HIPAA Risk Analysis

HIPAA Risk Analysis — The First 3 Things You Can Do To Begin Your HIPAA Risk Assessment

Data Breaches? This probably isn’t your first rodeo. If anything, with the crazy increase of electronic records within the last 20 years, they have become much more common.

A security assessment is literally a must-do to determine threats and weak points to Protected Healthcare Information (PHI). Not only is it important to find these threats, but a risk analysis is also mandatory. The HIPAA Security Rule requires Covered Entities and their Business Associates to conduct an annual HIPAA risk assessment and use security measures in order to help keep PHI safe. 

Although regulations do not instruct organizations on how to control or secure their systems, they do require that those systems be secure in some way and that the organization proves to independent auditors that their security and control infrastructure is in place and effective.

So, you’re required to do this huge assessment every year with not a lot of guidance on HOW to do it. So what’s the best way to do your annual HIPAA Risk Analysis?? Let’s explore.

First things first. What is a HIPAA Security Risk Analysis? Before you can get started on safeguards, you’ll need to know:

  • What kind of PHI you can access,
  • Where you have gaps and security risks,
  • And what can threaten the integrity and security of your PHI.


***Motivation Tip: Even a small breach of PHI due to a missed HIPAA Risk Analysis can quickly become a huge problem, with penalties capped at $1.5 million per calendar year for the duration of the breach.*** 😵‍💫 


Let’s determine the general scope of a Risk Analysis:

  • What kind of security procedures does your business have in place?
  • Are your employees aware of and trained in HIPAA Security regulations?
  • What kind of encryptions are you using?
  • Are systems protected against unauthorized access?
  • Are your physical healthcare records locked up?

Not too bad, right? Okay, let’s look at the first 3 things you can do to begin your HIPAA Risk Assessment!

Gathering and Documenting Information

Where is your PHI? Who has access to it? We’re talking physical, digital — the who, what, and where of it all.

Assess whether or not the security measures required are already in place and are configured correctly according to the Security Rule. Document your findings!

Identify threats and vulnerabilities

How’s your server security? Is there possible PHI on a laptop or thumb drive somewhere that isn’t encrypted? Do employees share passwords?

Think about the gaps you may have uncovered in your organization’s safeguards and consider the likelihood of potential threats to PHI that may impact the security and integrity of PHI maintained by your organization.

Technology In Use Documentation

IT security risk has been seen as the responsibility of the IT or network staff in the past, as those individuals have the best understanding of the components of the technical setup. This approach has limitations! As systems have become more complex, integrated, and connected to third parties, the control you have over technology quickly reaches its limitations. Take a look at:

  • Hardware specifications,
  • Software types, product names, and versions,
  • Network setup,
  • And security systems – your firewall, malware protection

Whew! Overall, a dental or medical practice must have a solid base for its information security framework. The risks and vulnerabilities of your practice will change over time though. If your practice continues to follow its framework, it will be in a good position to address any new risks and/or vulnerabilities that arise.

A Curated Compliance and Training Program can do wonders for the process and ease of completing your HIPAA Risk Analysis every year. Even a webinar is a great first step. We provide comprehensive compliance programs, offered live or on-demand through a customized training system. Using the most up-to-date federal and state laws for the industry, our courses aim at educating both the doctor and their employees on their roles in mitigating risk around the office.

Interested in HR & Coaching but want to learn more?

Check Out Some Blogs!

HIPAA Risk Analysis

HIPAA Risk Analysis — The First 3 Things You Can Do To Begin Your HIPAA Risk Assessment!

Track Compliance for Dental and Medical Offices

How to Track Compliance for Dental and Medical Offices and Better Assess Risks.

Compliance and Training Programs; COVID-19 Compliance; Practice Protocols

Do Your Compliance and Training Programs Support Your COVID-19 Compliance and Practice Protocols?

Want to learn more about taking the stress of compliance off of your shoulders?

Schedule a quick demo to see how Done Desk helps you spend effective time managing your business so you can get back to medicine.

Let's Talk!