CMS issues security risk analysis guidance

The Centers for Medicare & Medicaid Services has released a security risk analysis tip sheet to help eligible providers conduct security risk analyses, which are required not only under HIPAA's security rule but also to meet both Stages 1 and 2 of Meaningful Use.

The tip sheet points out that while there are no "best practices" for conducting one, most risk analyses and risk management programs have steps in common, including review of existing infrastructures, identification of potential threats to privacy and security, and prioritization of risks. The tip sheet also dispels several myths about security risk analyses, such as the idea that a provider can rely on assurances from its electronic health record vendor.