Development of a Risk Assessment Tool for University of California- Riverside's Healthcare Enterprise

The purpose of this project is to develop a risk assessment tool for the University of California, Riverside (UCR). UCR is health enterprise that manages operations under an environment of innate and uncontrollable risks. Therefore, a risk assessment tool is highly advisable under California State Laws and federal laws. In the case of overlapping laws, federal law will always prevail unless State law explicitly states otherwise. California Health Information Privacy Manual states that California must follow numerous state guidelines and a federal set of guidelines called HIPAA (Health Insurance Portability and Accountability Act of 1996). HIPAA is put in place to protect and serve as an organizational tool to develop a stronger and more secure infrastructure of security measures within healthcare enterprises. Under HIPAA is a Security and Privacy Rule that was implemented by The U.S. Department of Health and Human Services (HHS) and will serve as the basis for the risk assessment tool I developed. The Security and Privacy Rule's main goal is to set a national standard of how electronic protected health information (ePHI) will be appropriately used and disclosed by organizations subject to this rule, also known covered entities. Covered entities include health plans, health care providers and health care clearinghouses unless specifically stated otherwise. Permitted uses and disclosures of PHI or ePHI are outlined in detail and covered entities are expected to follow all aspects of it that pertain to their role within a healthcare system. Under HHS, the Office of Civil Rights (OCR) strictly enforces the Security and Privacy Rules and can issue civil money penalties and/or other major consequences making this a sizable and critical issue in healthcare environments. Each risk and impact must be assessed to determine an overall risk score. This score will then determine what risks need to be immediately addressed and which risks are most critical to UCR. To do this, potential impacts were determined for each section. The impact score can be decided by using a chart that will be discussed in the development section. The likeliness of the risk can be determined by a UCR professional via the provided chart and an overall risk score can be assigned. From here, an action plan can be set and carried out to eliminate possible hazards and imminent risks. Once a Risk Assessment tool is developed, potential risks can be indentified and dealt with appropriately in regard to level of impact and the likelihood of the risk occurring. By reducing risk, a healthcare enterprise can gain greater financial stability, decrease loss and protect vital information that is critical to the success organization.