Document Your Process, Findings, and Actions
The HIPAA Security Rule requires you to document your risk analysis and HIPAA-related policies, procedures, reports, and activities. Also, if you are attesting for Meaningful Use, you are required to retain all records that support attestation.
Review Existing Security of ePHI (Perform Security Risk Analysis)
In the risk analysis process, you assess potential threats and vulnerabilities to the confidentiality, integrity, and availability of ePHI. The findings inform your risk mitigation strategy. A professional can plan and implement your risk analysis, but you will need to oversee the process. See the SRA Tool for guidance.
Develop an Action Plan
Using the results from your risk analysis, discuss and develop an action plan. Learn more in Chapter 6 of the Guide.
Source: HealthIT.gov