Risk Analysis and Management
A risk analysis process includes, but is not limited to, the following activities:
1. Evaluate the likelihood and impact of potential risks to e-PHI.
2. Implement appropriate security measures to address the risks identified in the
3. Document the chosen security measures and, where required, the rationale for
adopting those measures.
4. Maintain continuous, reasonable, and appropriate security protections.
Risk analysis should be an ongoing process (a service provided by Chel-Mikk):
1. The covered entity regularly reviews its records to track access to e-PHI and detect
2. The covered entity periodically evaluates the effectiveness of security measures
that have been put in place. This includes updating these security measures.
3. The covered entity regularly reevaluates potential risks to e-PHI.
Physical Safeguards
Facility Access and Control. A covered entity must limit physical access to its facilities
while ensuring that authorized access is allowed.
Workstation and Device Security.
1. A covered entity must implement policies and procedures to specify proper use of and
access to workstations and electronic media.
2. A covered entity also must have in place policies and procedures regarding the
transfer, removal, disposal, and re-use of electronic media, to ensure appropriate
protection of electronic protected health information (e-PHI).
Access Control. A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
Audit Controls. A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
Integrity Controls. A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.
Transmission Security. A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.
Chel-Mikk provides services to cover all areas of HIPAA/HITECH Compliance.