HIPAA & HITECH Require Risk Analysis

A key requirement of the HIPAA and HITECH regulations is that covered entities and business associates conduct a comprehensive and thorough assessment of the potential risks and vulnerabilities to the Confidentiality, Integrity, and Availability (CIA) of all electronic Protected Health Information (EPHI). These HIPAA and HITECH mandates require organizations to complete a comprehensive and thorough vulnerability assessment on a regular schedule.

OCR Guidance on HIPAA Risk Analysis

The guidance published by the Office for Civil Rights (OCR) states that “Conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule. Therefore, a risk analysis is foundational…” Further, OCR states that “All EPHI created, received, maintained or transmitted by an organization is subject to the Security Rule. The Security Rule requires entities to evaluate risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of EPHI. Risk analysis is the first step in that process.”

HITECH Meaningful Use Requirements Include Risk Analysis

The requirement for demonstrating Meaningful Use of an Electronic Health Record (EHR) tells organizations that they must “Implement systems to protect the privacy and security of patient data.” Organizations seeking to demonstrate Meaningful Use must “Conduct or review a security risk analysis and implement security updates as necessary, and correct identified security deficiencies.”

