Eight Steps to a HIPAA Security Risk Analysis

Both HIPAA auditors and anecdotal reports from around Texas indicate many practices are failing to complete basic HIPAA-required tasks, such as conducting a risk analysis and giving out a Notice of Private Practices.

The HIPAA Security Rule, which protects electronic protected health information (ePHI) requires a security risk analysis. The U.S. Department of Health and Human Services Office of Civil Rights (OCR) lists several elements (PDF), your risk analysis must incorporate:

  1. Identify the scope of the analysis. You should take into account all ePHI your practice creates, receives, maintains, or transmits. Electronic media could range from a single workstation in a small practice to networks in practices with multiple locations.
  2. Gather data. Gather information about how the ePHI is stored, received, maintained, or transmitted. For example, a solo practice with paper medical records may be able to identify all its ePHI by analyzing how it uses its billing software. Be sure to also consider any portable electronic media you use, such as an iPhone or iPad.
  3. Identify and document potential threats and vulnerabilities. To start,  list natural, environmental, and human threats, the latter probably being your greatest concern. Potential human threats range from employees (the most common source), ex-employees, and visitors to hackers and criminals. Anyone who has the access, knowledge, and/or motivation “to cause an adverse impact” on your practice can act as a threat. Then note your practice’s vulnerabilities to the threats you’ve identified. Your vendors can help you identify  system vulnerabilities.
  4. Assess current security measures. These can be both technical and nontechnical. Technical measures are part of information systems hardware and software, such as access controls, identification, authentication, encryption methods, automatic logoff, and audit controls. Nontechnical measures are management and operational controls, such as policies, procedures, standards, guidelines, accountability and responsibility, and physical and environmental security measures.
  5. Determine the likelihood of threat occurrence.
  6. Determine the potential impact of threat occurrence. The most common outcomes include but are not limited to unauthorized access to or disclosure of ePHI, permanent loss or corruption of ePHI, temporary loss or unavailability of ePHI, or loss of cash flow.
  7. Determine the level of risk. Use what you wrote down for steps 5 and 6 to do this step. You might create a risk level matrix using a high, medium, and low rating system. For example, a threat likelihood value of “high” combined with an impact value of “low” may equal a risk level of “low.” Or a threat likelihood value of “medium” combined with an impact value of “medium” may equal a risk level of “medium.”
  8. Identify security measures and finalize documentation. The Security Rule does not require a specific format for your analysis. You could write a report that outlines your analysis process, records the result of each step, and initially identifies security measures needed. Actually implementing the measures is a process separate from the risk analysis.

OCR’s Security Rule Educational Paper Series gives insight into the Security Rule and help with implementing the security standards. No. 6, “Basics of Risk Analysis and Risk Management,” (PDF), explains the above eight measures in more detail.


Published Feb. 11, 2013

NOTICE: The Texas Medical Association provides this information with the express understanding that 1) no attorney-client relationship exists, 2) neither TMA nor its attorneys are engaged in providing legal advice and 3) that the information is of a general character. This is not a substitute for the advice of an attorney. While every effort is made to ensure that content is complete, accurate and timely, TMA cannot guarantee the accuracy and totality of the information contained in this publication and assumes no legal responsibility for loss or damages resulting from the use of this content. You should not rely on this information when dealing with personal legal matters; rather legal advice from retained legal counsel should be sought.


TMA Practice E-Tips main page  

Last Updated On

May 30, 2019

Originally Published On

February 12, 2013

Related Content

HIPAA | Legal