Ensuring HIPAA Compliance With A Risk Analysis

While you hear about the occasional breach of Protected Health Information (PHI) from large organizations, smaller medical offices often believe they are safe from a breach due to their size. When it comes to cybercrime, that is no longer the case. In fact, over three million patient records were compromised in 2017 across the medical industry, and small practices were breached, hacked, and ransomed just like the larger healthcare organizations. 


The Office for Civil Rights (OCR) has reported an upward trend in data breaches since it first published summaries of healthcare data breaches in 2009. Between 2009 and 2018 there were 2,546 data breaches involving more than 500 patient records each. These breaches exposed 189,945,874 patient records, more than 59% of the population of the United States.

Loss or theft of PHI was the top cause of data breaches from 2009 to 2015. Those breaches could easily be prevented with device encryption, strong physical-safeguard policies, and annual staff training. Current statistics show that hacking and IT incidents are now the top cause of data breaches, which is why it’s important to discuss conducting a risk analysis with your IT team.



To prevent these breaches of PHI, the HIPAA Security Rule requires that every covered entity perform a risk analysis and implement a risk management plan. The requirement is set out in 164.308(a)(1)(ii)(A): “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization]”.

A completed risk analysis will provide your practice with a detailed understanding of the risks to the confidentiality, integrity, and availability of ePHI within your organization. A risk analysis also helps practices assess and mitigate risks to the security of PHI.



A risk analysis takes a detailed look at the administrative, physical, and technical security measures an organization uses to protect PHI.

  • Administrative Safeguards: an organization's current policies and procedures used to protect PHI, including security-related policies and procedures, a contingency plan, staff training policies and procedures, Business Associate Agreements, and user access to ePHI.
  • Physical Safeguards: the current controls that limit access to PHI, such as the facility security plan, visitor controls, media disposal, and remote access procedures.
  • Technical Safeguards: password and inactivity-timeout settings, data storage, backup plans, and disaster recovery procedures, along with encryption of PHI where necessary.



  • Identify how and where PHI is stored or sent: During a risk analysis, practices must determine where ePHI is stored, received, maintained, or transmitted, and should maintain documentation of this inventory.
  • Identify threats and vulnerabilities: Practices must also identify potential threats and vulnerabilities within their organization, whether those threats are internal (such as untrained employees), environmental (such as a flood or fire), or adversarial (such as a hacker trying to access PHI).
  • Determine likelihood, impact, and risk level: Once vulnerabilities are identified, practices must determine the likelihood and level of impact of each identified threat by considering how many people may be affected as well as what data will be affected. The risk level is determined by combining the likelihood and impact levels of each vulnerability.
  • Implement security measures: Practices then need to implement reasonable security measures to protect PHI from the identified threats. The HIPAA Security Rule allows practices to tailor security policies, procedures, and technologies for safeguarding PHI to the size, complexity, and capabilities of the practice, as well as to its technical, hardware, and software infrastructure.
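As an added example (not from the original post or from Five Nines), the four steps above as a small risk register in Python. The asset inventory, threat list, three-point scale, and likelihood-times-impact scoring are constructed assumptions for illustration; the Security Rule requires that likelihood and impact be assessed but prescribes no particular formula.

```python
from dataclasses import dataclass
from itertools import product
# Three-point scale (an assumption; HIPAA prescribes no scale, only that both be assessed).
LEVELS = {"low": 1, "medium": 2, "high": 3}

@dataclass(frozen=True)
class Asset:            # step 1: where ePHI is stored, received, maintained or sent
    name: str
    records: int        # patient records the asset holds or carries
    encrypted: bool     # data unreadable to whoever loses or steals the device

@dataclass(frozen=True)
class Threat:           # step 2: internal, environmental or adversarial source
    name: str
    source: str
    likelihood: str     # "low", "medium" or "high"

def impact_level(asset: Asset, threat: Threat) -> str:
    """Step 3a: impact rises with the people affected and falls when encryption
    makes the data useless to the threat (a flood still destroys it)."""
    if asset.encrypted and threat.source != "environmental":
        return "low"
    if asset.records >= 500:   # OCR's threshold for a reportable large breach
        return "high"
    return "medium" if asset.records > 0 else "low"

def risk_level(likelihood: str, impact: str) -> str:
    """Step 3b: risk combines likelihood and impact (product of the two scores)."""
    score = LEVELS[likelihood] * LEVELS[impact]
    return "high" if score >= 6 else "medium" if score >= 3 else "low"

def risk_register(assets, threats):
    """Step 4 input: every asset/threat pair, highest risk first."""
    rows = []
    for a, t in product(assets, threats):
        impact = impact_level(a, t)
        rows.append((a.name, t.name, impact, risk_level(t.likelihood, impact)))
    return sorted(rows, key=lambda r: -LEVELS[r[3]])  # stable: input order kept within a level

# Constructed sample inventory and threat list for a small practice.
SAMPLE_ASSETS = [Asset("unencrypted laptop with patient export", 1200, False),
                 Asset("encrypted backup drive", 5000, True),
                 Asset("front-desk PC (no ePHI)", 0, False)]
SAMPLE_THREATS = [Threat("device lost or stolen", "internal", "high"),
                  Threat("ransomware via phishing", "adversarial", "medium"),
                  Threat("flood in server room", "environmental", "low")]

if __name__ == "__main__":
    for asset, threat, impact, risk in risk_register(SAMPLE_ASSETS, SAMPLE_THREATS):
        print(f"{risk:6} | {asset:40} | {threat:24} | impact {impact}")
```

The sorted register is the list the practice works from when choosing which safeguards to implement first; note that the encrypted drive scores low against theft but not against the flood, since encryption protects confidentiality, not availability.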



A completed risk analysis will help your practice identify the vulnerabilities within your organization that could lead to a data breach or loss of PHI. This assessment is the first step toward ensuring compliance with the HIPAA Security Rule, attesting to government incentive programs, and ensuring the security of PHI within your organization.

Don’t let your organization fall behind: complete a risk analysis today to ensure your organization is not only compliant, but safe as well.


Five Nines Case Study: discover how Five Nines has been able to provide 24-hour support, improve the IT infrastructure, and find the right solutions for a critical access hospital in rural Nebraska.

Case Study: Supporting A Rural NE Hospital