The HIPAA Risk Assessment: Are You Up to Date?

If you thought that your small or mid-sized practice was excluded from the HIPAA Risk Assessment requirement, you may want to think again. All providers that are “covered entities” under HIPAA are required to perform a risk assessment of their practice. The risk assessment is also a core requirement for receiving Medicare or Medicaid incentive payments through the Meaningful Use program.

In September 2014, more stringent penalties begin for practices that have not secured Protected Health Information (PHI), or that have not identified the risks in their practice that could have been mitigated through proactive identification, correction, and monitoring of the risk areas.

What is different about this review of PHI is that it focuses on the many electronic ways we receive, transfer, and store patient information today. For this reason, the US Department of Health and Human Services (HHS) refers to this information as electronic PHI, or “ePHI.” The HIPAA Security Rule requires a practice to conduct a risk analysis and to review it periodically; annual updates are recommended. HIPAA establishes four tiers of penalties for violations, with each tier corresponding to the practice’s culpability in preventing the violation. The penalties range from $100 to $50,000 per violation.

Key elements of your HIPAA practice assessment are as follows:

  • Scope of the assessment: it must include all ePHI that your organization creates, receives, maintains, or transmits. This means reviewing every piece of electronic equipment and media that touches ePHI, including laptops, fax machines, copiers/scanners, CDs, and portable devices. The point is to cover every place in the practice where data is stored or could be accessed.
  • Understanding and identifying where your ePHI flows: where do you send and receive information, and are the sources and destinations secured?
  • Documentation of findings: in your documentation, identify anything that is a threat to, or a vulnerability in, the organization. Threats include human error and natural disasters; vulnerabilities include missing policies, unencrypted laptops, and so on.
  • Assessment of your current security measures: how effective are your policies, and are there areas that need further enforcement?
  • Determining the likelihood of each threat: for example, under your current security measures, how likely is an employee or provider to lose a patient’s ePHI? Is there a potential for an electrical malfunction that would cause you to lose the contents of a medical record?
  • Determining the risk level (likelihood combined with potential impact) and categorizing each risk as High, Medium, or Low in a risk matrix
  • Documenting the corrective action that will mitigate each identified risk
  • And last, reviewing and updating the analysis annually

Since HIPAA requires practices that handle protected health information to regularly review the administrative, physical, and technical safeguards they have in place to protect that information, a tool has been developed to help you. In a joint effort, the Office of the National Coordinator for Health Information Technology (ONC) and the Office for Civil Rights (OCR) have developed a Security Risk Assessment (SRA) tool to help small and mid-size practices conduct their risk assessments. The tool can be found at
The assessment can be conducted internally by the practice, and the tool produces a report from your analysis that can be provided to auditors.

Whether you are seeking incentives from the Meaningful Use program or not, the HIPAA risk analysis is a requirement. As we move farther and farther away from a paper environment, the key to using electronic health information securely will be planning, evaluation, corrective action, and continuous monitoring, both to ensure that your patients’ health information is protected when they visit your practice and to protect yourself from the loss of valuable health information. To help you review the requirements, has put together a thorough overview of the process in a video format at this link:

August 2014
Carol E. Alexander
Stroudwater Associates
(202) 863-2584

American Congress of Obstetricians and Gynecologists
409 12th Street SW, Washington, DC  20024-2188 | Mailing Address: PO Box 70620, Washington, DC 20024-9998