How To Prepare for HIPAA Risk Assessments

Increasingly, healthcare providers are learning to utilize the extensive benefits of online tools like patient portals. These tools enable more efficient communication between providers and patients. Moreover, they allow patients increased access to medical records and test results.

These are just a few of the benefits that providers have come to recognize. However, there is a downside. When you transmit data electronically, your office becomes more prone to data breaches. 

For this reason, healthcare companies must conduct HIPAA risk assessments on their data. These assessments help determine how well your patients’ protected health information (PHI) is safeguarded.

A HIPAA security compliance assessment is a thorough analysis. If you’re not sure how best to prepare for that assessment, read the guide below! We’ve assembled some tips to help you prepare for a HIPAA risk assessment. 

Preparing for HIPAA Risk Assessments: Determining PHI Access

When preparing for your HIPAA risk assessment, start by determining what electronic PHI (ePHI) you have access to. For clarity’s sake, we’ve included a brief reminder as to what PHI could encompass.

PHI can be:

  • Past, present, or future physical health condition of a patient
  • Healthcare services rendered to a patient
  • Past, present, or future healthcare payments made by the patient for received healthcare services

With these points in mind, determine how much of this information you have access to. As you go about this task, ask yourself questions like these. 

Where does your organization store ePHI? What systems do you use to transmit that data, and where do you send it?

Generally, you can get this information by asking your employees and reviewing documentation from your previous HIPAA risk analysis. Once you complete this portion of your assessment, document your findings.

What Security Measures Do You Use?

Once you’ve learned what ePHI you have access to, investigate the security measures you use. Get started with this process by documenting your practice’s current efforts to protect your PHI. 

As we’ve mentioned before, storing and transmitting PHI electronically brings electronic dangers. Attackers can break through weak systems to steal data and use it for all kinds of illicit purposes.

As such, you have to ensure you have proper digital safeguards in place to protect the data. There are several ways to do this. One way to start is by password-protecting your Microsoft Word documents.

Adding a password to these documents is a simple yet effective way to keep them safe. You can also encrypt your data with public/private (asymmetric) key pairs or with symmetric keys to ensure only you and your patients can access the data.

A final way to protect your data is to use Virtual Private Networks, popularly known as VPNs. VPNs are an excellent way to keep data private between you and your patients while it is in transit.

If you’re not currently using these tools, there’s a high likelihood that your electronic data isn’t safe. Look into ways you can use these tools to protect your data from prying eyes.

Where is Your Organization Most Vulnerable?

As you continue to examine your practice and your systems, determine where your data is most unprotected. What gaps exist in your system that could allow somebody to break through? With the information presented in the last section, you should have a clear idea of where to begin your search.

When you detect a gap, take a moment to consider the likelihood of a threat. Is there a significant possibility that somebody could breach this gap to steal HIPAA-protected data? 

As you make these discoveries, make sure you document them well. It may seem like a chore, but you’ll be thankful for the documentation when your next assessment comes around.

Determine the Level of Risk

In the last section, we discussed catching gaps in the system and assessing the likelihood of a data breach. Now, we’ll discuss how to determine the level of risk.

Classifying the level of threat a gap poses for your business depends on two factors. First, you must consider the likelihood that somebody could use this gap to breach your data. Second, you must determine whether such a breach could cause substantial harm to your practice. 

Let’s go back to the ePHI protections we named a few sections back. Imagine that you have a password assigned to each of your documents, but it’s a trivially guessable password (like 123).

The probability of somebody guessing that password is high. If you have no other protections in place, somebody could alter, copy, and distribute this information with ease. As such, it constitutes a high-level threat to your HIPAA security compliance.

Now, let’s imagine that you’ve left your documents without a password. However, every file is encrypted, is only transmitted over a VPN, and is saved as a “Read Only” file.

The chances of somebody breaking into these documents are drastically lower now. Moreover, even if they did get past the security, they would still be unable to edit the data they access. As such, this possibility constitutes a low-level threat.

Even so, consider taking corrective actions to minimize threats. To get started on this, document your assigned threat levels. From there, determine what steps you’ll take to reduce the risk. 

Finalize Your Documentation

Hopefully, you’ve heeded our advice about documenting all your information as you go. If so, then excellent! All you need to do is finalize your documentation. 

Decide on a format that allows you to outline your information clearly. This data should include what PHI you have access to, your weaknesses and vulnerabilities, and the steps you’ll take to minimize PHI threats. 

Find a HIPAA Security Compliance Service

Conducting HIPAA risk assessments is a necessary practice for keeping your data safe. If you’re unsure of the best way to go about this analysis, consider hiring a HIPAA security compliance team to help. 

We at HIPAA Security Suite offer a host of services to keep your medical practice HIPAA compliant. If you work with us, you’ll receive up-to-date manuals on HIPAA policy, comprehensive staff training, risk assessments, and more. Schedule a consultation today!
