supernav-iconWebinar: The Future of Cyber Security with Expert Keren Elazari

Contact Sales

  • Sign In
  • Get Started
HomeBlogHow to Conduct a HIPAA Risk Assessment

How to Conduct a HIPAA Risk Assessment

The HIPAA requires that covered entities and its business associates conduct a risk assessment. Keep reading to learn how to complete one.
Troy Fine

by Troy Fine

January 13, 2023
How to Conduct a HIPAA Risk Assessment (1)
What is a HIPAA Risk Assessment?How Do You Get Started With a HIPAA Risk Assessment?What Is Involved in the HIPAA Risk Assessment Process?After Your Assessment: Developing a Risk Management PlanHIPAA Compliance FAQS: Answered

There are thousands of HIPAA complaints every year. Has your organization done the preparation to be in compliance? According to the most recent data from the U.S. Department of Health and Human Services, there have been over 300,000 complaints from April 2003 to October 2022. The consequences of these complaints can vary, from losing patient trust to fines and legal complications. Do you want to minimize the risk that your organization will face these consequences? This post will cover what a HIPAA risk assessment is and tell you how to complete one as part of the compliance and risk management process

What is a HIPAA Risk Assessment?

To understand this, you first need to have an understanding of what HIPAA is. HIPAA stands for the Health Insurance Portability and Accountability Act. This is a federal regulation that protects health information privacy. HIPAA requires covered entities—any healthcare provider or organization that transmits electronic health information in connection with certain transactions—to conduct annual risk assessments to determine their security risks and vulnerabilities.

Specifically, HIPAA risk assessment is a process to identify, assess and control risks to patient privacy by understanding how information flows within an organization from collection through use and disposal. In addition, the risk assessment aims to determine what steps need to be taken to ensure compliance with HIPAA regulations for all healthcare providers and professionals who handle protected health information (PHI).

How Do You Get Started With a HIPAA Risk Assessment?

Before you jump into doing your own HIPAA risk assessment, it’s helpful to know what kind of risks have an impact. Some risks may be common for the industry at large, and others may have the potential to present themselves more frequently because of your business operations or location. Here are a few examples. 

  • Theft or loss of laptops/devices containing protected health information

  • Unauthorized access by a third party (ex: employee misuse)

  • Physical damage due to natural disasters (ex: flooding)

Spend some time thinking through this before you begin the assessment process. You may also want to get other stakeholders involved to help you better understand the risks that your organization faces. 

What Is Involved in the HIPAA Risk Assessment Process?

Risk analysis is the first step in Security Rule compliance efforts. This is an ongoing effort that should provide your organization with a detailed understanding of the risks to the confidentiality, integrity, and availability of e-PHI. The first part of the risk assessment process itself is identifying the risks, threats, and vulnerabilities. Once you understand what may be putting your practice at risk, you can determine the likelihood of risk. This will help you decide how much time and effort should be spent mitigating the potential threat. If you need help thinking through what these risks look like, take a look at these sample questions that come directly from the HHS:

  • Have you identified the e-PHI within your organization? This includes e-PHI that you create, receive, maintain or transmit.

  • What are the external sources of e-PHI? For example, do vendors or consultants create, receive, maintain or transmit e-PHI?

  • What are the human, natural, and environmental threats to information systems that contain e-PHI?

The answers you come up with and the outcome of the risk analysis process are critical to assessing whether the implementation of a new measure or process is necessary.

After Your Assessment: Developing a Risk Management Plan

HIPAA risk management is a process that involves identifying, assessing, and mitigating risks to patient information. All of that is a requirement to be in compliance, and it isn’t something you set and forget. It’s an ongoing process, and the HIPAA Privacy Rule requires covered entities to have a risk management plan in place. 

As you implement new processes based on the findings of your assessment, you’ll need to obtain and review policies and procedures related to risk management and log them. Ensure that you document how these risks will be managed, how often you’ll review your risks, as well as who plays a role in the management process and what their responsibilities are. 

Developing a plan following your assessment is not a task you can put off until after something happens. This plan is meant to be a proactive measure to help you minimize the impact if your organization ever experiences a breach. Your goal is to show that the security measures you have in place are enough to mitigate or remediate identified risks.

HIPAA Compliance FAQS: Answered

Staying in compliance with HIPAA doesn’t have to create stress for you or your team. It becomes much easier when you know what to expect and how to manage your time and resources. Here are a couple of commonly asked questions.

How Often is a HIPAA Risk Assessment Required?

A HIPAA risk assessment is required as needed but is recommended yearly. Your work and circumstances play a role. For example, covered healthcare providers that are involved in research activities should conduct a risk assessment at least annually to determine the extent potential risks may have changed. Before you come up with an assessment schedule, understand how your organization’s specifics make an impact.

How Much Does a HIPAA Risk Assessment Cost?

The cost of a HIPAA risk assessment varies greatly, depending on the size of your organization and your specific assessment. For medium and large healthcare organizations, it’s not uncommon for costs associated with HIPAA risk assessments to be tens of thousands of dollars. The cost will be largely determined by if you choose to perform the assessment internally or work with a third party.

Ready to Automate HIPAA Compliance?

For HIPAA, Drata is providing the same streamlined user experience and interface we’re known for. You have one dashboard giving you a central view of your security and compliance posture at any time. Manage all of your regulations and controls in one place. Interested in learning more? Schedule a demo to see what Drata can do for you.

Trusted Newsletter
Resources for you
8 Benefits of Shift Left Compliance

7 Benefits of Shift-Left Compliance

G2 Summer 2024 Thumb

Drata Shines in G2 Summer 2024 Reports

Image - Drata GRC Maturity Model

Charting Your Course to Compliance Excellence: Navigating the Drata GRC Maturity Model

Troy Fine
Troy Fine
Troy Fine is a 10-year auditor. His area of expertise focuses on building sound cybersecurity risk management programs that meet security compliance requirements. Troy is a CPA, CISA, CISSP, and CMMC Provisional Assessor. His areas of expertise include, GRC, SOC 2 audits, SOC 2+ examinations, CMMC, NIST 800-171, NIST 800-53, Sarbanes-Oxley Section 404 compliance, HITRUST, HIPAA, ISO 27001, and third-party risk management assessments.
Related Resources
HIPAA vs HITRUST hero image


HIPAA vs. HITRUST: Key Differences Explained

HIPAA Compliance Checklist Hero

HIPAA Compliance Checklist: Essential Steps for Compliance [2023]

HIPAA Compliance Healthtech

HIPAA Compliance: How Healthtech Companies Can Remain Compliant

How to Conduct a HIPAA Risk Assessment (1)

How to Conduct a HIPAA Risk Assessment