Elements of a risk analysis include:

Defining the scope of the analysis to include all ePHI the CE creates, receives, maintains and transmits, and documenting where the ePHI is located Identifying and documenting reasonably anticipated and potential threats specific to the CE's operating environment and vulnerabilities which, if exploited by a threat, would create a risk of an inappropriate use or disclosure of ePHI Assessing existing security measures Determining and documenting the potential impact and risk to the confidentiality, integrity and availability of ePHI Periodically reviewing and updating the risk analysis