
How To Interpret Your HIPAA Risk Analysis Results

Is your business meeting the Health Insurance Portability and Accountability Act (HIPAA) rules? Have you completed a HIPAA risk assessment and HIPAA risk analysis? Organizations that fail to comply put patients' protected health information (PHI) at risk.

Failure to adhere to HIPAA standards carries hefty fines. In 2018 the Office for Civil Rights (OCR) imposed its largest financial penalty to date: Anthem paid $16 million after a breach of its ePHI, with OCR citing, among other failures, the lack of an enterprise-wide risk analysis that could have identified the risks to that data.

All businesses that handle PHI must adhere to the HIPAA Security Rule and Privacy Rule mandates. Keep reading to learn about ensuring your compliance.

Who Must Be HIPAA Compliant?

HIPAA rules apply to all providers who create, receive, maintain, or transmit PHI in electronic form (ePHI). This includes but isn't limited to:

  • Chiropractors
  • Clinics
  • Dentists
  • Doctors
  • Nursing Homes
  • Pharmacies

These providers are covered entities (CEs). Health plans are covered entities too, including health insurance companies, HMOs, and company health plans, as are government-financed Medicare, Medicaid, and military or veteran health plans. Business associates (BAs), meaning vendors and contractors that handle PHI on a covered entity's behalf, must meet the same standards.

Healthcare clearinghouses must also comply. These are entities that convert nonstandard health information into a standard electronic format or data content, or convert standard data back into a nonstandard format, for another organization.


Today, all entities must meet the HIPAA rules as well as subsequent amendments. This includes the Health Information Technology for Economic and Clinical Health (HITECH) Act, which extended the Security Rule requirements directly to business associates and raised the penalty tiers.

These requirements are intentionally technology-neutral and scalable so that CEs and BAs of different sizes and types can meet them with measures appropriate to their environment. The goal is to keep PHI secure and prevent breaches.

Is A HIPAA Risk Assessment Required?

The introduction of electronic health records (EHRs) has created potential ePHI risks. The Security Rule, at 45 CFR §164.308(a)(1)(ii)(A), requires every entity that handles ePHI to conduct a risk analysis.

The purpose is to produce an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. This allows organizations to identify and correct deficiencies before a breach occurs.

How to Complete a HIPAA Risk Assessment

To make sure that you don’t miss any key points, use a HIPAA compliance checklist. The following provides a sample that you can use.

  • Decide whether the HIPAA Security Rule, Privacy Rule, and HITECH Act apply to your organization
  • Find out which yearly audits and assessments apply to you
  • Complete all required assessments and audits, review the results, and record deficiencies
  • Document all correction plans, actions, and follow-up reviews
  • Name a HIPAA Compliance, Security, and/or Privacy Officer responsible for the program and for staff training
  • Document staff training on HIPAA policies and procedures
  • Document staff training on recognizing, responding to, and reporting breaches, including notification of OCR
  • Practice due diligence in assessing each BA's HIPAA compliance, with written agreements and yearly reviews

Organizations must keep written records of their HIPAA-related policies and of each completed risk assessment. Where a deficiency is not corrected, they must document the reason.

If a breach occurs, all of this documentation becomes part of the investigation. OCR can impose fines and penalties whether the non-compliance was unintentional or intentional; the penalty tier depends on the level of culpability.

HIPAA Risk Assessment Results

The findings from your risk assessment serve as a road map to fortify your security. Failing to comply with the HIPAA rules can cost large fines even if no PHI breach has occurred.

If a breach occurs, you must follow HIPAA protocols for notifying OCR and patients. You may also face criminal charges or civil action lawsuits.

Ignorance of the HIPAA rules isn't a valid defense. Still, the business's demonstrated due diligence may affect the fine amount. To ensure you're compliant, seek advice from a HIPAA professional.

Is a HIPAA Risk Analysis Required?

The U.S. Department of Health and Human Services (HHS) mandates risk analyses. It's advisable to hire a HIPAA risk analysis service, since breaches have substantial consequences and an outside reviewer is more likely to catch gaps your own staff have become blind to.

Not only is patient PHI in danger, but so is your business's reputation. Current or potential clients may leave upon hearing that you failed HIPAA compliance. As mentioned, you may also face fines, penalties, and criminal charges.

The professional auditor will review your risk assessment report and training documentation. They’ll give suggestions for improvement and even speak with your staff.

HIPAA doesn't prescribe a specific method for conducting a risk analysis. It's key that your analysis addresses your organization's own systems, data flows, and vulnerabilities, and that the measures you choose are reasonable for your size and resources.

The bottom line is to keep complete records of your risk analyses and improvements.

How to Conduct a HIPAA Risk Analysis

Many facilities use the National Institute of Standards and Technology (NIST) guidelines, in particular NIST SP 800-66, which maps the Security Rule to concrete controls. NIST guidance is binding only on federal agencies, but it offers a good industry standard for securing ePHI.

The Security Rule applies to all ePHI created, received, maintained, or transmitted. Businesses that perform these tasks must perform risk analyses to identify threats and vulnerabilities. Next, they need to implement security measures that reduce those risks to a reasonable and appropriate level.

The following provides an example of a risk analysis checklist.

  • Catalog the ePHI created, received, stored, or transmitted by your business, and where it lives (systems, devices, media, vendors)
  • Identify all external CEs and BAs that handle your clients' ePHI
  • Identify environmental, human, and natural threats to that ePHI, and the vulnerabilities each could exploit
  • Assess the security measures already in place against each threat
  • Rate the likelihood and impact of each threat and assign a risk level

Following the risk analysis, you should analyze the findings and take corrective actions, starting with the highest-rated risks.

HIPAA Risk Analysis Results

Now that you've identified your vulnerabilities, it's time to work on process improvement. The goal is to reach substantial compliance. Thus companies should use the findings to do the following:

  • Develop appropriate staff screening procedures
  • Determine what data needs a backup and how to accomplish this
  • Determine whether data needs encryption at rest and how to implement this process
  • Identify data that needs integrity controls, such as authentication of records in certain situations, to detect unauthorized alteration
  • Develop a plan for protecting ePHI during transmission, including encryption in transit

The HIPAA Security Rule labels each implementation specification as either "required" or "addressable". Addressable specifications aren't optional.

For an addressable specification, a business may decide that it's not reasonable or appropriate to implement it as written. In that case it must document the rationale and, where reasonable and appropriate, implement an equivalent alternative measure that achieves the same purpose.

Do You Need Help to Ensure HIPAA Compliance?

Healthcare providers, facilities, CEs, and BAs must ensure the protection of all PHI. This includes completing a regular HIPAA risk assessment and HIPAA risk analysis. HIPAA Security Suite provides these services to help ensure your compliance.

Our risk assessments include environmental factors, such as whether you're in a flood zone. We examine firewall and mobile device security and over a hundred other items.

Our team has developed HITECH Act compliant manuals and document sets for your use. HIPAA Security Suite also provides training for your staff and BAs. Contact us today to ensure you meet all HIPAA standards.

HIPAA Security Reminders

HIPAA Security Suite has developed a weekly HIPAA Security Reminder series that's FREE for all of us who are responsible for, or engaged in, the use and protection of PHI.

The series supports the standard at 45 CFR §164.308(a)(5) of the HIPAA Security Rule, which states: "Implement a security awareness and training program for all members of its workforce (including management)."

This standard is part of our Best Practices Recommendations for HIPAA Security Suite users, but it’s available for FREE to anyone who wants to comply with HIPAA using the easiest, best tools available.
