The Administrative Safeguards provisions in the Security Rule require providers to perform risk analysis as part of their security management processes. The risk analysis and management provisions of the Security Rule are addressed separately here because, by helping to determine which security measures are reasonable and appropriate for a particular provider, risk analysis affects the implementation of all of the safeguards contained in the Security Rule.  

A risk analysis process includes, but is not limited to, the following activities: 

• Evaluate the likelihood and impact of potential risks to e-PHI
• Implement appropriate security measures to address the risks identified in the risk analysis
• Document the chosen security measures and, where required, the rationale for adopting those measures
• Maintain continuous, reasonable, and appropriate security protections