How To Identify Your HIPAA Risk Analysis Scope

The HIPAA Security Rule adopts national standards for safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI) that is created, received, maintained, or transmitted by a Covered Entity (CE) or Business Associate (BA).

As a CE or BA, you are required to have in place reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the confidentiality, integrity and availability of the ePHI you are entrusted with.

  • Confidentiality: ePHI is not available or disclosed to unauthorized people
  • Integrity: ePHI is not altered or destroyed in an unauthorized manner
  • Availability: ePHI is accessible and usable on demand by authorized persons


CEs, BAs and their subcontractors of ALL sizes or complexities MUST conduct and document a comprehensive enterprise-wise risk analysis of their computer and other information systems used to create, receive, maintain, or transmit ePHI to identify potential risks and respond accordingly; 45 CFR §164.308(a)(1).

Yes, this means you too solo practitioner & solo BA!

Some of you may be solo practitioners in single physician’s offices. Others of you work in clinics, and others of you work in large healthcare organization or even hospitals; the rule will operate differently in each of these environments.

For that reason, the rule does NOT prescribe ANY particular technology, technique, or practice for performing the required risk analysis.

The HIPAA Security Rule is designed to be scalable and flexible.

What does heck does that mean?

There are many ways of performing a risk analysis. There are certain key elements of the risk analysis process; the first thing is to identify your HIPAA Security Risk Analysis scope.

Compliance is different for each organization and no single strategy will serve every CE or BA. There are many ways of performing a risk analysis. However, determining the scope of your risk analysis should be the very first thing completed, otherwise how will you know which elements are completed and which ones have yet to be done?

Scope involves getting information required to start a project, and the features the project would need to meet its stakeholder’s requirements.*

Your HIPAA Security Risk Analysis should encompass the potential risks and vulnerabilities to the confidentiality, availability, and integrity of all the ePHI your organization creates, receives, maintains, or transmits.

This includes ePHI on all kinds of electronic media, not just PCs and servers.

In simple terms, this includes performing a risk analysis; including ALL devices which may contain ePHI, implementing reasonable and appropriate security measures; and documenting and maintaining policies, procedures and other required documentation. Compliance is not a one-time goal, but an ongoing process.

Your risk analysis is part of an ongoing process to provide YOU with a detailed understanding of the potential risks to the confidentiality, integrity, and availability of your patients’ information.

Covered Entities and Business Associates need to understand patients are entrusting them with their most private and intimate details, they expect it to remain secure.

Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks?




Don’t know where or how to start or update your HIPAA security compliance program? Let’s chat about your compliance program – schedule a call with HIPAA alli today!






* Source: