Annual HIPAA Risk Assessment

You must complete a HIPAA risk assessment each year, and now is the time to do so. Conducting an annual HIPAA risk assessment is an important part of compliance, as well as being integral to protecting your business against breaches. This is because risk assessments reveal vulnerabilities, threats, and risks to protected health information (PHI), thus uncovering deficiencies in your current security practices.

How Are Vulnerabilities, Threats, and Risks Defined?

The Department of Health and Human Services (HHS) refers to the National Institute of Standards and Technology (NIST) when it comes to cybersecurity. 

NIST Special Publication (SP) 800-30 defines:

  • Vulnerability as “[a] flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.”
  • Threat as “[t]he potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.”
  • Risk as “The net mission impact considering (1) the probability that a particular [threat] will exercise (accidentally trigger or intentionally exploit) a particular [vulnerability] and (2) the resulting impact if this should occur . . . . [R]isks arise from legal liability or mission loss due to—
    1. Unauthorized (malicious or accidental) disclosure, modification, or destruction of information
    2. Unintentional errors and omissions
    3. IT disruptions due to natural or man-made disasters
    4. Failure to exercise due care and diligence in the implementation and operation of the IT system.”

When Is the Best Time to Conduct Your Annual HIPAA Risk Assessment?

The ideal time to perform an annual HIPAA risk assessment is at the end of the calendar year. The end of the year is when strategic planning takes place for the following year. Strategic planning involves considerations such as new technology adoption, personnel changes, and budgeting, among others, and these are the kinds of changes that trigger the obligation to complete a security risk assessment (SRA). By conducting an SRA before the end of the calendar year, an organization will have an excellent idea of what its security posture is before making operational changes that take effect the following year. Also, Medicare and Medicaid require completion of the MIPS Security Risk Assessment by the end of the calendar year. By completing the SRA at the end of the year, you have satisfied both your HIPAA and MACRA/MIPS obligations.

How Do You Prepare for Your Annual HIPAA Risk Assessment?

There are a few steps you can take to help you prepare for your annual HIPAA risk assessment.

  1. Identify the electronic PHI (ePHI) within your organization including ePHI that you create, receive, maintain, or transmit.
  2. Identify external sources of ePHI. These are your business associates that create, receive, maintain, or transmit ePHI on your behalf.
  3. Identify human, natural, and environmental threats to information systems that contain ePHI.

Using a HIPAA Risk Assessment Tool

You can conduct an annual HIPAA risk assessment on your own, but using a risk assessment tool ensures that you don’t miss a step. While the above steps seem pretty straightforward, there are several questions that arise from each of them. For instance, how do you protect your ePHI, how do your business associates protect ePHI, and how do you address threats to ePHI? These questions are just a few of the many that you need to answer in order to conduct an acc