How to Perform HIPAA Risk Assessment

Srividhya Karthik

Srividhya Karthik

Nov 18, 2022

HIPAA Risk Assessment

The HHS Office of Civil Rights (OCR) provides direction to healthcare entities to implement safeguards for the privacy and security of patients’ protected health information (ePHI) and ensure HIPAA compliance. However the first crucial step in this direction is to identify critical risks and security loopholes.

In the words of Stephane, Nappo, “Even the bravest cyber defense will experience defeat when weaknesses are neglected”

The process of risk assessment is an essential component for companies looking to create a strong security posture. They can help healthcare entities identify vulnerabilities, strengthen their controls, ward off breaches, leaks, and loss of business and even keep bad PR at bay.

In this article, we explain what HIPAA risk assessments are and explain the eight composite steps to effective risk assessment.

What is HIPAA Risk Assessment?

HIPAA risk assessment is an audit process that helps organizations pinpoint security gaps impacting the confidentiality, integrity and availability of PHI. It also helps organizations ensure compliance with HIPAA security rule and HIPAA privacy rule by assessing the effectiveness of physical, technical and administrative safeguards.

The risks and vulnerabilities identified can impact the confidentiality and integrity of the electronic PHI (ePHI) in your environment.

  • Covered entities such as healthcare providers (doctors, hospitals, clinics etc.), health plans, and healthcare clearinghouses that directly deal with sensitive patient health information must conduct HIPAA assessments.
  • Business associates that provide services to covered entities such as medical billing companies, claim processors etc. indirectly deal with or use ePHI. Hence, they are required to comply with HIPAA regulations and carry out regular assessments.
  • HIPAA assessments must be conducted annually; when new technology or significant changes get introduced, such as upgrades in your health information technology systems and process.

Why is HIPAA Risk Assessment important?

HIPAA risk assessment is important because it forms the basis for identifying and implementing safeguards that comply with the HIPAA Security Rule standards. It’s a mandatory HIPAA requirement and can attract fines from the Office for Civil Rights (OCR) for noncompliance; penalties can range from $100 to $50,000 per violation up to a maximum of $1.5 million per year for each violation.

Here are some of the outcomes that get decided based on the security risk assessment (SRA):

HIPAA Risk Assessment

While risk assessment is foundational to the HIPAA Security Rule, it doesn’t prescribe a specific methodology to go about it. Instead, it establishes several objectives you must achieve, no matter the assessment methodology. 

The outcome of HIPAA annual risk assessment should help organizations assess whether an implementation specification or an equivalent measure is reasonable and appropriate.

Read about how Neurosynaptic got HIPAA audit-ready in 2 weeks with Sprinto’s integrated compliance automation platform.

Types of HIPAA risk assessment

HIPAA advocates for various types of risk assessments to ensure airtight security of ePHI and address all concerning risks. Health-tech businesses must perform all of these HIPAA annual risk assessments as each has its specific objective and protection focus.

Broadly there are 3 types of HIPAA risk assessments

HIPAA security risk assessments

The HIPAA Security Rule stipulates the need to test the effectiveness of implemented safeguards for staying on top of risks and vulnerabilities to PHI. As such, the HIPAA security risk assessments require you to ensure:

  • Confidentiality, integrity and availability of sensitive health information by evaluating various risks such as inadequate access controls, unencrypted data and system security vulnerabilities among others.
  • The business associate agreements must communicate expectations of compliance with Security rule. Business associates must also report any incidents of data breach to covered entities for transparency and accountability.

HIPAA privacy risk assessments

HIPAA privacy rule risk assessments assess the flow of PHI across systems and networks both internally and externally to identify potential risks to a patient’s data privacy. Depending on the size and complexity of the organization, a Privacy officer can be appointed to:

  • Ensure adherence to HIPAA privacy rule and develop a privacy compliance program
  • Identify security gaps which can expose the PHI to unauthorized individuals
  • Monitor employee activities and arrange for workforce training
  • Strive for continuous improvement

HIPAA breach risk assessments

HIPAA breach risk assessments are conducted at the time of a data breach whenever a patient’s health information is compromised. The objective is to assess the severity and impact of associated risks and initiate measures for improvement. 

However, if an organization does not perform a breach risk assessment in certain instances, it must notify affected individuals about unauthorized access or or impermissible disclosure.

The best advice is to not skip these assessments and avoid regulatory scrutiny resulting from data breaches. 

Eight steps to performing HIPAA Risk Assessment

HIPAA risk assessments can help medical and healthcare organizations identify risks and map them to the appropriate security measures and controls. HIPAA Security Risk Assessment (SRAs) help organizations reduce the possibilities of ePHI breaches and leaks. 

Here’s an 8-step HIPAA risk assessment guide you can use to help you through the process:

HIPAA Risk Assessment 8 Steps

1. Understand the scope of risk assessment

HIPAA compliance risk assessment, as we mentioned earlier, is a thorough audit of the risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI (ePHI) in your environment.

This includes e-PHI in all forms of electronic media, such as hard drives, CDs, DVDs, smart cards, personal digital assistants, and portable electronic media. And electronic media includes single workstations as well as complex networks connected between multiple locations. 

Therefore, the scope of your organization’s security risk assessment must take into account all of its e-PHI, regardless of the electronic medium or the location of ePHI. 

What Sprinto experts say?

60% of health tech businesses struggle with scope definition and HIPAA risk assessment requirements. Make quick work of your scoping exercise with Sprinto. Speak with our compliance expert now

2. Know your Data

You must identify where identifiable health information is stored, received, maintained or transmitted in your organization. You could review the organization’s past and existing projects, perform interviews, review documentation, and use other data-gathering techniques to gather all information needed for risk assessment. 

The Department of Health and Human Services (HHS) offers examples of questions organizations must ask at this stage:

  • Have you identified the e-PHI within your organization? This includes e-PHI that you create, receive, maintain or transmit.
  • What are the external sources of e-PHI? For example, do vendors or consultants create, receive, maintain or transmit e-PHI?

Note: The data on ePHI that’s gathered must get documented.

3. Identify and Document Potential Threats and Vulnerabilities

You must now identify and document the potential threats to ePHI. What are the human, natural, and environmental threats to information systems that contain e-PHI? You must also determine the different threats that are unique to your environment.

You could do this by interviewing your staff that handles ePHI, reviewing documentation, and evaluating past observations, if any, to get an overview of the potential risks.

HIPAA Threats

This step also entails the identification of vulnerabilities that, if triggered, can risk ePHI safety.

How Sprinto can help here:

Sprinto has an in-built library of risks covering most risks faced by cloud-first companies. Simply choose the risks that apply and leverage quantitative security and privacy risk assessments. You will also be able to see a bird’s eye view of the overall risk exposure on the dashboard and manage them centrally from the platform.

How Sprinto can help here

Sprinto has an in-built library of risks covering most risks faced by cloud-first companies. Simply choose the risks that apply and leverage quantitative security and privacy risk assessments. You will also be able to see a bird’s eye view of the overall risk exposure on the dashboard and manage them centrally from the platform.

4. Assess Current Security Measures 

You must now ascertain the effectiveness of your existing security measures to protect ePHI and evaluate whether they are appropriate and effective; if yes, assess whether they are configured and used correctly. These safeguard measures will vary depending on the size and complexity of the organization. 

Don’t forget to document the measures you have already implemented, including your assessment. 

Sprinto’s continuous compliance monitoring capabilities will help you stay on top of security and compliance. The implemented controls are monitored at a granular level and automated alerts are raised for any drifts. The pending controls that must be implemented are highlighted on the health dashboard to give you a quick snapshot of remaining work.

5. Determine the likelihood of threat occurrence and its potential impact

You must now determine the likelihood of occurrence for each identified threat and vulnerability. You could label the possibility of occurrence as high, moderate, or low or assign numbers (1,2 and 3). 

Next, you must determine the potential impact (qualitatively and/or quantitatively) on the confidentiality, integrity, and availability of ePHI if such a threat or vulnerability were to occur.

For instance, it could be unauthorized access, loss of data, and more.

HIPAA Compliance Risk Assessment

The output of this step should be detailed documentation of the likelihood of a threat occurrence and its potential impact on the ePHI. 

6. Determine the Level of Risk and Corrective Actions

The next step is to assign risk levels for all the threat and vulnerability combinations. The level of risk could be determined, for example, by analyzing the values assigned to the likelihood of threat occurrence and the resulting impact of threat occurrence.

The HHS suggests that you could determine the risk levels based on the average of the assigned likelihood and impact levels. You must now identify the potential security measures that you can implement to reduce each risk to a reasonable level.

Security measures include organization policies, procedural requirements, and specific technical safeguards such as encryption, data backup, and more. 

As is the outcome for each step, documentation of the assigned risk levels and a list of corrective actions you must take to mitigate each risk level is necessary. 

Sprinto has a risk-scoring module with details on impact, likelihood, inherent risk, residual risk and other details along with risk response recommendations to help you navigate these intricacies.

7. Finalize Documentation 

HIPAA places much emphasis on maintaining documentation. So, ensure you document your HIPAA assessment process diligently at every step. The documentation is evidence that you executed the HIPAA risk assessments in all earnest and may stand you in good stead in the event of a breach or a regulatory oversight that shows up in an OCR-led audit of your HIPAA privacy risk and HIPAA security risk compliance.

‘Good faith efforts’ are seen in a good light by the OCR. 

How Sprinto can help here:

Sprinto collects evidence automatically against each corrective action and control to make it easier for the auditor to understand context. The evidence is presented on an independent dashboard for easy collaboration and minimizing time taken for audits.

8. Periodic Review and Updates to the Risk Assessment

The HIPAA security risk analysis process isn’t a ‘one-and-done’ event. While the Security Rules don’t specify the number, risk assessments should be conducted at least once a year or following significant organizational changes, such as the addition of new technologies or business operations, or even a security incident.

For instance, if your covered entity experiences a breach or sees a change in ownership, you must adjust your risk weights and deploy security measures accordingly to ensure ePHI remains protected. If the analysis shows insufficient protection against the newly-added risks, you must implement additional security safeguards in time. 

For a detailed overview, look up HIPAA’s guidelines on the risk assessment tool. The tool is designed to help healthcare providers conduct a security risk assessment as required by the HIPAA Security Rule.

Also check out: How to become HIPAA certified

Automate your HIPAA Risk Assessment with Sprinto

As you would have noticed by now, HIPAA security rule risk assessment is pretty detailed. Lapses in your risk assessment can snowball into breaches and huge penalties if left uncorrected. And that you have to do this assessment each year with the same diligence, if not more, can be overwhelming. 

Sprinto’s compliance automation platform streamlines HIPAA risk management by facilitating the roll out of pre-built HIPAA policies across the organization, enabling scheduled security training, and automating routine security checks and risk assessment activities. You can also capture all the evidence you need without having to sieve through multiple locations. This means your HIPAA implementation is done in weeks rather than months.

Talk to us today to learn more about how Sprinto can help you kickstart your HIPAA compliance journey.


What is the difference between HIPAA risk assessment and HIPAA compliance assessment?

HIPAA risk assessments are focused on identifying potential vulnerabilities affecting ePHI. HIPAA compliance assessments on the other hand evaluate the adherence to HIPAA rules such as HIPAA security rule, HIPAA breach notification rule etc. While the former is an ongoing exercise, the latter is conducted periodically.

Who is responsible for conducting HIPAA risk assessments?

HIPAA risk assessments are the responsibility of HIPAA compliance officers or other compliance officials. In certain instances, organizations may appoint third-party experts for the risk assessment exercise.

Does HIPAA require security risk analysis?

The Security Rule requires covered entities and business associates to undergo risk assessments to determine the risks and vulnerabilities that can impact the confidentiality, integrity and availability of electronic PHI (ePHI) in their environment.  An understanding of the security rules will help you here.

What is HIPAA risk management?

The HIPAA risk management process constitutes the correction action and additional safeguards and security measures that organizations undertake following a thorough HIPAA security risk analysis. Risk management dynamically manages the risks to ePHI while ensuring no HIPAA rule is unmet. 

Srividhya Karthik

Srividhya Karthik

Srividhya Karthik, is a Content Lead at Sprinto, she artfully transforms the complex world of compliance into accessible and intriguing reads. Srividhya has half a decade of experience under her belt in the compliance world across frameworks such as SOC 2, ISO 27001, GDPR and more. She is a formidable authority in the domain and guides readers with expertise and clarity.

Here’s what to read next….

Sprinto: Your growth superpower

Use Sprinto to centralize security compliance management – so nothing
gets in the way of your moving up and winning big.