What is a Risk Assessment?

As a reminder, one of the most important aspects of complying with the HIPAA Security Rule is to perform a Security Risk Assessment (also known as a Security Risk Analysis) to evaluate how an organization is protecting patient data. Every organization covered by HIPAA (Covered Entities and Business Associates) must perform an SRA. According to the Office for Civil Rights (OCR), the HHS division that enforces HIPAA, the SRA is THE most important document in HIPAA compliance. It is the document that will be looked at first in any type of audit or investigation.

Why is a risk assessment so important?

Simply put, the output of the SRA gives you recommendations on how to reduce the risk of a data breach, which is what HIPAA security is all about.

How does it work? The SRA looks at all systems that contain electronic protected health information (ePHI, or patient information). It evaluates all the threats to ePHI, looks at all vulnerabilities in the systems that contain ePHI, and evaluates the protections currently in place to protect ePHI. Based on all of the information that is gathered and evaluated, the results of the SRA show the areas of greatest risk of a breach and provide a playbook (we call it the Work Plan) for how additional protections can lower the risk of a breach of patient information.

In addition to providing recommendations on how to reduce the risk of a data breach, the SRA process is widely considered to be a best practice in cybersecurity circles. Cybersecurity is an issue for all organizations to deal with, not just HIPAA covered entities. Many organizations that are not in the healthcare field conduct regular SRAs as a way of reducing risk in their business and helping keep their business systems operational.

There are several methods used to perform an SRA. Our partner, HIPAA Secure Now!, follows a process from the National Institute of Standards and Technology (NIST) called 800-30. The 800-30 guideline is recommended by HHS/OCR for performing SRAs. HIPAA Secure Now! has been involved in audits, investigations, and reviews with different regulatory bodies, and every time our SRA has been accepted as valid.

For many organizations, an SRA can be a time-consuming process. Not so with HIPAA Secure Now! clients. We have spent many years perfecting a process that minimizes the amount of time required to perform a comprehensive SRA.

As mentioned above, the SRA will point out areas where the risk of a data breach can be reduced. A key point is that it is not possible to eliminate all risks. No matter how much an organization spends to implement additional security measures, some risks cannot be completely eliminated. The goal of implementing the recommendations of a risk assessment is to lower risk to the point that it is acceptable to the organization.
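To make the process described above concrete (threats, vulnerabilities and existing protections per ePHI system, ranked into a Work Plan, with residual risk that never reaches zero), here is an added example in the spirit of a NIST 800-30 qualitative assessment. It is not HIPAA Secure Now!'s tool or method; the three-level scale, the numeric weights, the 3x3 rating matrix and the sample inventory are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Three-level qualitative scale. The numeric weights are an assumption used
# only to rank risks; they are not values prescribed by NIST SP 800-30.
LEVELS = {"low": 1, "moderate": 2, "high": 3}

@dataclass
class Risk:
    system: str            # asset that stores or transmits ePHI
    threat: str            # threat event
    vulnerability: str     # weakness the threat could exploit
    likelihood: str        # likelihood today, given existing protections
    impact: str            # impact on ePHI confidentiality/integrity/availability
    safeguard: str         # recommended additional protection
    likelihood_after: str  # assumed likelihood once the safeguard is in place
    impact_after: str      # assumed impact once the safeguard is in place

def score(likelihood: str, impact: str) -> int:
    return LEVELS[likelihood] * LEVELS[impact]

def rating(likelihood: str, impact: str) -> str:
    """Map likelihood x impact onto a risk level (assumed 3x3 matrix)."""
    s = score(likelihood, impact)
    return "high" if s >= 6 else "moderate" if s >= 3 else "low"

def work_plan(risks: list[Risk], acceptable: str = "moderate") -> list[dict]:
    """Risks above the organization's acceptable level, highest first,
    each with the residual rating expected after its safeguard is applied."""
    plan = []
    for r in risks:
        current = rating(r.likelihood, r.impact)
        if LEVELS[current] <= LEVELS[acceptable]:
            continue  # already within risk tolerance; no Work Plan item
        plan.append({"system": r.system, "threat": r.threat, "current": current,
                     "score": score(r.likelihood, r.impact), "safeguard": r.safeguard,
                     "residual": rating(r.likelihood_after, r.impact_after)})
    plan.sort(key=lambda p: p["score"], reverse=True)
    return plan

# Constructed sample inventory, not real findings.
SAMPLE = [
    Risk("EHR server", "ransomware via phishing e-mail", "no MFA on remote access",
         "high", "high", "enforce MFA and patch cadence", "low", "high"),
    Risk("Clinic laptop", "device theft", "disk not encrypted",
         "moderate", "high", "full-disk encryption", "moderate", "low"),
    Risk("Front-desk workstation", "unauthorized viewing", "no screen lock",
         "moderate", "low", "automatic screen lock", "low", "low"),
]

if __name__ == "__main__":
    for item in work_plan(SAMPLE):
        print(item)
```

Note that the EHR item stays at moderate residual risk even after MFA and patching: the safeguard lowers likelihood, but the impact of losing that system remains high, which is the point that some risk can only be reduced, not eliminated.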

Have questions? Need help?

Call us at 859-245-0582 or click here to reach out to us.

You might also be interested in our other article on HIPAA Compliance, “What are the HIPAA standards for IT”. Click here to read it now.

Next Century Technologies has teamed up with HIPAA Secure Now to bring comprehensive HIPAA compliance solutions and advice, at a reasonable price, to establishments that fall under HIPAA. We thank our partners at HIPAA Secure Now for providing the content for this article.