HIPAA Breach Risk Assessment

When working in healthcare, it is important to understand how HIPAA applies to your organization. Whether you are a HIPAA covered entity (CE), Business Associate (BA), or Managed Service Provider (MSP), you have an obligation to your patients and clients to adhere to HIPAA standards. Part of HIPAA compliance is completing a HIPAA breach risk assessment.

What is a HIPAA Breach Risk Assessment?

A HIPAA breach risk assessment is a self-audit that is required to be completed annually. Completing the self-audit allows you to determine if there are any gaps in your organization’s security practices that would leave your organization vulnerable to a healthcare breach. 

The Health Insurance Portability and Accountability Act (HIPAA) requires organizations working in healthcare to have administrative, physical, and technical safeguards in place to secure protected health information (PHI). PHI is individually identifiable health information; HIPAA recognizes 18 identifiers that make health information individually identifiable.

HIPAA Safeguards

  • Administrative: written policies and procedures that must be customized to apply to an organization’s business processes. All employees must be trained on the organization’s policies and procedures.
  • Physical: the security of an organization’s physical site, with measures such as installing video cameras, alarms, and keypad locks that allow organizations to issue a unique access code to each employee.
  • Technical: cybersecurity measures put in place to protect PHI on electronic devices, such as encryption or firewalls. All devices containing PHI should have protections that ensure the integrity of PHI is maintained.

Conducting a HIPAA breach risk assessment gives your organization a full picture of your current security practices, measuring them against HIPAA requirements. Gaps in administrative, physical, and technical safeguards can pose a huge risk to your organization as healthcare breaches continue to rise.

Why HIPAA Safeguards are Important

Healthcare organizations are increasingly targeted by hackers because they are seen as easy targets. The amount of information a healthcare organization holds on its patients is vast, which is why protecting PHI should be a top priority for anyone working in healthcare.

PHI includes:

  1. Patient names  
  2. Geographical elements (such as a street address, city, county, or zip code)
  3. Dates related to the health or identity of individuals (including birthdates, date of admission, date of discharge, date of death, or exact age of a patient older than 89)
  4. Telephone numbers
  5. Fax numbers
  6. Email addresses
  7. Social security numbers
  8. Medical record numbers
  9. Health insurance beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers
  13. Device attributes or serial numbers
  14. Digital identifiers, such as website URLs 
  15. IP addresses
  16. Biometric elements, including finger, retinal, and voiceprints
  17. Full face photographic images 
  18. Other identifying numbers or codes 

HIPAA Breach Notification

In the event of a healthcare breach, organizations are required to report the breach.

  • Meaningful Breach: affects 500 or more individuals. A meaningful breach must be reported within 60 days of discovery to the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), to the affected individuals, and to the media. Meaningful breaches are displayed on the OCR’s “wall of shame.”
  • Minor Breach: affects fewer than 500 individuals. A minor breach must be reported to the OCR and to the affected individuals by the end of the calendar year.

Completing a HIPAA breach risk assessment will limit the risk of experiencing a healthcare breach. Healthcare breaches can be extremely costly when all costs are factored in, including breach notification, remediation efforts, HIPAA fines, downtime, and damage to your reputation.