HIPAA Core Policy: Risk Analysis and Management of ePHI   



This policy establishes guidelines for ongoing risk analysis and management of ePHI, which will assist in determining the value of assets and the corresponding exposure to threats and vulnerabilities.

Effective Date: 3/23/2016


Review/Revised Date: 3/23/2016


Category: Ethics and Integrity


Policy Owner: Provost

Policy Contact: Chief Privacy Officer



1. PURPOSE: To establish policy for risk analysis and management of ePHI. Information produced during the risk analysis will be utilized to determine and manage countermeasures critical for assurance of our ePHI resources. Risk management is an ongoing process to determine the value of assets and the corresponding exposure to threats and vulnerabilities.

2. PHILOSOPHY: Security of our ePHI resources requires an effective risk management program which includes continual assessment and the acceptance or mitigation of discovered risks.

3. APPLICABILITY: This policy applies to all UAB Covered Entities: UAB Hospital, The Kirklin Clinic of UAB Hospital, The Kirklin Clinic of UAB Hospital at Acton Road, Callahan Eye Hospital and Callahan Eye Hospital Clinics, UAB Health Centers, Medical West, VIVA Health, Inc., the University of Alabama Health Services Foundation, Ophthalmology Services Foundation, Valley Foundation, other UABHS managed entities that may be added from time to time, UAB School of Medicine, UAB School of Dentistry, UAB School of Optometry, UAB School of Health Professions, UAB School of Nursing, School of Education Community Clinic, UAB Health Plans, and other covered entities that may be added from time to time. For purposes of this policy, UAB Covered Entities shall be referred to as "UAB". 


4.1. Definitions:

4.1.1. Information Security Officer: A designated individual responsible for the management of information security. Currently both the Campus and the UAB Health System operate information security offices.

4.1.2. Electronic Protected Health Information (ePHI): PHI in electronic form.

4.1.3. HIPAA Security Officer: A designated individual responsible for HIPAA related information security issues.

4.1.4. Protected Health Information (PHI): Health information, including demographic information collected from an individual and created or received by a health provider, health plan, employer or health care clearinghouse that relates to the past, present, or future physical or mental health or condition of any individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual, and that identifies an individual or there is a reasonable basis to believe the information can be used to identify the individual and that is transmitted or maintained by electronic media or any other form or medium. PHI does not include individually identifiable health information in education records covered by the Family Educational Rights and Privacy Act and employment records held by a covered entity in its role as an employer.

4.1.5. Risk: The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact on confidentiality, integrity and availability of confidential information.

4.1.6. Risk Analysis: An accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by a UAB Covered Entity.

4.1.7. Risk Management: The implementation of security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to: Ensure the confidentiality, integrity, and availability of all ePHI the UAB Covered Entity creates, maintains, receives, or transmits; Protect against any reasonably anticipated threats or hazards to the security or integrity of such information; Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the HIPAA Privacy Rules; Ensure compliance with the HIPAA Security Rule and HITECH Act; and Ensure Meaningful Use requirements are met.


5.1. Covered entities who maintain or transmit ePHI shall:

5.1.1. Conduct and document a thorough risk analysis a minimum of every two years in coordination with the HIPAA Security Officer and the Entity Security Coordinator. Exceptions to the two-year analysis include: When changes to the environment could affect the confidentiality, integrity, or availability of sensitive or business-critical information, a risk assessment or impact analysis must be conducted. The occurrence of an event or incident warranting the reevaluation of risks requires an immediate risk assessment. Regulatory requirements, such as an assessment performed for a Meaningful Use attestation period.

5.1.2. Conduct and document risk analysis, consisting of the following minimal components: Asset inventory, Data criticality analysis, Threat assessments, Determination of risk exposures, and Development of a risk mitigation strategy. Maintain a written record of the analysis/assessment for 6 years.

5.1.3. Submit the risk assessment findings and the mitigation strategy to the appropriate data security office within 30 days of concluding their assessment. The appropriate information security office shall forward a copy of the risk assessment findings to the HIPAA Security Officer.

5.1.4. In collaboration with the appropriate information security office, document risk acceptance decisions, and implement measures to remediate vulnerabilities and sufficiently reduce risk exposure within a reasonable timeframe after concluding their assessment.

5.1.5. Document the remediation activities.

5.1.6. Submit the risk remediation plan to the appropriate information security office, which shall forward a copy of the mitigation plan to the HIPAA Security Officer.

5.1.7. Provide written exemption or extension requests for any vulnerability that, due to business or technology constraints, cannot be remediated in the allotted time. All such requests must be approved by the appropriate information security office, HIPAA Security Officer and Risk Management.

5.2. Data produced from the risk assessment shall be kept confidential.

5.3. Violations of these standards may result in disciplinary action, up to and including dismissal.

5.4. Business Associates must comply with risk analysis and risk management requirements contained in the HIPAA Security Rule. Business Associates who do not meet those requirements could be subject to breach of contract penalties, possible legal prosecution, and other legal remedies/ramifications as available to UAB.

5.5. All business associates shall be required to sign a business associate agreement approved by UAB Legal Counsel.


7. SCOPE: This policy applies to all UAB entities covered under HIPAA and systems that maintain ePHI, and all Business Associates. 


To view other HIPAA Core Policies and for more information, please visit http://www.hipaa.uab.edu/index.php/policies.