
HIPAA Risk Assessment

A HIPAA risk assessment (the "risk analysis" required by the Security Rule) identifies and evaluates the risks and vulnerabilities to the confidentiality, integrity, and availability of any protected health information (PHI) that an organization creates, receives, maintains, or transmits.

Because covered entities and business associates differ in size, complexity, and capabilities, the U.S. Department of Health & Human Services (HHS) does not prescribe a single risk analysis methodology. HHS guidance advises that, to meet the objective of a HIPAA risk assessment, an organization should:

  • Identify where PHI is stored, received, maintained, or transmitted, and document the potential threats and vulnerabilities at each location.
  • Assess the security measures currently in place to protect PHI.
  • Assess whether those security measures are configured and used effectively.
  • Determine the likelihood that a reasonably anticipated threat will occur and the potential impact of a resulting PHI breach.
  • Assign a risk level to each combination of threat, vulnerability, and impact.
  • Document the assessment and take appropriate action to mitigate the identified risks.

A HIPAA risk assessment is not a one-time exercise: it must be reviewed and updated periodically, and whenever new business processes are introduced or new technology is added to the environment.
