Understanding HIPAA Risk Analysis

The Health Insurance Portability and Accountability Act (HIPAA) establishes standards to protect sensitive patient data. Health care entities are expected to establish policies and procedures that meet the needs of their business operations while protecting the protected health information (PHI) held within their facilities. To determine and maintain these standards, organizations engage in a HIPAA risk assessment.


HIPAA does not prescribe how a risk assessment must be completed, since every health care provider organization is different, but it does mandate that any practice that deals with PHI perform a risk assessment. These risk assessments “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronically protected health information held by the organization.”[1]


There are nine mandatory components* that healthcare-related organizations must include in their risk analysis.

  • Scope: Full inventory of electronic media used within the business to manage and maintain electronic PHI (ePHI).
  • Data Collection: Define where ePHI is being stored and maintained.
  • Threats and Vulnerabilities: Document anticipated threats or leaks of ePHI and sensitive data.
  • Current Security Measures: Define the types of security controls used to protect data (e.g. two-factor authentication).
  • Threat Occurrence Likelihood: Estimate the probability that each identified threat will be realized against ePHI.
  • Threat Occurrence Impact: Evaluate the methods used to assess the maximum impact a data threat could have on the business.
  • Level of Risk: Combine the likelihood and impact of each threat occurrence (listed above) to determine the organization’s total level of risk.
  • Documentation: Complete the analysis by drafting the full evaluation as a professional document.
  • Review and Updates: Perform updates and review the analysis regularly, including any time new technology is introduced to the business, data storage is changed or updated, or security management/administration turnover takes place.


*Fully explore the Security Risk Assessment Tool by visiting HealthIT.gov.


While the HIPAA risk assessment is necessary for your healthcare-related business, it is important to remember that this type of analysis is a marathon, not a sprint. To be successful, schedule time each week, or each month, to devote to HIPAA compliance. Reach out to Human Capital to learn more about HIPAA compliance or to see how we can help keep your entire organization compliant.



[1] HHS.gov: Guidance on Risk Analysis
