
How to Do a HIPAA Risk Assessment

Terry Mann
Read time: 5 min | Updated on February 26, 2022

HIPAA Risk Assessment

Cybersecurity continues to be a major concern for healthcare organizations. The steady growth in data breaches and cyberattacks against the sector means that CISOs should not hesitate to perform HIPAA security risk assessments and re-evaluate the controls they have in place.

HIPAA is the Health Insurance Portability and Accountability Act of 1996, a U.S. federal law. Its Privacy Rule and Security Rule set national standards for how health information must be protected.

HIPAA sets the standards that protect sensitive patient data. Its design is deliberately flexible: it lets healthcare organizations write their own policies and procedures, fitted to their operations, for protecting protected health information (PHI). Because the controls are not prescribed, the Security Rule (45 CFR 164.308(a)(1)(ii)(A)) requires covered entities and business associates to conduct a risk analysis, so it is important that healthcare facilities and organizations understand and complete a HIPAA risk assessment to find out where they are vulnerable.

This article looks at the steps you will need to follow to do a HIPAA risk assessment.

What are the elements of a HIPAA risk assessment

The elements of a risk assessment are much the same regardless of industry. There are four essential elements, broken down here in relation to HIPAA compliance and the healthcare industry:

  1. Identifying what is at risk – Protected health information, such as patient records, identifying details, dates of birth, addresses, and insurance information, is the asset at risk.
  2. Performing a risk analysis – This identifies the specific types of potential risk. Healthcare providers are prime targets because the electronic protected health information (ePHI) they hold is richly detailed, which makes it very valuable to anyone seeking unauthorized access. The goal here is to identify the different risk levels.
  3. Determining the probability of specific risks and their likely impact – Here you identify what is more likely to happen, such as a data breach or a DDoS attack. Different models can help you estimate the probability of specific risks as you review your technical safeguards, security systems, and data-handling procedures. This gives you a clear sense of which risks are most likely and most harmful. The impact of a potential risk should be measured by the damage it could inflict and the cost of remediation.
  4. Determining the cost of an appropriate solution – Your risk management plan should help you identify the appropriate level of security measures to implement. For example, what is the worst-case scenario, and what is the associated cost of remediation? An organization should not invest in expensive solutions for risks that pose little harm or are extremely rare. A risk assessment should help you determine which solutions are worth investing in, given the probability of each risk occurring and the harm it would cause.

What are the steps you need to follow in a HIPAA risk assessment

Below are the steps you need to follow in a HIPAA risk assessment

Define Key Concepts and Information Flows

This is the first step, and it sets the tone and overall scope of the risk assessment. Here you identify the location and types of assets the organization uses to create, receive, maintain, or transmit ePHI. Examples include smartphones, portable storage devices, and technologies such as email that transmit ePHI.

Once the assessor has defined the media that transmit ePHI, a determination of who has access to ePHI is also a critical component. The information obtained in this step will help the assessor establish areas of impact and document how ePHI flows within the organization.

Define Threats and Vulnerabilities

To determine weaknesses, or whether a security safeguard is adequate, the assessor must have a working knowledge of the terms associated with the three categories of safeguard the HIPAA Security Rule requires – Administrative, Physical, and Technical.

At times the assessor will have to communicate with the technical teams in the organization that oversee the deployment of security safeguards; a shared vocabulary therefore makes this step important to the success of the assessment.

Conduct an Initial Risk Assessment

The third step is a critical component of the assessment. It helps the assessor identify all threats to the confidentiality, integrity, and availability of ePHI.

In this step, vulnerable areas within the organization that can potentially be exploited by cyber actors, insider threats, user errors, or natural events are identified.

Once the threats are identified, this information can be used to develop a risk management strategy to address the vulnerable areas.

Determine the level of risk

In this step, you assign a risk level to every threat and vulnerability pairing identified during the assessment. The level is determined by evaluating the likelihood of each threat together with the impact it would have. The assigned level is highest when a threat is likely to occur and would significantly affect your organization. When there is a low chance of the threat occurring and it would have little impact, it should be assigned a low risk level in your assessment.

Once this step is complete, you will need to document the assigned threat levels and create a list of remedial actions that should be taken to reduce the risk.
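The likelihood-times-impact scoring described above, as an added example that is not part of the original article: a small risk register in Python that scores each finding on a three-point likelihood and impact scale, buckets the product into Low, Medium, or High, and sorts the register into a remediation order. The findings, scale names, and thresholds are all assumptions made for illustration, not real assessment data or a HIPAA-mandated method.

```python
"""Added example (not from the original article): a minimal qualitative
risk register for the 'determine the level of risk' step.

Each finding gets a likelihood and an impact on a 1..3 scale; the product
(1..9) is bucketed into Low / Medium / High, and the register is sorted so
the highest-risk items head the remediation list. Scale names, thresholds
and the sample findings below are all constructed for illustration."""
from collections import Counter
from dataclasses import dataclass

# Ordinal scale shared by likelihood and impact (assumed three-point scale).
RATING = {"low": 1, "medium": 2, "high": 3}


def rating_value(name: str) -> int:
    """Map a qualitative rating to its ordinal; reject anything off the scale
    so a typo in the register cannot silently score as a low risk."""
    try:
        return RATING[name.strip().lower()]
    except KeyError:
        raise ValueError(f"rating must be one of {sorted(RATING)}, got {name!r}") from None


def score_risk(likelihood: str, impact: str) -> int:
    """Risk score = likelihood x impact, range 1..9 on the 3x3 matrix."""
    return rating_value(likelihood) * rating_value(impact)


def risk_level(score: int) -> str:
    """Bucket a 1..9 score. High = likely and damaging (6, 9);
    Medium = 3 or 4; Low = rare and minor (1, 2). Thresholds are assumed."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class Finding:
    asset: str        # where ePHI is created, received, maintained or transmitted
    threat: str       # what could go wrong
    safeguard: str    # Administrative, Physical or Technical
    likelihood: str
    impact: str

    @property
    def score(self) -> int:
        return score_risk(self.likelihood, self.impact)

    @property
    def level(self) -> str:
        return risk_level(self.score)


def prioritize(findings):
    """Order findings for the remediation list: highest score first; when
    scores tie (e.g. 3x1 vs 1x3), the higher-impact item goes first, since a
    rare event that exposes many records still deserves earlier attention."""
    return sorted(findings, key=lambda f: (f.score, rating_value(f.impact)), reverse=True)


def summarize(findings):
    """Count findings per risk level for the documented summary."""
    return dict(Counter(f.level for f in findings))


# Constructed sample register (illustrative only, not real assessment data).
SAMPLE_FINDINGS = [
    Finding("Clinician laptops holding ePHI exports", "Theft of unencrypted device",
            "Technical", "medium", "high"),
    Finding("Email gateway", "Phishing leads to credential theft",
            "Technical", "high", "high"),
    Finding("Backup tapes in locked vault", "Flood destroys backups",
            "Physical", "low", "high"),
    Finding("Guest Wi-Fi", "Visitor misuses guest network",
            "Technical", "medium", "low"),
    Finding("Workforce access reviews", "Terminated employee retains access",
            "Administrative", "medium", "medium"),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f.level:6} {f.score}  {f.asset}: {f.threat} [{f.safeguard}]")
    print(summarize(SAMPLE_FINDINGS))
```

Running the script lists the phishing finding (score 9) first, the laptop theft (6) second, and the guest Wi-Fi misuse (2) last; the backup flood and the access-review gap tie near the middle and are ordered by impact. The rejection of unknown ratings is deliberate: a register that quietly defaults bad input to "low" will hide exactly the findings the assessment exists to surface.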

Continuous compliance

Look at compliance best practices, guidance, and other articles from federal oversight agencies, healthcare associations, and other industry leaders. Learn from their mistakes, challenges, and successes. Read about other organizations’ audit experiences.


The final step is to share what you learn about the HIPAA Security and Privacy rules with your whole organization. It’s important for your staff to know what threats exist in the organization and industry and how dangerous those threats can be. This way, they will know how they can do their part in preventing threats from coming to fruition.

Closing thoughts

As healthcare systems and regulations evolve, potential cybersecurity risks and non-compliance issues arise. It’s critical to continuously evaluate and update your organization’s processes and protections to lessen the threats of security breaches and non-compliance.

If you’d like to see how the Lepide Data Security Platform can help you locate, classify and secure HIPAA-regulated data, schedule a free risk assessment today.

Terry Mann

Terry is an energetic and versatile Sales Person within the Internet Security sector, developing growth opportunities as well as bringing on net new opportunities.
