What is a HIPAA Security Risk Analysis?

A security risk analysis is the foundation of the risk management process. The HIPAA Security Rule requires every covered entity and business associate to conduct one. The analysis is what lets your organization prevent, detect, contain, and correct security violations: you cannot protect electronic protected health information (ePHI) you have not located, or defend against threats you have not identified.

However, the rule itself is rather broad:

RISK ANALYSIS (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization]. – 45 CFR § 164.308(a)(1)(ii)(A)

Because the rule is broad, there is a lot of room for misunderstanding. Let’s address some common misconceptions about risk analyses.

HIPAA Huddle: Myth-busting the risk analysis

Small practices do not have to do a risk analysis.

False. The Security Rule has no small-practice exemption; covered entities of every size have had to comply since the rule's compliance deadlines (April 2005 for most covered entities, April 2006 for small health plans). A small practice must perform an initial analysis, document it, and then keep monitoring security as its systems and staff change. If your practice has never conducted a risk analysis, it should be your top priority: a missing or incomplete risk analysis is one of the most common findings in OCR enforcement actions.

I only need to conduct a risk analysis once.

Not true. HIPAA does not specify a fixed interval, so the right cadence depends on your organization's circumstances: some organizations repeat the analysis every year, others every two or three years. The Office of the National Coordinator for Health Information Technology (ONC) recommends at least once a year, and again whenever something significant changes. A new EHR, a move to a cloud-hosted service, a merger, a new location, or a security incident can all introduce vulnerabilities the last analysis never considered, so treat the analysis as a living document that is updated after such changes rather than as a one-time project.

There is only one way to conduct an analysis.

Not true. There are many valid approaches. The HHS Office for Civil Rights (OCR) publishes guidance on meeting the risk analysis requirement, and NIST Special Publication 800-30, Guide for Conducting Risk Assessments, is another widely used framework. Whatever method you choose, the result must be documented and must cover the elements OCR expects: an inventory of where ePHI is created, received, maintained, or transmitted; the threats and vulnerabilities affecting it; the current safeguards; the likelihood and impact of each threat; and the resulting risk level.

My practice meets the requirement by installing a certified EHR/EMR.

This is a common mistake! A risk analysis must account for all ePHI your organization creates, receives, maintains, or transmits, not just what sits in your electronic health record (EHR) or electronic medical record (EMR). Certification tells you the product has certain security capabilities; it says nothing about how your practice configures and uses it, who has access to it, or where else ePHI ends up: email, billing and scheduling systems, laptops and phones, removable media, backups, and cloud file shares. An EHR/EMR vendor is responsible for the security of its own system, and for the ePHI it handles as your business associate, but it cannot assess or fix risks anywhere else in your environment. That part of the analysis is yours.

The goal of the risk analysis is to identify the threats and vulnerabilities affecting ePHI at your organization and to rate the risk each one poses. The analysis is not the end of the job: the Security Rule's risk management standard (45 CFR § 164.308(a)(1)(ii)(B)) then requires you to reduce those risks to a reasonable and appropriate level, which means putting policies, procedures, and safeguards in place and documenting what you did and why.

Security risk analysis can feel overwhelming. We created our Beginner's Guide to HIPAA Security Risk Analysis to help you identify, prioritize, and address risks to your data.

To learn how the HIPAAtrek platform can help you cultivate a culture of security, request a demo or contact us at support@hipaatrek.com.

Read more: My EMR/EHR Makes Me HIPAA Compliant, Right?
