Is a HIPAA Risk Assessment Mandatory? (The Answer Is Yes)

Are you wondering whether or not a HIPAA risk assessment is mandatory? Well, the answer is yes. 

So what is a HIPAA risk assessment? In principle there is no single prescribed form, as the Department of Health & Human Services recognizes that there is no one standard for risk analysis.

In this article, we will cover what HIPAA is, and what your risk assessment should consist of.

So keep reading to learn more.

What Is HIPAA?

The Department of Health and Human Services has developed guidelines for the management of patient information. Alongside those standards and guidelines, the department has developed two separate rules that complement each other.

They are the HIPAA Privacy Rule and the HIPAA Security Rule. The Privacy Rule applies to the patient's right to control their personal health information. It covers the confidentiality and physical security of PHI in all formats, such as oral, paper, and electronic.

The Security Rule deals with the security of electronic PHI (ePHI) that has been received, created, transmitted, or maintained. Covered entities are required to use technical, physical, and administrative safeguards to protect a patient's ePHI.

Covered entities (CEs) are insurance providers, third-party billing agents, and health plans. In addition, all business associates have to comply with the guidelines as well. These are third-party individuals or vendors who use or come in contact with patient information.

HIPAA requires a risk assessment, and it should be completed before an audit takes place. If an audit occurs and you have not completed an assessment, you are most likely going to be fined heavily. The larger your organization, the more PHI it receives, transmits, and creates, and consequently the higher your fine will be.

What Is A HIPAA Risk Assessment?

As mentioned earlier, HHS recognizes that there is no standard for risk analysis. This is because business associates and covered entities vary greatly in size, capability, and complexity.

Nonetheless, HHS states the mission of the risk assessment quite clearly: to identify potential vulnerabilities and risks to the integrity, availability, and confidentiality of all PHI that an organization transmits, receives, maintains, or creates.

In order to accomplish this mission, your organization should:

  1. Determine where PHI is maintained, stored, received, or transmitted
  2. Determine potential vulnerabilities and threats
  3. Identify the security measures currently in place that safeguard PHI
  4. Determine whether these measures are employed appropriately
  5. Identify the likelihood of each threat
  6. Determine the potential impact of a breach
  7. Classify vulnerabilities by risk level and impact
  8. Document the results and take action where necessary
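As an added illustration (not part of the original article), the eight steps above can be carried out as a small risk register: each PHI asset and threat is rated for likelihood and impact, the product is bucketed into a risk level, and every entry is documented and flagged for action. The asset names, threats, ratings, and the 1-3 scale are constructed assumptions for this example.

```python
from dataclasses import dataclass

LEVELS = {"low": 1, "medium": 2, "high": 3}  # rating scale for steps 5-7

@dataclass
class PhiAsset:
    name: str          # step 1: where PHI is stored, received, transmitted or maintained
    handling: str      # "stored", "received", "transmitted" or "maintained"
    safeguards: tuple  # step 3: security measures currently in place

@dataclass
class Risk:
    asset: PhiAsset
    threat: str                # step 2: threat or vulnerability
    safeguard_effective: bool  # step 4: is the measure employed appropriately?
    likelihood: str            # step 5: low / medium / high
    impact: str                # step 6: low / medium / high

def risk_score(likelihood: str, impact: str) -> int:
    return LEVELS[likelihood] * LEVELS[impact]  # 1..9

def risk_level(score: int) -> str:
    """Step 7: bucket the numeric score into a risk level."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"

def assess(risks: list) -> list:
    """Step 8: document every risk, flag those needing action, rank highest first."""
    rows = []
    for r in risks:
        score = risk_score(r.likelihood, r.impact)
        level = risk_level(score)
        rows.append({
            "asset": r.asset.name, "handling": r.asset.handling,
            "threat": r.threat,
            "safeguards": ", ".join(r.asset.safeguards) or "none",
            "score": score, "level": level,
            "action_required": level == "high" or not r.safeguard_effective,
        })
    return sorted(rows, key=lambda row: row["score"], reverse=True)

SAMPLE_RISKS = [  # constructed sample data, not a real organization's register
    Risk(PhiAsset("clinician laptops", "stored", ("full-disk encryption",)),
         "lost or stolen laptop", True, "medium", "high"),
    Risk(PhiAsset("billing email", "transmitted", ()),
         "PHI sent to the wrong recipient", False, "medium", "medium"),
]
```

Note that the second entry is flagged for action even though its score is only medium, because the safeguard in place is not effective; the register output is the documentation step 8 calls for.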

As you can see, a risk assessment is not a one-time exercise. Assessments must be conducted regularly, and also whenever new practices are implemented in the workplace. HHS provides no guidance on the frequency of review, but it does suggest that an assessment be conducted at least once a year.

Even though business associates must also conduct assessments under the amended HIPAA Security Rule, many covered entities and business associates neglect to conduct an analysis at all.

A privacy risk assessment is as important as a security risk assessment, but it can take longer and be more involved, depending on the size and nature of the business.

To complete a privacy assessment, an organization must appoint a Privacy Officer, whose primary task is to understand the bigger picture of how the Privacy Rule affects the operations of the business.

Next, the officer must map the flow of PHI, both internally and externally, in order to complete a gap analysis. Finally, the organization must develop and implement a compliance program. It should include policies that address the identified risks, and it must be reviewed each time a new technology or work practice is introduced.

Failure to Conduct an Assessment Is Costly

The size of a fine for non-compliance has always depended on the number of patients affected by the breach of PHI, as well as the level of negligence involved.

A few fines, though rarely, are issued in the "Did Not Know" category of violation, because there is truly no excuse for not knowing about the obligation to secure PHI.

Most commonly, fines are issued under the "Willful Neglect" category of violation, meaning the organization knew or should have known about its responsibility to safeguard patient information.

Some of the largest fines are attributed to the failure to identify where the risks to PHI exist, including the record $5.5 million fine against the Memorial Healthcare System.

Moreover, since the second round of HIPAA audits, fines can also be issued for potential breaches. These are organizational flaws that the risk assessment failed to uncover, or cases where no analysis was completed at all.

Without a risk assessment, not only do you become subject to fines, but you also put the welfare of your patients at risk, and that is inappropriate.

HIPAA Risk Addressed

Now that you know about the obligatory nature of a HIPAA risk assessment, you are well on your way to determining how you will approach this year's analysis within your organization.

In any case, performing this assessment as an internal operation without adequate preparation and training can lead to substantial fines and problems in the future. To mitigate these risks, you can delegate the analysis, documentation, training, and remediation to another party.

If you're interested in becoming fully HIPAA compliant, get in touch with us and we will happily accommodate your needs.
