HIPAA Security Rule — Risk Analysis
Enforced by: HHS OCR (US)
Current as of March 26, 2013
Plain Language Summary
Risk analysis is the foundation of HIPAA Security Rule compliance. It must be documented, kept current, and cover all ePHI wherever it resides. Most OCR enforcement actions cite a missing or inadequate risk analysis.
A covered entity must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity. Required implementation specifications: Risk analysis (Required); Risk management (Required); Sanction policy (Required); Information system activity review (Required).