Managing Healthcare ePHI Security Risks: A Primer for CEOs

Attention CEOs! We recommend that you study the Health Data Management slideshow entitled “What Healthcare CEOs Need to Know About IT Security Risk,” which is available online at: This slideshow is based on a June 2014 Redspin White Paper entitled “What Healthcare CEO’s Need to Know about IT Security Risk: When Saving Costs Can Be Costly,” which can be accessed at:


Here, HIPAA Safeguard focuses on the content of the third of the nine slideshow screens, entitled “Compliance”:


“Compliance and Complacency


“Most security assessments are inadequate in scope or the resultant migration plan was not implemented, and more than half of hospitals conduct their assessment in-house. Or, a firm is hired to conduct a “desk audit” that is little more than a checklist. Either way, assessments focused on complying with regulations are not sufficient and will not withstand an audit. ‘CEOs should know who within the organization actually conducted the assessment and what scope of work they used. Was the assessment conducted by a junior person or a full cross-functional team?’”


The Office for Civil Rights (OCR), the HIPAA/HITECH Act privacy, security, and breach notification enforcement arm of the Department of Health and Human Services (HHS), is expected to initiate compliance audits in the near future, and likely will focus on the foundation of a successful risk management program: the risk analysis. Guidance for conducting the “reasonable and appropriate” risk analysis required under the HIPAA Security Rule has been developed by the National Institute of Standards and Technology (NIST) in “An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule” (NIST Special Publication (SP) 800-66 Revision 1, October 2008), which can be accessed at: This publication outlines nine steps for accomplishing a risk analysis, beginning with defining the scope and ending with a set of findings that will support a risk mitigation strategy and lead to the development of safeguard policies and procedures.


HIPAA Safeguard has developed a plain-language, understandable Risk Analysis Template based on the NIST risk assessment protocols and guidance presented in SP 800-66 Revision 1 and other NIST publications. The Risk Analysis Template is organized so that an outside consultant, or key personnel in a covered entity or business associate, can assess the security of, and potential gaps in the security of, the organization’s electronic systems, devices, and media that contain electronic protected health information (ePHI), where those gaps could be exploited by threats or vulnerabilities. The Risk Analysis Template is presented in nine tables or sets of tables which, when completed, provide a covered entity or business associate with the information needed to implement a risk mitigation strategy and strengthen its safeguard policies and procedures.


The HIPAA Safeguard Risk Analysis Template is included at no charge with a purchase of the HIPAA Safeguard Policies and Procedures on this site (, and will be sent to the purchaser via separate email download at the purchaser’s designated email address after purchase fulfillment. 


HIPAA Safeguard Policies and Procedures covers over 100 of the HIPAA Privacy Rule Administrative Requirements, HIPAA Security Rule standards and implementation specifications, and HITECH Act Breach Notification requirements, which a covered entity or business associate can tailor to its specific operational business requirements based on the findings of its risk analysis. Each of the affordable HIPAA Safeguard products, the Risk Analysis Template and the Policies and Procedures, should provide a degree of comfort to the chief executive of a covered entity or business associate, because those products address each of the current OCR safeguard audit protocols, which have two components: (1) “Inquire of management” whether the relevant regulation has been implemented, and (2) “Provide the evidence.” Visit the OCR Audit Program Protocol Website, which is accessible at:, to get a flavor of compliance audit inquiries. Also, visit the OCR Resolution Agreement Website, which is accessible at:, to see Resolution Agreement and embedded Corrective Action Plan examples of the onerous costs and time requirements organizations can experience when found to be noncompliant.