Organizations that create, receive, maintain, or transmit electronic protected health information (ePHI)—including covered entities and business associates—must conduct a HIPAA risk analysis and implement risk management practices. These are core requirements under the HIPAA Security Rule.
This guide walks you through the process step by step.
Risk Analysis vs. Risk Management
- Risk analysis is the process of identifying and evaluating risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
- Risk management is the process of applying appropriate security measures to reduce those risks to a reasonable and appropriate level.
Both are ongoing responsibilities, not one-time tasks
Step-by-Step Guide
1. Assign Ownership and Define Scope
Appoint a security official responsible for compliance. Define the scope to include all systems, devices, applications, and vendors that create, receive, maintain, or transmit ePHI.
2. Inventory Assets and Data Flows
Create an inventory of all systems and devices that interact with ePHI. Map out how data flows—from collection and storage to sharing and disposal.
3. Identify Threats and Vulnerabilities
List potential risks, such as human error, unauthorized access, weak authentication, malware, lost devices, natural disasters, or insecure vendors.
4. Assess Current Safeguards
Document the administrative, technical, and physical safeguards already in place. These may include access controls, encryption, facility security, audit logs, and training programs.
5. Estimate Likelihood and Impact
For each risk scenario, determine:
- Likelihood (low, medium, high) of the risk occurring.
- Impact (low, medium, high) on confidentiality, integrity, and availability if the event occurs.
6. Prioritize Risks
Combine likelihood and impact to calculate the risk level. Rank risks from highest to lowest priority in a risk register.
7. Plan Risk Treatment
Decide how to address each risk:
- Mitigate by implementing stronger safeguards (e.g., multi-factor authentication, encryption).
- Avoid by discontinuing risky processes.
- Transfer by using cyber insurance or shifting responsibility through contracts.
- Accept if the risk is low and reasonable, with documented justification.
8. Implement Safeguards and Assign Responsibility
Develop an action plan with deadlines, budgets, and responsible parties. Track progress to ensure controls are implemented and effective.
9. Document and Retain Records
Keep detailed documentation of your analysis, decisions, and actions. Retain records for at least six years. Documentation is critical for demonstrating compliance.
10. Reassess Regularly
Conduct periodic reviews (at least annually) and whenever major changes occur, such as adopting new software, moving to the cloud, or experiencing a security incident
Tools and Frameworks That Can Help
- NIST Risk Assessment Methodology: Provides a structured approach for analyzing risks.
- NIST Cybersecurity Framework: Helps organize security practices into Identify, Protect, Detect, Respond, and Recover.
- Healthcare-Specific Best Practices: Industry guidance such as HICP offers practical strategies for managing top threats
Documentation You Should Maintain
- Asset and data-flow inventory
- Threat and vulnerability list
- Risk register with scoring and treatment plans
- Policies and procedures
- Evidence of safeguards (training records, access logs, system settings)
- Risk analysis and evaluation reports
Common Pitfalls to Avoid
- Treating the risk analysis as a one-time project instead of an ongoing process
- Focusing only on the electronic health record system while ignoring other ePHI systems (emails, backups, mobile devices)
- Documenting risks without implementing remediation
- Failing to update after system or business changes
- Weak or missing documentation