
HIPAA Understood: 164.308(a)(1)(ii)(B) Risk Management

This series is intended to help those required to comply with HIPAA understand what is required of them. Regulatory standards are often difficult to understand because they are worded vaguely. By the end of this series, you will have a better understanding of what HIPAA requires of you. In addition, I will provide suggestions on how to achieve compliance based on what I have seen work most effectively.


Risk Management is a crucial element of any well-oiled security program, and most regulations touch on it in some fashion. HIPAA addresses this requirement with the following rule:

“164.308(a)(1)(ii)(B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).”

So, this rule is straightforward: you need to maintain a security program that should include some or all of the following areas:

  • Vulnerability Management
  • Patch Management
  • Asset Management
  • Incident Response
  • Security Event Management / Security Event Monitoring

Where HIPAA is not specific, which is almost every rule, you should fall back on industry best practice. In these instances, you should perform your vulnerability and patch management processes monthly. It is important to remember that you must include all instances of PHI/ePHI within your organization or that your organization is responsible for.

There are many ways to approach risk management, and you should strive to find the one that is most effective for your organization. At a minimum, ensure you are including all instances of PHI/ePHI, but I highly recommend expanding the scope to all assets within your organization whose compromise through a vulnerability could negatively impact the organization.
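One practical way to check the two points above (a monthly vulnerability and patch cadence, and a scope that covers every ePHI asset at minimum) is to audit the asset inventory itself. The script below is an added example, not part of the original post; the inventory rows are constructed, and "monthly" is assumed to mean within 31 days.

```python
"""Audit an asset inventory against a monthly vulnerability-scan and patch cadence.

Assumptions (not from the post): inventory rows carry an `ephi` flag and ISO dates
for the last vulnerability scan and the last patch run; None means never done.
"""
from datetime import date, timedelta

# Constructed sample inventory; these are not real systems.
INVENTORY = [
    {"asset": "ehr-db-01",     "ephi": True,  "last_vuln_scan": "2024-05-03", "last_patch": "2024-05-05"},
    {"asset": "billing-app",   "ephi": True,  "last_vuln_scan": "2024-03-20", "last_patch": "2024-05-01"},
    {"asset": "intranet-wiki", "ephi": False, "last_vuln_scan": None,         "last_patch": "2024-01-10"},
    {"asset": "fax-gateway",   "ephi": True,  "last_vuln_scan": None,         "last_patch": None},
]

# "Monthly" from the post, interpreted here as a 31-day window (assumption).
CADENCE = timedelta(days=31)


def stale(last_done, as_of, cadence=CADENCE):
    """True when the activity was never done or is older than the cadence window."""
    if last_done is None:
        return True
    return as_of - date.fromisoformat(last_done) > cadence


def audit(inventory, as_of, cadence=CADENCE, ephi_only=True):
    """Return {asset_name: [findings]} for assets outside the cadence.

    ephi_only=True is the minimum scope the rule requires (all ePHI assets);
    ephi_only=False widens the check to every asset, as the post recommends.
    """
    findings = {}
    for item in inventory:
        if ephi_only and not item["ephi"]:
            continue
        issues = []
        if stale(item["last_vuln_scan"], as_of, cadence):
            issues.append("vulnerability scan overdue or never run")
        if stale(item["last_patch"], as_of, cadence):
            issues.append("patching overdue or never run")
        if issues:
            findings[item["asset"]] = issues
    return findings


if __name__ == "__main__":
    for asset, issues in audit(INVENTORY, date(2024, 5, 15), ephi_only=False).items():
        print(asset, "->", "; ".join(issues))
```

Feeding the output into the monthly review gives an evidence trail that every in-scope asset was actually covered, which is what an assessor will ask for.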