SchellmanCON is back! Join us for our virtual conference on March 6 & 7, 2025

Contact Us
Services
Services
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Sustainability Services
Sustainability Services
AI Services
AI Services
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships

Best Practices for Conducting HIPAA Risk Assessments

Healthcare Assessments

If you’re in healthcare, you likely already know that maintaining HIPAA compliance requires a very thorough risk assessment. What you may not know is that HIPAA risk assessments are also an aspect of the law that is too often overlooked.

As seasoned HIPAA assessors, we’ve seen firsthand how organizations have fallen into compliance pitfalls regarding their risk management and assessments, and we want to offer some insight to help you avoid a similar situation.

In this article, we’ll go over the HIPAA risk assessment requirements before breaking down the process into nine essential steps you should follow as a best practice. Not only will this help you better solidify your compliance so you can avoid potential violations and related penalties in this area, but you’ll also have a stronger risk program overall.

Why are HIPAA Risk Assessments Important?

Because these things aren’t just about compliance. Performing a security risk assessment is a critical first step to identifying vulnerabilities that could result in a breach of electronic protected health information (ePHI). Before you can implement the appropriate safeguards, you need to perform a risk assessment that will help you understand:

  • Where ePHI can be accessed;
  • What can threaten the integrity and security of ePHI; and
  • Where there are potential gaps in your security that you need to shore up.

Not only will a risk assessment reveal weaknesses in your business—allowing you to mitigate them before they become an issue—but your documented risk assessment results will be the first document you will be required to show an Office for Civil Rights (OCR) auditor during a HIPAA audit or following a breach.

Given such multi-faceted importance, you should conduct a risk assessment annually (with periodic updates throughout the year when changes occur) as part of your HIPAA compliance procedures. 

Think about it like this—if you were about to go hang-gliding, you wouldn’t just leap off the mountain and hope for the best, would you? Rather, you’d likely thoroughly plan what path to take, evaluate any potential obstacles to avoid, and factor in other affecting elements like wind speed and direction. In other words, you’d conduct a comprehensive risk assessment.

Common Pitfalls with HIPAA Risk Assessment

“Comprehensive” is the key word. It’s not enough to just perform a risk assessment—you also need to make sure your endeavor meets the specific requirements of the HIPAA Security Rule, and that will require a level of thoroughness you may not be aware of nor well-practiced in.

You’re not alone in that respect—in 2020, 67% of OCR fines cited insufficient risk assessment as the reason for monetary penalties levied, and common reasons HIPAA risk assessments were cited as insufficient included:

  • It wasn’t enterprise-wide or comprehensive enough to sufficiently scope the enterprise-wide ePHI environment.
  • Governance of information security risks was ineffective or not present.
  • Identified risks requiring some form of treatment or mitigation were ignored and/or not documented sufficiently.
  • There was willful neglect and a risk assessment was not completed.
  • The methodology was incorrect and threats, vulnerabilities, security controls, likelihood, impact, and risk determination are not evident.
  • Previous guidance from the Office of Civil Rights (OCR) and recommendations were ignored.

9 Essential Steps of a HIPAA Risk Assessment

And while there are numerous ways you can perform a risk assessment—there’s no single method or “best practice” that guarantees compliance with the Security Rule—there are several steps you should take every time.

According to the OCR guidance, an OCR-ready risk assessment must include the following nine elements:

Step

What to Do

1. Create a Comprehensive Scope of the Analysis

Make sure your risk assessment includes all relevant risks and vulnerabilities to the:

  • Confidentiality;
  • Availability; and
  • Integrity of all ePHI that you create, receive, maintain, or transmit.

2. Collect Data

Pinpoint all locations where ePHI is stored, received, maintained, or transmitted.

**Note that this is a particular point of emphasis for the OCR.

3. Identify and Document Vulnerabilities

Name and record all reasonably anticipated threats to the ePHI that is currently being stored, received, maintained, or transmitted—this may change year over year and should be as comprehensive as possible, as this information affects several steps that follow.

4. Determine the Likelihood of Occurrence

For all threats identified, determine the likelihood (probability) of the threat occurring. It is ideal if both the inherent (before controls) and residual (after controls) likelihood are determined for each threat.

5. Determine the Potential Impact of Threat Occurrence

For all threats identified, determine the potential impact (consequences) should the threat actually occur, including consideration of:

  • Financial;
  • Legal;
  • Operational;
  • Clinical; and
  • Regulatory costs.

Ideally, you should also establish both the inherent (before controls) and residual (after controls) impact for each threat.

6. Determine the Level of Risk

To do this, take the likelihood of occurrence and multiply it by the potential impact—NIST recommends using a 5 x 5 matrix of:

Very High, High, Moderate, Low, and Very Low

You can use this to rate both likelihood and impact before multiplying them to determine the level of risk for each threat you identified. Risk calculated with a likelihood of 5 (high) and an impact of 5 (high) would have a risk level of 25 and would be considered a critical risk.

Once you’ve done this for each threat, you can better classify treatment of these risks as either accept, avoid, mitigate, or transfer, and you should prepare written action plans for those with the highest residual risk.

7. Assess Current Security Measures

Evaluate your implemented security controls and ensure they are working to reduce the likelihood and impact of threats identified previously and make any necessary additions.

8. Finalize Complete Documentation

As the OCR often says, “show your work”—document the risks and identify strengths, weaknesses, deficiencies, etc., in your security controls associated with the threats and vulnerabilities, as this documentation is a direct input to the risk management process.

 

A risk assessment must be documented and include all of the elements listed above. You should also document your resulting risk management plan, which must include:

  • A review of progress made on approved remediation activities; and
  • Results of the testing of your controls to assure their effectiveness.

9. Continually Manage Risk

You should repeat this process annually, but you should also perform a new risk assessment whenever you introduce operational, technological, or environmental changes.

Another key component of HIPAA states that all deficiencies uncovered by your risk assessment must then be remediated and fixed. Any efforts you take toward remediating these gaps must be documented in your formalized risk management plans, including:

  • Every gap uncovered by your risk assessments;
  • The individual within your organization responsible for fixing each gap;
  • How the gap will be fixed; and
  • The timeline for completion of your remediation efforts.

More Resources For Your HIPAA Risk Assessment

The above is based on OCR guidance, which draws heavily from NIST Special Publication 800-30 (Guide for Conducting Risk Assessments)—consider it another valuable tool for understanding basic risk assessment methodology.

For even more support—if a different kind—the OCR provides an online tool that can be particularly helpful for small/medium-sized healthcare practices and business associates to perform their risk assessments. However, this tool only provides the basics for performing the assessment itself—for a more detailed breakdown of its function, click here.

Maintaining Your HIPAA Compliance

We mentioned earlier that you wouldn’t go hang-gliding without a risk assessment—that’s just good sense. For those attempting to achieve or maintain HIPAA compliance, a comprehensive risk assessment isn’t just good sense—it’s also required, and now you understand some of the common pitfalls as well as what steps are critical to your next HIPAA risk assessment.

As you work to strengthen your process, you may be interested in having your efforts evaluated. Schellman offers an abbreviated assessment we call HIPAA Express that is risk-focused and can help bolster your due diligence—if you’re interested in learning more, please contact us today.

And even if not, our other content can help you navigate the complexities of HIPAA more easily, so be sure to check it out:

About Schellman

Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.