What Is a HIPAA Security Risk Assessment and Do I Need One?

Patient health data breaches can cost providers millions of dollars in HIPAA fines, and providers aren’t the only ones who pay. Health information breaches can lead to negative financial and personal consequences for patients, too.

This is why it’s so important to perform a HIPAA security risk assessment. What are these risk assessments, and who needs to conduct them? We’re answering both of those questions and more in this guide, so check it out.

HIPAA Security Risk Assessment: Explained

The US Federal government passed the HITECH Act in 2009. In the wake of this law, electronic medical records (EMRs) became commonplace for healthcare providers.

Yet, storing patient records electronically has also come with compliance issues. That’s why the HIPAA Security Rule came about. Keep reading to learn more about the Security Rule and how it defines security risk assessments. 

The HIPAA Security Rule

The HIPAA Security Rule is a mandate that healthcare providers and other institutions must follow. Of course, this rule only applies to businesses with access to electronic protected health information (ePHI).

The Security Rule offers guidance on how to safeguard ePHI. These safeguards include:

  • Physical safeguards
  • Technical safeguards
  • Administrative safeguards

Physical safeguards are those that protect systems that store ePHI. For example, installing security cameras at a private practice is a physical safeguard. Similarly, a fire alarm protects the same systems from damage in case of disaster.

Technical safeguards are policies and procedures protecting the use and accessibility of ePHI. This may include encryption when transferring ePHI across your organization. Enforcing passcodes can also ensure ePHI doesn’t wind up in the wrong hands.

Finally, administrative safeguards are those that monitor the human element of risk. Administrative safeguards include policies surrounding employee hiring and training processes. This also applies to enforcing ePHI security agreements with business partners who may have access to ePHI.

The Security Management Process Standard

Within the HIPAA Security Rule, the Security Management Process standard governs risk assessments. The standard applies to any business that deals with ePHI. These institutions must have policies and procedures in place to protect ePHI. 

Any policies and procedures should cover the full gamut of risk. That means they’ll detail how you will detect, contain, correct, and prevent ePHI breaches.

The Security Management Process standard also gives four requirements for assessing and responding to risk. One of these requirements is that businesses implement a risk analysis procedure.

Required Risk Analyses

The Security Management Process standard, held within HIPAA’s Security Rule, requires risk analyses.

The purpose of a HIPAA risk analysis is to identify potential risks to ePHI. This includes any risks that might impact the integrity, confidentiality, or availability of ePHI. Keep in mind that risk analyses apply to ePHI stored both inside and outside the organization.

Once you’ve conducted this risk analysis within your organization, you aren’t done yet. You must then come up with reasonable and appropriate measures to remedy those risks.

This may include identifying where you need to back up data. Or it may mean figuring out where to add passcode protection or whether you need to use encryption.

Who Needs a HIPAA Risk Analysis?

The HIPAA Security Rule and its standards are applicable to covered entities (CEs) and their business associates (BAs). 

What does that mean? And how often do these institutions have to perform security risk assessments? We’re about to tell you the answer to both of those questions, so keep reading.

Covered Entities

According to HIPAA, covered entities deal directly with ePHI. These may include healthcare providers, insurance companies, and banks’ clearinghouses. Of course, the Security Rule only applies if these entities touch ePHI. 

HIPAA recommends that CEs perform at least one risk assessment per year. Still, there are instances where additional risk assessments within the year are necessary. For example, you should run a new security risk assessment any time there’s a new healthcare regulation.

Business Associates

Business associates are non-healthcare industry professionals with access to ePHI. These professionals may serve CEs as third-party vendors. BAs include technology vendors, consultants, accounting firms, and attorneys. 

BAs are also required to conduct annual security risk assessments under HIPAA’s Security Rule. Again, more than one risk analysis per year may be necessary. For example, if the BA failed a previous risk assessment or has recently undergone a merger or acquisition, a second risk analysis may be warranted.

Three Questions To Ask During a Risk Assessment

The most foolproof way to ensure your risk analysis goes off without a hitch is to use the HHS’s Security Risk Assessment (SRA) Tool.

Otherwise, here are three questions to start with when running your first risk analysis. 

Where Are Your Internal Sources of ePHI?

When conducting a security risk assessment, the first step is to locate all sources of ePHI. You should understand how and where you store ePHI. Once you’ve done that, you need to identify how your institution creates, receives, stores, and transmits ePHI. 

What Are Your External Sources of ePHI?

External ePHI is any patient health record your business associates touch. This includes any ePHI your BAs create, transfer, or maintain for your organization. 

What Are the Major Threats to Your ePHI?

So, you’ve determined the location of your external and internal ePHI. Now what? You need to identify any risks to those locations.

HIPAA requires you, your partner CEs, and your BAs to define threats to your ePHI. This includes any environmental, natural, or human threats to the technology systems that store your ePHI. 

Get More HIPAA Advice From HIPAA Security Suite

The HIPAA security risk assessment requirement fell into place with the passage of the Security Rule. This rule protects electronic patient health information from threats. All covered entities and their business associates must conduct at least one annual security risk analysis. 

Are you nervous about your upcoming risk analysis? Let HIPAA Security Suite lend you a hand. Get in touch with us today to learn how we can help you or your BAs perform a security risk assessment to help protect your patients and yourself. 

HIPAA Security Reminders
HIPAA Security Suite has developed a weekly HIPAA Security Reminder series that’s FREE for all of us who are responsible for, or engaged in, the use and protection of PHI.

Pursuant to Section 164.308(a)(5) of the HIPAA Security Rule, the Standard states: “Implement a security awareness and training program for all members of its workforce (including management).”

This standard is part of our Best Practices Recommendations for HIPAA Security Suite users, but it’s available for FREE to anyone who wants to comply with HIPAA using the easiest, best tools available.