A HIPAA risk analysis is different from a HIPAA risk assessment. A risk analysis requires you to look at the devices within your organization that store ePHI, while a HIPAA risk assessment requires you to measure your organization against the requirements of the HIPAA regulatory act. Both are used to identify risk factors and gaps that call for remediation, but each requires you to examine different aspects of your organization.
The Compliance Risk Analysis will require you to audit your organization on the following part of the HIPAA rule:
HIPAA Risk Analysis Scope:
The following steps should be followed for a HIPAA Risk Analysis project:
Step 1 – Inventory & Classify Assets
Step 2 – Document Likely Threats to Each Asset
Step 3 – Vulnerability Assessment
Step 4 – Evaluate Current Safeguards
Step 5 – Document Risks
Step 6 – Recommend Appropriate Safeguards
Step 7 – Create Report of Results and store in case of audit
After you have identified every device in your organization that stores ePHI, you will need to score each device on the risk that it could be compromised. Based on that score, determine the appropriate safeguard the device should have. If that safeguard is lacking, assign a gap to the device; you will later need to remediate the gap and track the outcome. Expertise and knowledge of device protection is critical when performing this process.