actually protect anything. e Department of Health and Human Services (HHS) states in the Security Rule that:
In fact, the rst step listed and recommended by HHS in the Security Rule is a required risk analysis. We must say they are generally right on target with this. You absolutely cannot secure what you do not acknowledge. For most organizations, a risk analysis typically needs to be done before starting any of your Health Insurance Portability and Accountability Act (HIPAA) security compliance eorts. One exception is when you do not have any documented information security or privacy policies and procedures to begin with; these are also key requirements, and those policies that are explicitly required (e.g., for passwords and the assignment of information security responsibilities, just to name a couple) can be created prior to or while you are performing your risk analysis. Also, some of the tiniest business associates (BAs) and subcontractors (e.g., one to three people in the organization) can often use a standardized set of policies and procedures that are specic to that size and type of business, and the similar types of risks they face. at said, they all still need to perform a formal and documented risk analysis.