Risk Analysis for HIPAA Compliancy

Risk Analysis for HIPAA Compliancy (PDF, 2.45MB)
Published: 09 Mar, 2005
Created by:
Chris Ralph

This document describes the policy and procedure established by a small hospital, GIAC Health, for meeting the Risk Analysis Administrative Safeguard requirement for HIPAA compliance. It also includes a brief explanation of GIAC Health's interpretation of the Risk Analysis required implementation standard. GIAC Health is an independent, eighty-bed hospital with a single location, specializing in acute care and sports medicine. Nearly seventy-five resident physicians and nurses (across three shifts) use the Emergency Department Management application (EDM) from Meditech™. The EDM system runs entirely on Microsoft Windows 2000 servers and is the single, central repository for patient information (electronic Protected Health Information). The MIS department is small and is directed by the CIO, who is also the assigned HIPAA Security Officer. The Network Manager is responsible for the LAN infrastructure gear as well as Internet access and the two Linux boxes. The System Administrator is responsible for the Active Directory domain and the Windows servers, including the Meditech system and data backups. A single PC Support Technician operates the help desk and is responsible for end-user support, PC provisioning and support, anti-virus, and the other non-Meditech applications running on the PCs.