9 Key Components of HIPAA Risk Analysis

Perhaps you have received notification that you now need to perform HIPAA risk analysis for your business. You may find yourself wondering what risk analysis is and just what it entails. Further, you may wonder if you need to include it in your audit report.

The HHS Security Standards Guide, published through The Department of Health and Human Services (HHS), outlines nine mandatory components of a risk analysis for healthcare organizations and healthcare-related organizations that collect, store, process and transmit protected healthcare information (PHI).

Take a look at the nine components and what you need to include in your risk analysis:

1. The Scope of the Risk Analysis

With this first and crucial component, it is important to look at all potential risks and vulnerabilities to privacy, availability, and integrity of PHI. These possible risks and vulnerabilities include any and all electronic media, such as portable media, desktops, and networks that your organization uses to create, receive, maintain and transmit PHI. Network security between multiple sites and locations is also important to add in the analysis scope since it may include aspects of your HIPAA hosting terms with a third-party or Business Associate (BA).

2. Data Collection

Determine where the PHI goes. Locate where all data is being stored, received, maintained and transmitted. When hosting health information at a HIPAA-compliant data center, you need to get in touch with your hosting provider to learn all locations of your data.

3. Pinpoint and Record Potential Threats and Vulnerabilities

Identifying and documenting all potential anticipated threats to sensitive data and any vulnerabilities that may lead to the leaking of PHI is an important step in risk analysis since they can all allow for HIPAA violations. By picking up on these possible issues, you can ensure that your organization quickly and effectively comes up with a resolution to maintain HIPAA compliance.

4. Evaluate Current Security Climate and Measures

It is important to explore what kind of security measures you are taking to protect your data. Such an evaluation might include technical considerations like encryption, two-factor authentication and any other security methods put in place by your HIPAA hosting provider.

5. Determine the Probability of Threat Occurrence

Look at all likely risks to PHI. In combination with the third tip, looking at potential threats and vulnerabilities, this assessment gives you the chance to make estimates on the likelihood of PHI breaches.

6. Figure Out the Potential Impact of Threat Occurrence

Selecting either the qualitative or quantitative method, evaluate the maximum impact of a data threat to your business. Determine how many people could be affected and to what extent private data could be exposed. Would medical records or both health information and billing combined be at risk?

Compliance questions? Get answers!

Book a free 30-minute consultation with a specialist to find your path to compliance. Secure your spot today.


7. Understand the Level of Risk

The HHS recommends taking the average of the assigned potential and impact levels to calculate the level of risk. These documented risk levels should be accompanied by a list of corrective responses that teams might perform to mitigate risk.

8. Prepare Final Documentation

Write up all findings in an organized document. There is no prescribed format from the HHS, but they do require seeing the results of the analysis in writing.

9. Perform Periodic Reviews and Updates to the Risk Assessment

Every risk analysis endeavor must be ongoing, which is one requirement included when it comes to conducting a risk analysis on a regular basis. While the HIPAA Security Rule does not set any concrete required timeline, HHS suggests businesses conduct a new risk analysis any time your organization plans to adopt or implements new technology or business operations. This may include any type of staff turnover or switching data storage methods from in-house to cloud computing.

HIPAA Audit Tips and Best Practices

If it is time for you to perform a HIPAA audit, we thought you might benefit from reviewing our checklist of HIPAA audit steps to ensure compliance. The HIPAA Security Rule recommends the following tips:

  • Document everything, including data management, training, security, and notification plans.
  • Employ a password policy for access.
  • Encrypt PHI while stored in the database during transmission.
  • Use SSL for web-based access for any sensitive data.
  • Limit knowledge of encryption techniques and mechanisms to a select few employees.
  • Make sure to encrypt content like images and scans, making sure there is no personally-identifying information.
  • Use VPN access for remote access only.
  • Describe a disaster recovery plan.
  • Work with Business Associates (BA) that already have BA Agreements in place, which allows your auditor to review each BA’s documents without conducting another audit in addition to the one at hand.

Learn more about Direct Liability of Business Associates Under HIPAA Rules.

Do You Need Additional HIPAA Audit Tips and a Plan for Risk Analysis?

If you still need help figuring out the various HIPAA audit steps and risk analysis, our team at I.S. Partners, LLC. can help. Call us today at 215-675-1400 so we can help figure out just what you need as soon as possible.

About The Author

Get started

Get a quote today!

Fill out the form to schedule a free, 30-minute consultation with a senior-level compliance expert today!

Analysis of your compliance needs
Timeline, cost, and pricing breakdown
A strategy to keep pace with evolving regulations

Great companies think alike.

Join hundreds of other companies that trust I.S. Partners for their compliance, attestation and security needs.

Scroll to Top