HIPAA Security Rule Risk Assessment

Covered entities are required to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by them.

Why have a HIPAA Security Rule Risk assessment?

  • Ensure compliance with the HIPAA Security Rule (initial requirement and Meaningful Use)
  • Demonstrate ongoing commitment to reducing risks of ePHI exposure
  • Avoid compliance penalties and fines
  • Reduce threats to systems and ePHI exposure
  • Increase confidence in the safety of ePHI

Benefits from a HIPAA Security Rule Risk Assessment

  • Identify potential ePHI exposures
  • Identify potentially vulnerable systems and data
  • Find areas where training may need improvement
  • Ensure appropriate controls are in place to protect ePHI
  • Provide recommendations to remediate risks

Initial Assessment of HIPAA Security Rule

The HIPAA Security Rule requires identification and implementation of a framework to protect patients’ privacy and to make sure medical information is secure.

Conducting a risk analysis or Risk Assessment is the first step required by the HIPAA Security Rule to identify and implement safeguards that assure compliance. As part of the Risk Assessment you are required to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by a covered entity.” This Risk Assessment must include nine essential elements as identified by the Office of Civil Rights (OCR), the enforcement arm for HIPAA.

Periodic Review of HIPAA Security Rule

Guidance by the OCR notes that the risk analysis/assessment process should be ongoing. The Security Rule does not specify how frequently to perform risk analysis as part of a comprehensive risk management process and the frequency of performance will vary among covered entities. Some covered entities may perform these processes annually or as needed (e.g., bi-annual or every 3 years) depending on circumstances of their environment.

Meaningful Use Assessment

Conducting or reviewing a security risk analysis/assessment to meet the standards of the (HIPAA) Security Rule is included in the meaningful use requirements of the Medicare and Medicaid EHR Incentive Programs. Eligible professionals must conduct or review a security risk analysis/assessment for each EHR reporting period to ensure the privacy and security of their patients’ protected health information.

Client Success Stories

Client Background

A multi-employer Taft-Hartley Trust Fund governed by a Board of Trustees composed of union and employer representatives. Their function is to provide health benefits for union workers in the hospitality, food service and gaming industries. The organization has large offices in Illinois and Nevada along with several smaller offices throughout the country.
An on-site HIPAA Risk Assessment was conducted for the client in the Nevada office. This assessment required detailed reviews of security controls for the client as they related to the Administrative, Physical and Technical Safeguards of the HIPAA Security Rule.
The assessment was completed according to NIST 800-66 Guidelines to determine the potential threats to the exposure of ePHI. It included the nine essential elements required for HIPAA Risk Assessments as identified by the Department of Health and Human Services (HHS) and the Office of Civil Rights (OCR). The methodology used for this assessment included a review of a total of 105 individual security controls through the use of governing documents (policies, procedures, etc.), observations, and interviews.
The result of iiT’s assessment was that the client was in substantial compliance with the requirements of the HIPAA Security Rule. Deliverables included:

  • A corrective action plan that identified several areas where improvements will lower the risk of loss or exposure of ePHI.
  • ePHI Data Flow Diagrams for key business processes that illustrated the flow of ePHI data throughout systems and devices.

Following the successful conclusion of this project, iiT continued to work with this client and has assisted with the development of an Information Security Plan, an update to its Disaster Recovery Plan and an Enterprise Risk Assessment.