As stated in the Guidance on Risk Analysis Requirements under the HIPAA Security Rule, the Department of Health and Human Services (HHS) requires all organizations handling electronic protected health information (e-PHI) to conduct a Risk Analysis.

How does HHS define a Risk Analysis? As “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].”

To help you sort through the extensive documentation on this topic, here are some of the common questions healthcare organizations are asking about the Risk Analysis, and some quick answers to each.

What type of information is subject to the Rule?

All e-PHI created, received, maintained, or transmitted by an organization is subject to this Security Rule.

What happens if my organization fails to comply?

If an organization fails to complete a Risk Analysis as required under the HIPAA Security Rule, there may be severe penalties imposed, including monetary fines. The Office for Civil Rights of the Department of Health and Human Services (OCR) does not consider ignorance of HIPAA rules and regulations to be a justifiable defense.

Are there rules about how my organization must analyze risk under this Rule?

There are numerous methods of performing Risk Analysis and there is no single method or “best practice” that guarantees compliance with the Security Rule. The Security Rule does not prescribe a specific Risk Analysis methodology, recognizing that methods will vary dependent on the size, complexity, and capabilities of the organization. Instead, the Rule identifies Risk Analysis as the foundational element in the process of achieving compliance, and it establishes several objectives that any methodology adopted must achieve.  Read more about the objectives in the HIPAA Security Rule.

I’ve heard there are mandatory components of the Risk Analysis – what are they?

The HHS Security Standards Guide outlines nine mandatory components of a Risk Analysis that healthcare organizations and healthcare-related organizations that store or transmit e-PHI must include in their document:

  1. Scope of the analysis – Any potential risks and vulnerabilities to the privacy, availability, and integrity of e-PHI.
  2. Data collection – Where does the e-PHI go? Locate where data is being stored, received, maintained, or transmitted.
  3. Identify and document potential threats and vulnerabilities – Identify and document any anticipated threats to sensitive data and any vulnerabilities that may lead to leaking of e-PHI.
  4. Assess current security measures – What kind of security measures are you taking to protect your data?
  5. Determine the likelihood of threat occurrence  Take account the probability of potential risks to e-PHI.
  6. Determine the potential impact of threat occurrence – By using either qualitative or quantitative methods, assess the maximum impact of a data threat to your organization.
  7. Determine the level of risk – HHS suggests taking the average of the assigned likelihood (#5) and impact levels (#6) to determine the level of risk.
  8. Finalize documentation  Write everything up in an organized document – HHS doesn’t specify any format, but they do require the analysis in writing.
  9. Periodic review and updates to the risk assessment  It’s important the Risk Analysis process is ongoing – one requirement includes conducting a Risk Analysis on a regular basis.

What is the timeline for conducting a Risk Analysis?

While the Security Rule doesn’t set a required timeline, HHS recommends organizations conduct a Risk Analysis whenever your company implements or plans to adopt new technology or business operations. This could include switching your data storage methods from managed servers to cloud computing, or any ownership or key staff turnover.

I’m feeling overwhelmed – where can I find answers to additional questions or get help?

Remember, Risk Analysis is the first step in an organization’s Security Rule compliance efforts. It’s an ongoing process that should provide the organization with a detailed understanding of the risks to the confidentiality, integrity, and availability of e-PHI.  If you have questions about conducting a Risk Analysis, please visit or reach out to us .

Finally, if you’re already a NextGen Healthcare client, please attend a complimentary webinar to learn how we can help you fully meet your SRA obligations and reduce risk for your practice.