How to do a HIPAA Risk Analysis

Updated November 1, 2022

“We had policies and a privacy officer, but we failed the HIPAA audit. What went wrong?”

Most organizations fail their HIPAA audit because they haven’t completed a HIPAA Risk Analysis. It’s a core HIPAA requirement but is often overlooked.

What is a HIPAA Audit?

The Office for Civil Rights (OCR) conducts HIPAA audits of a selected sample of covered entities and business associates to find out who is complying and who is not. Auditors look for up-to-date policies and documented risk management. The best way to pass an audit is to make sure you have completed, and can show, a HIPAA-compliant Risk Analysis: it is the foundation the rest of your compliance program rests on.

OCR is the agency within HHS that enforces HIPAA and runs the audit program. In its audits, OCR found that 94% of covered entities and 88% of business associates failed the Risk Management section. Done right, and refreshed every year, a Risk Analysis is the blueprint that prevents data breaches and the penalties that follow noncompliance.

The HIPAA E-Tool® Incorporates NIST

One common mistake is to tackle only the IT side and do a "security risk assessment" of electronic systems. A complete HIPAA Risk Analysis – Risk Management plan covers all the HIPAA Rules – Privacy, Security, Breach Notification and Enforcement – because the Security Rule's risk analysis requirement (45 CFR 164.308(a)(1)(ii)(A)) addresses electronic PHI, while the Privacy Rule's safeguards requirement applies to PHI in every form.

The security risk assessment is critically important, but it is not the whole picture. A fully compliant HIPAA Risk Analysis goes beyond a NIST-style security risk assessment (NIST, the National Institute of Standards and Technology, publishes SP 800-30 on conducting risk assessments and SP 800-66 on implementing the HIPAA Security Rule). It must cover both electronic and non-electronic assets and information, including paper and film records, a list of staff and whether each has been trained, your business associates, and the policies and procedures that govern all of them.

The HIPAA E-Tool® incorporates guidance from both NIST and OCR to cover everything required. Our solution covers it all, and gives you the tools and step-by-step instructions to do it yourself.

Do Risk Analysis at Every Location

OCR has made clear that risk analysis must be done at each location. Fresenius Medical Care North America agreed to a $3.5 million settlement after OCR investigated breaches at five of its facilities and found multiple HIPAA violations. A central failure was the lack of a site-specific risk analysis.

Instead of getting caught and being forced, why not learn to do it and avoid the headache and costs?

Why Healthcare Organizations are Failing OCR’s HIPAA Audits

Because Risk Analysis is misunderstood or overlooked. Does this sound like you?

  1. We’re not sure how
  2. It’s too difficult
  3. It’s too expensive
  4. It takes too much time
  5. It’s not necessary
  6. Maybe next year we’ll do it

We know how to help you do it, calmly, completely and confidently. This year.

What is HIPAA Risk Analysis – Risk Management?

A Risk Analysis is an inventory of every place protected health information (PHI) is created, received, stored or transmitted, together with the threats and vulnerabilities that put that PHI at risk and an assessment of how likely and how damaging each one is.

Key elements:

  • The inventory must include both electronic and non-electronic information
  • It must include every location
  • Do it at least once a year, and update it when something changes (a new system, location or vendor)

Risk Management is the plan to reduce the risks the Risk Analysis identifies. It does not require perfection or budget-breaking changes.

  • Put in place “Administrative, Technical, and Physical Safeguards” to protect PHI
  • Reduce risks to a reasonable and appropriate level
  • Work on it throughout the year

In short: Risk Analysis uncovers the risks (at least once a year) and Risk Management reduces them (throughout the year), and you document both so that you can show your work.

Step-by-step Guidance Makes HIPAA Risk Analysis Easy

Our approach at The HIPAA E-Tool® is to break it down into 3 parts, like a 3-Act play. It is designed so a busy office manager or compliance officer can do it themselves, as time allows, one chunk at a time, saving work as they go. There is no need for expensive outside consultants.

HIPAA Risk Analysis is like middle school math – you have to show your work.

[Screenshot from The HIPAA E-Tool®: the Risk Analysis – Risk Management screen]

Act 1 is the inventory. Start with a simple list of PHI locations, a list of staff and a list of your business associates, then identify the risks by naming the "threats and vulnerabilities" for the PHI at each location. The HIPAA E-Tool® is interactive, so everything you enter in this first section carries forward into the later sections; nothing has to be re-entered.

Act 2 is the job assignment section. Who will carry out the action steps required to reduce each risk? What are the deadlines? When were they completed? Everything you entered in Act 1 appears here, keeping you organized and on track.

Act 3 is documentation of everything. If OCR comes calling, this is your proof of compliance!

The Dashboard tracks your progress and reminds you what to do next. You don’t have to complete the Risk Analysis on one day in a busy office. Save your work, check the Dashboard and pick it up again.

[Screenshot from The HIPAA E-Tool®: the three-part Risk Analysis – Risk Management section]

Once complete, you archive the whole thing. Next year when you do it again, your information is ready to go, and you can easily add, remove and refresh entries. Every year after the first is easier and faster, while remaining comprehensive and complete.

With the right tools and step-by-step guidance, you can do a full HIPAA Risk Analysis yourself. Prevent breaches, avoid penalties and pass your HIPAA audit.

And if you have questions along the way, we have answers.

For more detailed discussion on Risk Analysis topics, see:

Maggie Hales

Maggie Hales is a lawyer focusing on health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up to date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2024 ET&C Group LLC.

The HIPAA E-Tool® and Protecting Patient Privacy is Our Job®
are registered trademarks of ET&C Group LLC
