Why Your Healthcare Facility Needs HIPAA Security Risk Assessments


As a healthcare organization, the Health Insurance Portability and Accountability Act, or HIPAA, lies at the heart of everything you do.

After all, in this day and age, you’re doing more than just setting bones or running diagnostic tests. Healthcare providers collect a huge quantity of data about their patients in order to serve them better. Unfortunately, this private information is also a highly lucrative target for thieves.

And if your organization isn’t protecting that data, you’re not doing your job.

HIPAA security risk assessments are more than just a box to check. They’re your foremost tool in protecting your patients’ valuable private data. Here’s why you need them, the consequences of not conducting them, and why a vendor risk assessment for HIPAA is part of that.

What is a HIPAA Risk Assessment?

As a healthcare facility, your front-facing work has to do with people. But the work behind the scenes, the work that makes it all possible, involves storing and processing a lot of protected health information (PHI), i.e. health data created, received, stored, or transmitted by HIPAA-covered entities and their business associates in order to provide healthcare.

This is more than just a few numbers. This is information spelling out private health details attached to a person’s life. In the digital age, PHI can live practically anywhere, and the value of that data has increased exponentially.

In simple terms, a HIPAA risk assessment is how you make sure you’re protecting that data. It’s a periodic process you use to analyze risks to PHI and ensure compliance with HIPAA rules, both by your facility and your partners. That way, you don’t run the risk of compromising your patients’ data or your patients’ trust in you.

Is a HIPAA risk assessment mandatory?

Yes, it is mandatory, and more than just a good idea.

HIPAA security risk assessments are mandated under the HIPAA Security Rule, which requires covered entities and their business associates to conduct a risk assessment of their healthcare organization to ensure it is compliant with HIPAA’s administrative, physical, and technical safeguards.

The Rule offers a degree of flexibility on how you tailor your assessment so that you can conduct one appropriate to you. This is based on factors related to your environment and circumstances, including:

  • Your size

  • Your complexity

  • Your capabilities

  • Your technical infrastructure

  • Your hardware security capabilities

  • Your software security capabilities

  • The probability of risks to ePHI

  • The criticality of risks to ePHI

  • The cost of your security measures

If you’re not sure where to begin, the Office of the National Coordinator for Health Information Technology (ONC) is your best place to start, including its downloadable risk assessment guidance tool.

Here’s the good news: regular HIPAA risk assessments don’t just protect you against a hypothetical hack or third-party risk. They also make sure you’re prepared in the event of an audit by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

If you are audited, OCR will request a number of key documents, including:

  • Documentation of your most recent HIPAA security risk assessment

  • Documentation of the risks mitigated, organized in risk-level order

  • Evidence and documentation of key risk management activities

  • Your current HIPAA policies and procedures

  • Your current controls and protocols

The thing is, you don’t know when you might be audited. You should do HIPAA risk assessments more often than the minimum anyway. After all, they allow you to see any potential security concerns or areas of non-compliance in order to mitigate them and run a smoother business.

Either way, the primary focus of your risk assessments (for both covered entities and business associates) remains the same: protecting your patients’ confidential and private information.

The Consequences of Non-Compliance

What happens if you don’t comply? In short: nothing good.

The lowest fine level you could be issued is the “Did Not Know” violation category. However, very few fines are now issued under that criterion. As far as OCR is concerned, you have no excuse for not knowing that you need to protect PHI.

Most fines are issued under “Willful Neglect”, which is a reckless or intentional failure to comply with HIPAA rules. This is when organizations knew (or should have known) that they had an obligation to protect PHI and failed to do so. This is important because many fines are directly attributable to an organization’s failure to identify risks to PHI.

What types of healthcare facilities should have a vendor risk management strategy surrounding HIPAA?

In short, every HIPAA-covered entity is required to perform periodic risk assessments. These include:

  • Healthcare providers

  • Healthcare payers

  • Clearinghouses

In addition, all covered entities’ business associates and third-party vendors (specifically, those with access to PHI) must perform periodic risk assessments. This applies regardless of your organizational size and complexity, whether you’re a tiny local hospital or a huge hospital system. If you’re a covered entity, you and your associates must conduct these assessments, because you’re still responsible for protecting PHI.

It’s also important to note that while you are required to conduct annual risk assessments, there are other occasions when you may need additional assessments. These include:

  • Discovery of high-risk security issues through your most recent risk assessment

  • Substantial changes to your organizational structure or operations

  • Changes to federal regulations

  • Changes to federal cybersecurity frameworks

Because of this, all organizations that are required to conduct a HIPAA risk assessment should have a vendor risk management strategy surrounding HIPAA protections and protocols. It’s more than just a list of objectives; it’s a way to guide your entire risk management process. Without it, there’s a real risk that your HIPAA security risk assessments will remain unfocused and inconsistent, and you may overlook serious risks without realizing it.

HIPAA Compliance Using Privva’s Third-Party Risk Management Platform

You know you need a regular HIPAA vendor risk assessment program. But knowing you need it and knowing where to start are two different things.

That’s where we can help, with third-party risk management software that makes it easy to manage your risk assessments in one dashboard. That way, you can catch every last detail, ensure compliance, and get back to what you do best: serving your patients.
