How to Conduct a HIPAA Risk Assessment

by Troy Fine

January 13, 2023
HIPAA requires that covered entities and their business associates conduct a risk assessment. Keep reading to learn how to complete one.

There are thousands of HIPAA complaints every year. Has your organization done the preparation to be in compliance? According to the most recent data from the U.S. Department of Health and Human Services, there have been over 300,000 complaints from April 2003 to October 2022. The consequences of these complaints can vary, from losing patient trust to fines and legal complications. Do you want to minimize the risk that your organization will face these consequences? This post will cover what a HIPAA risk assessment is and tell you how to complete one as part of the compliance and risk management process.

What is a HIPAA Risk Assessment?

To understand this, you first need to have an understanding of what HIPAA is. HIPAA stands for the Health Insurance Portability and Accountability Act. This is a federal regulation that protects health information privacy. HIPAA requires covered entities—any healthcare provider or organization that transmits electronic health information in connection with certain transactions—to conduct annual risk assessments to determine their security risks and vulnerabilities.

Specifically, a HIPAA risk assessment is a process to identify, assess, and control risks to patient privacy by understanding how information flows within an organization from collection through use and disposal. In addition, the risk assessment aims to determine what steps need to be taken to ensure compliance with HIPAA regulations for all healthcare providers and professionals who handle protected health information (PHI).

How Do You Get Started With a HIPAA Risk Assessment?

Before you jump into doing your own HIPAA risk assessment, it’s helpful to know what kinds of risks are likely to affect you. Some risks are common to the industry at large, and others may present themselves more frequently because of your business operations or location. Here are a few examples.

  • Theft or loss of laptops/devices containing protected health information

  • Unauthorized access by a third party or insider (e.g., employee misuse)

  • Physical damage due to natural disasters (e.g., flooding)

Spend some time thinking through this before you begin the assessment process. You may also want to get other stakeholders involved to help you better understand the risks that your organization faces. 

What Is Involved in the HIPAA Risk Assessment Process?

Risk analysis is the first step in Security Rule compliance efforts. It is an ongoing effort that should give your organization a detailed understanding of the risks to the confidentiality, integrity, and availability of e-PHI. The first part of the risk assessment process itself is identifying the risks, threats, and vulnerabilities. Once you understand what may be putting your practice at risk, you can determine the likelihood of each risk. This will help you decide how much time and effort should be spent mitigating the potential threat. If you need help thinking through what these risks look like, take a look at these sample questions that come directly from the HHS:

  • Have you identified the e-PHI within your organization? This includes e-PHI that you create, receive, maintain or transmit.

  • What are the external sources of e-PHI? For example, do vendors or consultants create, receive, maintain or transmit e-PHI?

  • What are the human, natural, and environmental threats to information systems that contain e-PHI?

The answers you come up with and the outcome of the risk analysis process are critical to assessing whether the implementation of a new measure or process is necessary.

After Your Assessment: Developing a Risk Management Plan

HIPAA risk management is a process that involves identifying, assessing, and mitigating risks to patient information. All of that is a requirement to be in compliance, and it isn’t something you set and forget. It’s an ongoing process, and the HIPAA Privacy Rule requires covered entities to have a risk management plan in place. 

As you implement new processes based on the findings of your assessment, you’ll need to obtain and review policies and procedures related to risk management and log them. Ensure that you document how these risks will be managed, how often you’ll review your risks, as well as who plays a role in the management process and what their responsibilities are. 

Developing a plan following your assessment is not a task you can put off until after something happens. This plan is meant to be a proactive measure to help you minimize the impact if your organization ever experiences a breach. Your goal is to show that the security measures you have in place are enough to mitigate or remediate identified risks.

HIPAA Compliance FAQs: Answered

Staying in compliance with HIPAA doesn’t have to create stress for you or your team. It becomes much easier when you know what to expect and how to manage your time and resources. Here are a couple of commonly asked questions.

How Often is a HIPAA Risk Assessment Required?

A HIPAA risk assessment is required as needed but is recommended yearly. Your work and circumstances play a role. For example, covered healthcare providers that are involved in research activities should conduct a risk assessment at least annually to determine the extent to which potential risks may have changed. Before you come up with an assessment schedule, understand how your organization’s specifics make an impact.

How Much Does a HIPAA Risk Assessment Cost?

The cost of a HIPAA risk assessment varies greatly, depending on the size of your organization and the scope of your specific assessment. For medium and large healthcare organizations, it’s not uncommon for costs associated with HIPAA risk assessments to be tens of thousands of dollars. The cost will be largely determined by whether you choose to perform the assessment internally or work with a third party.

Ready to Automate HIPAA Compliance?

For HIPAA, Drata is providing the same streamlined user experience and interface we’re known for. You have one dashboard giving you a central view of your security and compliance posture at any time. Manage all of your regulations and controls in one place. Interested in learning more? Schedule a demo to see what Drata can do for you.

Troy Fine
Director of Risk & Compliance