HIPAA Compliance Risk Assessment: Key Elements

HIPAA requires that covered entities and their business associates conduct a risk assessment of their organization. The assessment verifies that the organization has in place the administrative, physical and technical safeguards that the HIPAA Security Rule requires in order to protect ePHI (Electronic Protected Health Information).

A risk assessment also identifies the areas where threats could compromise the confidentiality, integrity or availability of Protected Health Information (PHI). Risk analysis is the foundation for selecting and implementing effective safeguards for PHI and for meeting the standards and implementation specifications of the Security Rule.

It is therefore imperative that any healthcare organization understand the nuances and details of risk analysis, which the OCR guidance on the Security Rule addresses specifically in terms of safeguards.

Any ePHI that a covered entity or business associate creates, receives, maintains or transmits, in whatever system it is stored, is subject to the Security Rule.

The Security Rule requires entities to assess the risks and vulnerabilities to ePHI in their environments. Once the risks are evaluated, entities are required to implement reasonable and appropriate security measures to safeguard ePHI. Risk analysis is the first step in that process.

Risk analysis gives a systematic review of the risks and vulnerabilities, including those not previously anticipated, that could ultimately compromise the security of ePHI.

The following questions, adapted from NIST Special Publication (SP) 800-66, are examples organizations could consider as part of a risk analysis.

  • Have you identified the e-PHI within your organization? This includes e-PHI that you create, receive, maintain or transmit.
  • What are the external sources of e-PHI? For example, do vendors or consultants create, receive, maintain or transmit e-PHI?
  • What are the human, natural, and environmental threats to information systems that contain e-PHI?

The outcome of the risk analysis is a critical factor in determining whether an implementation specification, or an equivalent alternative measure, is reasonable and appropriate for the organization. There are many ways to perform a risk analysis, and no single method is prescribed as the best one.

The Function of Risk Analysis

The basic function of risk analysis is to ensure that every organization that handles ePHI (Electronic Protected Health Information), directly or indirectly, complies effectively with the HIPAA Security Rule.
