Many doctors and covered entities assume risk analysis and risk management refer to the same process. While they share some similarities in terms of goal, however, they are two unique steps towards achieving compliance with the Health Insurance Portability and Accountability Act (HIPAA) of 1996. To learn more about the differences between risk management and risk analysis, keep reading.
The HIPAA Security Rule contains requirements pertaining to risk analysis and risk management. As you may already know, the Security Rule only affects Electronic Protected Health Information (EPHI), not paper/physical PHI. Therefore, both risk analysis and risk management only involve EPHI. When paper forms of PHI are being accessed or otherwise used, covered entities are not required to conduct either a risk analysis or subsequently risk management.
A risk analysis involves the assessment of potential security risks and vulnerabilities that could affect the confidentiality, integrity, and/or availability of EPHI stored by a covered entity or one of its business associates. While HIPAA doesn't include a step-by-step format for conducting a risk analysis, a typical analysis may consist of checking where EPHI is stored, how it is accessed, whom can access it, and how difficult it would be for an unauthorized individual to access it.
The Department of Health and Human Services (HHS) says on its website that a thorough risk analysis would also consider “relevant losses that would be expected if the security measures were not in place.” Even if a covered entity has covered all of its bases by implementing the appropriate safeguards, it must still consider the possibility of a breach and its ramifications.
On the other side of the fence is risk management, which differs from its risk analysis counterpart in the sense that it's done after an analysis. Once a covered entity has identified potential security risks and vulnerabilities within its system, it would perform risk management to, well, mitigate the potential damage posed by those risks.
So, how is risk management performed? It involves the implementation of Technical, Administrative and Physical safeguards, as well as other security measures in an effort to significantly reduce the covered entity's risk of having EPHI compromised. Risk management is conducted in the wake of a risk analysis, with covered entities taking measures to better protect their EPHI from unauthorized use or access.