HIPAA Risk Assessment

An organization’s creation, receipt, maintenance, or transmission of any protected health information (PHI) is subject to potential risks and vulnerabilities, which are the focus of a HIPAA risk assessment.

Because covered businesses and business partners differ in size, complexity, and skills, the U.S. Department of Health & Human Services (HHS) does not establish a specific risk analysis approach. HHS advises that to achieve the goal of a HIPAA risk assessment, a company should:

  • Determine the locations of PHI used for storage, receipt, maintenance, or transmission. Identify and record potential threats and vulnerabilities.
  • Examine the security procedures in place now to protect PHI.
  • Examine how well the current security measures are being used.
  • Analyze the possibility of a threat that was conceivably foreseeable and the probable effects of a PHI breach.
  • Give combinations of vulnerabilities and impacts a risk rating.
  • Keep track of the evaluation and take appropriate action.

HIPAA risk assessments must be periodically reviewed when establishing new work processes or adding new technology.


See Scrut in action!