The U.S. Department of Health and Human Services (HHS) says, “Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI.” To be compliant, the risk analysis should be conducted or reviewed annually and revisited any time there is a change in the operating or technical environment. Conducting a HIPAA Risk Assessment supports awareness and development of data security programs, allowing you to achieve business goals.
CynergisTek uses a NIST-based methodology when conducting a HIPAA Risk Assessment, because OCR’s guidance on requirements for risk analysis points to recommendations and guidelines established by NIST for conducting a risk analysis. CynergisTek’s stand-alone assessment combines several of our individual security and technical tests into a single engagement aimed specifically at addressing the requirement for a risk assessment and ongoing risk management. We also offer a HIPAA Risk Assessment as part of a comprehensive compliance management program, the Compliance Assist Partner Program (CAPP).