Looking for a Business Associate Agreement? Download our FREE starter template.
Total HIPAA Logo

HIPAA Risk Assessment – Is this required?

Risk Assessment – Is this required?

Yes, performing a Risk Assessment is required by HHS1. If you are audited, you will be required to show a Risk Assessment as a part of your Compliance Plan. Imagine going to an IRS audit without any tax returns. Your Risk Assessment is like your schedule C. Let’s just say it’s not going to be a very successful audit without this.

What is contained in a Risk Assessment?

Your Risk Assessment is broken down into 3 key areas and your responses to the questions in each area will help you create your Policies and Procedures.

  1. Administrative Safeguards – Here you list your administrative requirements that include answering questions about your:
    • Sanction Policy for employees that violate your policies;
    • Policies and Procedures review schedule; and,
    • Plan for dealing with Breaches.

The answers will help you assess what information needs to be included in your Privacy and Security Policies and Procedures.

  1. Technical Safeguards – How does your practice or company protect ePHI? Do you have:
    • A data backup plan
    • A disaster recovery plan
    • An emergency mode of operation plan
  2. Physical Safeguards – This area deals with physical files, and how you protect your offices.
    • Who has access to your location?
    • How do you protect patient or client files?
    • How do you control who has access to physical files?

Are There Any Free Tools?

HHS offers a free tool for medical practices:

For small- to medium-size practices, using the free tool from HHS is perfectly acceptable. Make sure that you include your IT department or contractor in performing the Risk Assessment. If they are contractors, they will need to be properly vetted and signed as a Business Associate prior to accessing your PHI.

For larger practices or companies, you may wish to contract with a service that specializes in doing Risk Assessments. Again, make sure you vet those contractors, and review their Compliance Plan before you allow them access to your premises and PHI.

How Often Do You Need to Perform a Risk Assessment?

The Risk Assessment is a living document, and the first year you have this in place, you may find certain parts work, and others don’t. This means you need to update the document to reflect any changes you make along the way.

There are 4 situations that will require you to perform a Risk Assessment.

  1. Initial HIPAA Implementation
  2. Any Major Changes in Software and/or Hardware – You are required to update your Risk Assessment after any major changes. This should be done prior to updating all systems in your practice or company You will want to test and verify that the new software or hardware is going to be acceptable before you launch it full scale. This will keep you from having to enact your “emergency operation” policy.
  3. It’s Been a While – It’s been 2-3 years, you haven’t changed much in your practice or company, it’s probably a good idea to revisit your Risk Assessment. Remember to review your Business Associates and their compliance plans at this point.
  4. Breach – If you have a Breach, then you a required to perform a Risk Assessment to find out where things went wrong. This may have been a malware attack, unauthorized access to your premises, or a lost device. Document the reason, and what steps you have taken to mitigate the breach. Also, remember Breaches of over 500 individuals’ info requires you to contact HHS and local media. If the information includes anyone from California, you are also required to notify the California State Attorney General’s office.

Don’t forget to register for our webinar on Electronic Devices here. Next week we will be covering what happens when you have a Breach and what you need to do in this unfortunate event.

1. (45 C.F.R. § 164.308(a)(1).) Risk analysis is one of four required implementation specifications that provide instructions to implement the Security Management Process standard. Section 164.308(a)(1)(ii)(A)

Sharing is caring!


Looking for a Business Associate Agreement?

Download our free template to get started on your path toward HIPAA compliance.

Download Now

Let's keep in touch

Stay up to date on the latest HIPAA news, plus receive tons of free tools and info.

Navigating HIPAA Compliance in 2023

Watch the recording of this webinar to learn more about how you can become and stay HIPAA compliant!


Related Posts

What is Access Control in terms of HIPAA?

What is Access Control in terms of HIPAA?

Access control, in terms of cybersecurity, refers to the practice of managing and regulating who can access specific resources, systems, or data within an organization's network or information...

Comparing HIPAA and NIST

Comparing HIPAA and NIST

In the ever-evolving landscape of data security and privacy, two key frameworks have emerged as significant players: HIPAA and NIST. Both emphasize the importance of safeguarding sensitive...

Save & Share Cart
Your Shopping Cart will be saved and you'll be given a link. You, or anyone with the link, can use it to retrieve your Cart at any time.
Back Save & Share Cart
Your Shopping Cart will be saved with Product pictures and information, and Cart Totals. Then send it to yourself, or a friend, with a link to retrieve it at any time.
Your cart email sent successfully :)