Happy New Year! Let’s start this year’s Compliance Checkup with a very important topic from HIPAA. Remember the Compliance Checkup where we discussed which documents the Office for Civil Rights may ask for if your practice has to report a HIPAA breach? One of those documents is a risk analysis. The HIPAA Security Rule requires covered entities and business associates to:

“Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.” 45 CFR § 164.308(a)(1)(ii)(A).

If this seems complicated, you don’t know where to start, or you need a refresh on the basics of completing a risk analysis, I’ll let you in on a secret.

There are a lot of resources to help you with a risk analysis, and some are free! Here’s the how, when, and why of a risk analysis:

How

Many IT vendors and security consultants have their own templates for a risk analysis, but a free one is the Security Risk Assessment (SRA) Tool developed by the Office of the National Coordinator for Health Information Technology (ONC) and the Office for Civil Rights (OCR). You can download the electronic tool or scroll to the bottom of that page for paper versions of the documents that you can print or fill out electronically.

Whichever risk analysis template your organization uses, it should walk you through each administrative, physical, and technical safeguard requirement and help you identify areas of risk in your organization. Here’s an example from the SRA Tool:

When

HIPAA does not specify how often to perform a risk analysis. OCR’s guidance treats risk analysis as an ongoing process, so revisit it whenever your environment changes significantly (new systems, a new EHR vendor, a move, a new line of business). Beyond that, decide whether your organization will repeat it annually or on another fixed schedule, such as every two years or every three years, and write that decision down. Remember, if your organization has to report a breach, the Office for Civil Rights is likely to ask for your organization’s latest risk analysis, so prepare with this in mind.

Why

A risk analysis is required of all covered entities and business associates. Treat this activity as a way to assess your organization’s HIPAA compliance on a regular basis. A thorough risk analysis will identify areas of weakness so you can address them and mitigate risk. Keep the completed analysis, and the decisions it drives, in writing: the Security Rule’s documentation standard (45 CFR § 164.316) requires that such records be retained for six years, and that written record is what OCR will ask to see. You can also use the information gleaned from a risk analysis to help your organization make decisions, for example:

  • Design better employee screening processes
  • Identify what data to back up, and how
  • Decide whether and how to use encryption
  • Determine the appropriate way to protect health information sent by mail, email, etc.