HIPAA Risk Assessments: Are They Really Necessary?
Are you up to date with your HIPAA compliance? If you’re not sure, you’re probably overdue for a risk assessment. Learn why they’re vital to staying compliant and preventing costly breaches.

Under the Health Insurance Portability and Accountability Act (HIPAA), covered entities and business associates must protect patients’ Protected Health Information (PHI). They must also address any subsequent breaches of that PHI. To ensure proper handling of PHI, covered entities and business associates need to conduct ongoing risk assessments (also called risk analyses). But what is a risk assessment, and why is it necessary?
What is a HIPAA Risk Assessment?
Risk assessments are not merely best practices—they are fundamental to HIPAA compliance. That is, the law explicitly requires that practices conduct risk assessments:
RISK ANALYSIS (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization]. (Emphasis added.) [1]
Essentially, a risk assessment is a process by which your practice evaluates potential ways in which your patients’ information could be harmed or compromised.
HIPAA does not provide a sample or form for your risk assessment. The Department of Health and Human Services (HHS) acknowledges this void. HHS explains that a one-size-fits-all template wouldn’t properly address the wide variety of needs of covered entities and business associates that range from solo healthcare practices to global technology companies.
While there is no uniform methodology, the purpose of the risk assessment remains the same—to identify the potential risks and vulnerabilities to the PHI that an organization maintains, transmits, receives, or creates.
What Should a HIPAA Risk Assessment Include?
Remember that your practice must always, always, always create and maintain written proof of HIPAA compliance procedures. When conducting risk assessments, or any kind of evaluations, write everything down. This might seem excessive, but this will help you in the event of a HIPAA audit or other examination. In HHS’s view, if an issue or event is not recorded, it has never happened.
A risk assessment should include:
- Your size, complexity, and capabilities
- Your technical infrastructure, hardware, and software security capabilities
- The probability and criticality of potential risks to electronically-stored PHI (ePHI)
- The costs of security measures
How Often Must a Risk Assessment Occur?
A risk assessment is NOT a one-time activity. In most cases, risk assessments should be performed at least yearly to identify changes and confirm that your systems and standards still satisfy your HIPAA policies’ requirements. They are also needed any time there has been a significant change: a terminated employee, a data breach, a facility break-in, misplaced or lost physical files, a company or practice merger or acquisition, or new technology.
Of course, whenever there’s a known PHI breach, you should conduct a risk assessment to determine the cause and prevent further exploitation of the vulnerabilities that allowed that breach to occur.
Why Conduct Multiple Risk Assessments?
What if your organization has not changed much since the last risk assessment? It may strike you as overkill to conduct another one. But remember, the goal of a risk assessment is not merely to document what your current system is. It is also crucial to evaluate how well that system actually works under present conditions.
For example, while your system might have been up-to-date last year, new developments might compel you to make a change. Perhaps you moved to digital recordkeeping or replaced the office keys with digitized “smart keys.” You might also discover opportunities to test a new system to see if it fits better with the way that your team operates, such as an electronic medical record (EMR) system that integrates patient billing and thus streamlines your business associate relationships.
In short, a risk assessment will not only help you catch something that might be wrong. It may also help you find clear areas where you can improve.
Remembering the End Goal
When you’re running a busy practice, it’s easy to look at a risk assessment as just one more regulatory hurdle—a hoop to jump through. But the true purpose of a risk assessment is not merely to check off a requirement in case regulators contact you.
Think of your risk assessment as a routine preventive medical exam. A clean bill of health is meaningless if the exam overlooks emerging problems. The goal is to establish the health of your privacy and security practices and catch issues before they result in a costly breach or challenging government audit.
Jackson LLP’s experienced healthcare attorneys can help you develop a comprehensive HIPAA policy tailored to your practice, including guidance and templates for assessing your risk. Reach out to us today to learn how we can help you close HIPAA compliance gaps.
This blog is made for educational purposes and is not intended to be specific legal advice to any particular person. It does not create an attorney-client relationship between our firm and the reader and should not be used as a substitute for competent legal advice from a licensed attorney in your jurisdiction.
[1] Section 164.308(a)(1)(ii)(A)