I have attached a white paper that was finalized November 16, 2004 on 45 CFR
Administrative Safeguard 164.308 Risk Analysis. It mainly covers methods to
measure risk.
Risk assessment is just the first step, but a very important step, in a HIPAA security
compliance program. It will be the foundation of your mitigation work plan and
budget development which will need to be monitored and audited.
John Parmigiani, a key person in the drafting of the Final Security Rule, co-
authored this paper, wanting covered entities to understand qualitative and
quantitative. He knows the importance of understanding and applying the results of
the risk assessment, having spent money on an algorithm risk assessment while at
DHHS and finding it unhelpful. From my discussions with John, I would say that he
is a strong proponent of the NIST enterprise-wide risk management program.
I am trying to set up a free interactive audio/video conference for presentation of
the concepts in the attached paper. If I can beg and borrow the required bandwidth
and conference support, it will be conducted December 17, 2004. I would say right
now, the chances are 50/50 so you might want to pencil in the date for 2:00 PM ET.
I will let you know if I was successful no later than December 10 and provide
additional information if so.
Wishing you a safe and happy Thanksgiving,
Barbara McGowin, CPC
Executive Recruiting
HIT Recruiting
(843) 824-8537
Connecting Healthcare Organizations with People,
Products and Services to Achieve HIPAA Compliance.