We are always surprised to learn how few organizations have had a risk analysis, and we have even had clients get audited without having done one. Now they are in a rush to get an ad hoc/band-aid compliance analysis in place while having to do everything else… swimming upstream.
Chris Apgar, a former HIPAA Compliance Officer, has a nice list of things you need to know about risk analysis:
“[...]compliance is not the biggest reason for conducting ongoing risk analysis. The biggest reason is that it can save your business [...] the most critical thing to realize about risk analysis is that it stretches beyond what the regulations require. ‘There are so many other risks: the risk of being sued, of losing your practice, of causing harm to your patients. Yes, doing risk analysis costs time and money, but not doing it is a good way to lose more money or lose your business.’”