HIPAA Risk Analysis

Episode 27: Know The Rules! HIPAA Risk Analysis Common Steps

Performing a HIPAA Risk Analysis

These days, most protected health information (PHI) is stored electronically (ePHI), which means the risk of a breach of your patients’ PHI is very real. Your HIPAA Risk Analysis helps you measure the impact of the threats and vulnerabilities that pose a risk to the confidentiality, integrity and availability of your patients’ PHI.

There is no single method or “best practice” that guarantees compliance; however, most risk analysis and risk management processes have these steps in common.

Here are some things to remember as you conduct your risk analysis:

  1. Define the scope of your risk analysis and collect data regarding the PHI pertinent to the defined scope.
  2. Identify potential threats and vulnerabilities to patient privacy and to the security of your patients’ PHI.
  3. Assess the effectiveness of implemented security measures in protecting against the identified threats and vulnerabilities.
  4. Determine the likelihood a particular threat will occur and the impact such an occurrence would have to the confidentiality, integrity and availability of PHI.
  5. Determine and assign risk levels based on the likelihood and impact of a threat occurrence.
  6. Prioritize the remediation or mitigation of identified risks based on the severity of their impact on your patients and practice.
  7. Document your risk analysis including information from the steps above as well as the risk analysis results.
  8. Review and update your risk analysis on a periodic basis.
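Steps 4 through 8 above are where most practices get stuck, because the Security Rule does not prescribe a scoring scheme. The following is an added example, not code or a method from the original post or from HIPAA alli: it keeps a small risk register, assigns a risk level from a 3x3 likelihood/impact matrix (the scale and the matrix thresholds are assumptions, as is the one-year review interval), ranks the entries for remediation, and emits the documented result as JSON. The sample risks are constructed for illustration.

```python
"""Qualitative risk register for a HIPAA-style risk analysis.

Added example, not from the original post. The three-level scale,
the likelihood x impact matrix and the review interval are assumptions;
the Security Rule does not prescribe any particular scoring scheme.
"""
import json
from dataclasses import asdict, dataclass
from datetime import date, timedelta

# Assumed qualitative scale; any consistent ordinal scale would do.
LEVELS = {"low": 1, "medium": 2, "high": 3}
REVIEW_INTERVAL = timedelta(days=365)  # assumption for step 8


@dataclass
class Risk:
    asset: str              # step 1: where the ePHI lives (in scope)
    threat: str             # step 2
    vulnerability: str      # step 2
    existing_controls: str  # step 3: what is already in place
    likelihood: str         # step 4: low / medium / high
    impact: str             # step 4: low / medium / high


def assign_risk_level(likelihood: str, impact: str) -> str:
    """Step 5: likelihood x impact on a 3x3 matrix -> low/medium/high.

    Products: 1-2 -> low, 3-4 -> medium, 6-9 -> high (assumed thresholds).
    """
    score = LEVELS[likelihood.lower()] * LEVELS[impact.lower()]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Step 6: highest risk level first; ties broken by impact, then likelihood."""
    return sorted(
        risks,
        key=lambda r: (
            LEVELS[assign_risk_level(r.likelihood, r.impact)],
            LEVELS[r.impact.lower()],
            LEVELS[r.likelihood.lower()],
        ),
        reverse=True,
    )


def build_register(risks: list[Risk], reviewed_on: date) -> dict:
    """Step 7 (document) and step 8 (schedule the next review)."""
    entries = [
        {
            **asdict(r),
            "risk_level": assign_risk_level(r.likelihood, r.impact),
            "priority": rank,
        }
        for rank, r in enumerate(prioritize(risks), start=1)
    ]
    return {
        "reviewed_on": reviewed_on.isoformat(),
        "review_due": (reviewed_on + REVIEW_INTERVAL).isoformat(),
        "risks": entries,
    }


# Constructed sample input for a small practice (illustrative only).
SAMPLE_RISKS = [
    Risk("EHR server", "ransomware", "unpatched operating system",
         "antivirus only", "high", "high"),
    Risk("clinician laptops", "laptop theft", "no full-disk encryption",
         "none", "medium", "high"),
    Risk("backup media", "loss in transit", "unencrypted backup tapes",
         "courier chain-of-custody log", "low", "high"),
    Risk("fax line", "misdirected fax", "manual dialing of recipient number",
         "confirmation cover sheet", "medium", "low"),
]


if __name__ == "__main__":
    # Step 7 output: the documented register, ready to file with the policy set.
    print(json.dumps(build_register(SAMPLE_RISKS, date(2024, 1, 15)), indent=2))
```

The point of keeping the matrix in one function is auditability: when an assessor asks how a risk level was reached, the answer is the likelihood, the impact and the thresholds, all of which are recorded alongside the entry rather than living in someone's head.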


The HIPAA Security Rule allows you to tailor the security policies, procedures and technologies used to safeguard ePHI to your medical practice’s size, complexity and capabilities, as well as to its technical, hardware and software infrastructure.

Covered Entities and Business Associates need to understand that patients are entrusting YOU with their most private and intimate details, and they expect those details to remain secure.

Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks?


Don’t know where or how to start or update your HIPAA security compliance program? Let’s chat about your compliance program – schedule a call with HIPAA alli today!
