Ensuring HIPAA Compliance With A Risk Analysis


While you hear about the occasional breach of Protected Health Information (PHI) from large organizations, smaller medical offices often believe they are safe from a breach due to their size. When it comes to cybercrime, that is no longer the case. In fact, over three million patient records were compromised in 2017 across the medical industry, and small practices were breached, hacked, and ransomed just like the larger healthcare organizations. 



The Office for Civil Rights (OCR) data shows an upward trend in data breaches since it first published summaries of healthcare data breaches in 2009. Between 2009 and 2018, there were 2,546 data breaches involving more than 500 patient records. These breaches resulted in the exposure of 189,945,874 patient records, which is more than 59% of the population of the United States.

The loss or theft of PHI was the top cause of data breaches between 2009 and 2015. These breaches could easily have been prevented with device encryption and strong physical safeguard policies, along with annual staff training. Current statistics show that hacking/IT incidents are now the top cause of data breaches, which is why it’s important to discuss conducting a risk analysis with your IT team.



In an effort to prevent these breaches of PHI, the HIPAA Security Rule requires that all covered entities perform a risk analysis and implement a risk management plan. This requirement is outlined in 164.308(a)(1)(ii)(A): “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization]”.

A completed risk analysis will provide your practice with a detailed understanding of the risks to the confidentiality, integrity, and availability of ePHI within your organization. A risk analysis also helps practices assess and mitigate risks to the security of PHI.



A risk analysis takes a detailed look at the administrative, physical, and technical security measures an organization uses to protect PHI.

  • Administrative Safeguards: include an organization's current policies and procedures used to protect PHI. This covers security-related policies and procedures, a contingency plan, staff training policies and procedures, Business Associate Agreements, and user access to ePHI.
  • Physical Safeguards: are the current controls that limit access to PHI, such as the facility security plan, visitor controls, media disposal, and remote access procedures.
  • Technical Safeguards: include password and inactivity timeout settings, data storage, backup plans, and disaster recovery procedures, along with encryption of PHI where necessary.



  • Identify how and where PHI is stored or sent: During a risk analysis, practices must determine where ePHI is stored, received, maintained, or transmitted, and should maintain documentation of this inventory.
  • Identify threats and vulnerabilities: Practices must also identify potential threats and vulnerabilities within their organization, whether those threats come from internal sources such as untrained employees, environmental sources such as a flood or fire, or an adversarial source such as a hacker trying to access PHI.
  • Determine likelihood, impact, and risk level: Once vulnerabilities are identified, practices must determine the likelihood and level of impact of each identified threat by considering how many people may be affected as well as what data would be affected. The risk level is determined by combining the likelihood and impact levels of each vulnerability.
  • Implement security measures: Practices then need to implement reasonable security measures to protect PHI from the identified threats. The HIPAA Security Rule allows practices to tailor security policies, procedures, and technologies for safeguarding PHI to the size, complexity, and capabilities of the practice, as well as to its technical, hardware, and software infrastructure.
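The four steps above can be recorded in a small risk register. The following is an added, self-contained Python example (not Five Nines' tooling or any official HIPAA worksheet): it holds a constructed ePHI inventory, assigns an impact level from the number of records affected, combines likelihood and impact into a qualitative risk level, and ranks the findings so the highest-risk safeguards get implemented first. The 3x3 likelihood/impact matrix, the record-count bands (500 records is the OCR breach-summary threshold the post cites; 50 is chosen for this example), and every asset, threat and safeguard named below are assumptions made for the illustration.

```python
"""Qualitative HIPAA-style risk register (added example; all inputs constructed)."""
from dataclasses import dataclass
from typing import Dict, List

# Qualitative scale used for both likelihood and impact (assumed for this example).
LEVELS: Dict[str, int] = {"low": 1, "medium": 2, "high": 3}


def impact_from_records(records_affected: int) -> str:
    """Derive an impact level from how many patients' ePHI could be affected.

    Bands are assumptions: 500 is the OCR breach-summary threshold, 50 is arbitrary.
    """
    if records_affected >= 500:
        return "high"
    if records_affected >= 50:
        return "medium"
    return "low"


def risk_score(likelihood: str, impact: str) -> int:
    """Numeric score 1..9 from the 3x3 matrix (likelihood x impact)."""
    return LEVELS[likelihood] * LEVELS[impact]


def risk_level(likelihood: str, impact: str) -> str:
    """Map the matrix score to a qualitative risk level (assumed cut-offs)."""
    score = risk_score(likelihood, impact)
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


@dataclass(frozen=True)
class Finding:
    asset: str             # where ePHI is stored, received, maintained or transmitted
    threat: str            # internal, environmental or adversarial source
    vulnerability: str     # weakness the threat could exploit
    likelihood: str        # low / medium / high
    records_affected: int  # used to derive impact
    safeguard: str         # planned security measure
    safeguard_type: str    # administrative / physical / technical

    @property
    def impact(self) -> str:
        return impact_from_records(self.records_affected)

    @property
    def risk(self) -> str:
        return risk_level(self.likelihood, self.impact)


# Constructed sample inventory for a small practice (hypothetical assets and values).
SAMPLE_INVENTORY: List[Finding] = [
    Finding("Front-desk laptop (local ePHI copies)", "adversarial: device theft",
            "disk not encrypted", "medium", 1200, "full-disk encryption", "technical"),
    Finding("On-site file server", "environmental: flood",
            "ground-floor server room, backups kept on site", "low", 8000,
            "off-site backups in the contingency plan", "administrative"),
    Finding("Remote EHR access", "adversarial: password guessing",
            "no inactivity timeout, weak passwords", "high", 8000,
            "password policy and inactivity timeout", "technical"),
    Finding("Paper intake forms at reception", "internal: untrained staff",
            "forms visible to visitors", "medium", 20,
            "visitor controls and staff training", "physical"),
]


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Highest matrix score first; ties keep inventory order (stable sort)."""
    return sorted(findings, key=lambda f: risk_score(f.likelihood, f.impact), reverse=True)


def risk_summary(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per risk level, e.g. {'high': 2, 'medium': 1, 'low': 1}."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.risk] += 1
    return counts


def register_lines(findings: List[Finding]) -> List[str]:
    """One printable row per finding, in priority order."""
    return [f"{f.risk.upper():6} {f.asset} | {f.threat} | {f.safeguard} ({f.safeguard_type})"
            for f in prioritize(findings)]


if __name__ == "__main__":
    for line in register_lines(SAMPLE_INVENTORY):
        print(line)
    print(risk_summary(SAMPLE_INVENTORY))
```

Running the script prints the register with the remote EHR access finding first, which is the point of the exercise: the documented inventory, the threat list and the likelihood/impact ratings together tell the practice which safeguard to implement first and give the auditor a record of why.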



A completed risk analysis will help your practice identify vulnerabilities within your organization that could lead to a data breach or loss of PHI. This assessment is the first step toward ensuring compliance with the HIPAA Security Rule, attesting to government incentive programs, and securing PHI within your organization.

Don’t allow your organization to fall behind. Complete a risk analysis today to ensure your organization is not only compliant, but safe as well.


Five Nines Case Study: Click below to discover how Five Nines has been able to provide 24-hour support, improve the IT infrastructure, and find the right solutions for a critical access hospital in rural Nebraska.




Cindy Beach

Healthcare Consultant 

As the Five Nines Healthcare Consultant, Cindy is responsible for helping partners complete security assessments and provides HIPAA compliance expertise to Five Nines partners and staff.

Facts About Me

- My first car was a 1988 Buick Skylark.

- I am definitely a dog person! At one time, we had 25 German Short-Haired Pointers at our kennel.

- My favorite pizza topping is pineapple! I know that will spark a debate with the Five Nines staff.

- My first real job was a waitress at our local drive-in. I can still make a pretty great ice cream cone!

- The longest road trip I have ever been on was 22 hours. My husband and I drove to Orlando, Florida for our honeymoon and it rained the whole time!




Topics: Security, Healthcare, HIPAA, Compliance

Case Study: Supporting A Rural Nebraska Hospital


Five Nines is partnered with a 22-bed critical access hospital in rural Nebraska that supports up to 125 employees working across a hospital, a clinic, and a remote clinic. The entire business is operated on computers, and the organization relies on them to provide high-quality patient care.


1. Before Five Nines, there was a lack of efficiency and support from the previous IT provider.
2. Their team was unable to find talented IT engineers in rural Nebraska.
3. The hospital needed assistance with high-level server, storage, and networking needs.


Five Nines proposed a partnership in which it would act as an escalation point for this organization. This 2.5-year partnership has become a story worth telling, as the solutions provided helped with the management of their IT environment and led to increased engagement and a stronger work/life balance for employees of the hospital.

Who are we talking about, and why is it important? Read the case study to learn more about this partnership, and discover how Five Nines has been able to provide 24-hour support, improve the hospital's IT infrastructure, and find the right solutions for unforeseen issues for over two years.



Topics: Outsourced IT, Managed IT Services, Healthcare, Case Studies

It's A New Year: Predicted Healthcare IT Trends


2018 is finally here, bringing new innovation and trends for healthcare technology. International Data Corporation's FutureScape research developed predicted IT trends for the industry in 2018. We'd like to share our insights on three of these key predictions that will strongly impact healthcare IT this year.


Mobile technology is growing rapidly and will only continue to expand in 2018. According to Health Data Management, digital mobile engagement by patients and providers will increase by 50% by 2019, which means we will see consistent advances in mobile technology this year. Individuals on both sides of the healthcare industry will begin to access medical information on their phones or tablets, which will facilitate new forms of communication. Maintaining patient privacy on mobile devices, as well as application navigation, will need to be a priority.


Patients are gradually becoming reporters of their own medical data through online patient portals, saving time otherwise spent filling out paperwork at the office. Patients are beginning to play a role in their own medical care by generating their personal data within healthcare systems. This helps them feel more in control of their medical history, since they have the information they need at the click of a button. The data stored and collected over time will help providers determine a more personalized treatment plan for each patient. The technical systems behind the scenes will need to be efficient and accurate to make use of these large amounts of data.


By this time next year, healthcare companies will likely have begun to share their data and studies across the industry. This will provide real stories and evidence that may help solve similar medical cases or advance current treatments. This availability of information will push the industry to innovate and grow. IT will play a role in maintaining the quality, security, and ease of access of this information as it is collected.

All of these adjustments will result in IT teams needing to continue to streamline healthcare technology environments so that privacy, security, and productivity are maintained during the technical advances throughout 2018 and beyond.


Want to learn more about remaining privacy compliant with healthcare IT? Sit back, grab some popcorn, and enjoy the free Five Nines presentation on Privacy - Technology in Healthcare.

Topics: Outsourced IT, Equipment, Cybersecurity, Business Continuity, Healthcare