HIPAA Security Risk Assessment: Going Beyond Regulatory Compliance

By Joseph Loecher on July 1, 2019
If your organization creates, receives, maintains, or transmits protected health information (PHI), whether on paper or in electronic form (ePHI), your organization must comply with the Health Insurance Portability and Accountability Act (HIPAA). HIPAA applies directly to "covered entities" (healthcare providers, health plans, and healthcare clearinghouses), and it also applies to a covered entity's business associates. A HIPAA business associate is any individual or entity that performs services on behalf of a covered entity and creates, receives, maintains, or transmits PHI in doing so. If your organization is either a covered entity or a business associate, the HIPAA Security Rule requires you to perform a risk analysis of the threats to your ePHI. Beyond satisfying the regulatory requirement, a HIPAA security risk assessment shows how ePHI flows through and affects your business functions, exposes shortcomings, and adds value to overall operations in the following ways:

HIPAA regulatory compliance

A key objective of a HIPAA risk assessment is to demonstrate compliance with the HIPAA regulation, for both covered entities and business associates. Failure to perform a thorough risk analysis is a violation of the Security Rule's risk analysis requirement at 45 CFR 164.308(a)(1)(ii)(A), which in turn can lead to investigations by the HHS Office for Civil Rights (OCR) and subsequent civil monetary penalties. OCR also expects the risk analysis to be documented, to cover all ePHI the organization holds, and to be updated as systems and operations change; a one-time assessment that sits in a drawer does not satisfy the requirement. OCR's penalties are tiered by degree of culpability: from the entity not knowing, and not reasonably being able to know, that a violation occurred, through reasonable cause, to willful neglect that is not corrected, at the most severe end of the spectrum. Across multiple violations, penalties can exceed ten million dollars, depending on the severity and duration of the violations.

Understanding of the flow of protected health information in transit and at rest

During the HIPAA risk assessment, the flow of PHI (electronic and hard copy) through the entity is evaluated. By identifying every channel through which PHI is transmitted, received, maintained, and stored, inside and outside the entity's perimeter, including the business associates and other third parties that handle it, the entity can better understand its exposure and current practices related to PHI. The practical check here is whether every system, vendor, and storage location that holds ePHI appears in the inventory: ePHI that is not inventoried is not assessed, and is exactly where an unnoticed breach tends to happen. With this knowledge, an entity can take a proactive approach to security and compliance and apply corrective actions before a breach occurs.

Understanding of HIPAA high-risk areas and respective countermeasures

In performing a HIPAA risk assessment, your organization identifies high-risk areas related to the confidentiality, integrity, and availability of PHI and evaluates the security controls currently in place to reduce the likelihood and/or impact of each risk event. From this evaluation, an entity gains an understanding of the design effectiveness of its current controls and of any corrective actions needed to address gaps in control design. A control that is well designed but not consistently operated does not reduce risk, so assessing operating effectiveness, not only design, is what tells you whether a control is actually working. These assessments are also critical in estimating the potential impact of a breach of PHI on your organization.

Aid in business continuity and disaster recovery planning and availability baselines related to protected health information

A HIPAA risk assessment requires examination of the controls that keep PHI available. Through this examination, an organization gains a baseline understanding of its current efforts to ensure the availability of protected health information, and can address any weaknesses and adjust its business continuity and disaster recovery plans accordingly. The Security Rule's contingency plan standard calls for data backup, disaster recovery, and emergency mode operation plans, together with testing and revision of those plans. An often overlooked component of business continuity and disaster recovery planning is the safeguarding of PHI during a disaster event: data restored from backup, handled at an alternate site, or accessed under emergency procedures is still PHI and still needs access controls and audit logging. A quality HIPAA risk assessment forces an organization to consider the mechanisms in place to safeguard PHI in those circumstances, and with an availability baseline the entity can bolster its plans to cover appropriate handling of PHI during a disaster.

Integrity of PHI during processing lifecycle

Throughout the PHI processing lifecycle, PHI is received, maintained, transmitted, and stored. At each stage there are opportunities for errors, and for deliberate tampering, to corrupt the integrity of the data. As part of a HIPAA risk assessment, an organization must identify the mechanisms it currently uses to maintain the integrity of PHI during processing, such as input validation, reconciliation between systems, and mechanisms that detect improper alteration or destruction of ePHI. This evaluation also identifies any unmitigated risks or gaps in control design relative to the integrity of PHI.

Identify privacy shortcomings from internal operations

An often overlooked HIPAA privacy and security risk is internal operations. When developing control procedures around the privacy of PHI, many entities do not put adequate safeguards in place to restrict internal employees from inappropriate access. Employees who have no business need for the information can then obtain PHI and inappropriately remove it from the entity, causing a breach and exposing the entity to possible HIPAA violations. The check here is the minimum necessary standard: access should be limited to the PHI an employee's role requires, and access to records should be logged and reviewed so that inappropriate viewing is detected promptly rather than discovered after the data has already left. Through Freed Maxick's procedures, internal privacy shortcomings are identified and corrective actions are recommended. From these recommendations, an entity can proactively address any internal privacy gaps and correct them before a breach occurs.

Why Freed Maxick for a HIPAA security risk assessment?

Our team of HIPAA experts will work with you and your organization to review your entity's needs and find the right HIPAA service for you. Freed Maxick can act as an independent examiner and issue an opinion (AT-C 601) on your current HIPAA compliance, or as a consultant to help identify and address any current gaps in HIPAA compliance. By conducting a thorough risk assessment of your organization's HIPAA compliance program, we can help you identify weak areas in your current processes and advise you on the most effective and efficient ways to achieve and maintain compliance.

For more information regarding how Freed Maxick can complete a HIPAA risk assessment or any other HIPAA service offering questions, please contact me at joseph.loecher@freedmaxick.com.
