HIPAA and Risk Analysis

Risk assessment is key to many information security standards, but for none is it more important than HIPAA. HIPAA provisions, at their core, require your organization to perform a risk analysis on a regular basis. That risk analysis needs to encompass all information systems and controls used in the delivery of the services to which HIPAA is relevant, and it makes sense to extend it into a companywide risk analysis – risk assessment across the whole organization. The governing standards used by OCR to determine your risk assessment requirements are FIPS 199 and 200, which detail the classification of your systems, and NIST SP 800-39 and SP 800-30, which detail a core process for risk assessment that drives the selection of common security controls. Remember, unlike most frameworks, HIPAA has made risk analysis a core requirement, and failing to perform it is a primary violation.