The American Recovery and Reinvestment Act of 2009 under the Administrative Safeguards provision states that all covered entities are required to perform risk analysis as part of their security management processes. The risk analysis and management provisions of the Security Rule help determine which security measures are reasonable and appropriate for a particular covered entity. Risk analysis affects the implementation of all of the safeguards contained in the Security Rule. Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI.