

HIPAA Security Rule Risk Assessment Overview

10 January 2017

Healthcare, Risk Management

The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 and celebrated its 20th anniversary in 2016. The Final Rule on Security Standards (“HIPAA Security Rule”) was enacted in 2003, and covered entities (CEs) were expected to be compliant by 2005. Although the HIPAA Security Rule (HSR) has been law since 2003, a significant number of covered entities and business associates (BAs) have still not implemented security programs that meet its legal requirements. Part of the reason for this noncompliance is a general lack of understanding and awareness of what is required. The fairly recent increase in audits and fines by the Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR) has been a wake-up call to CEs and BAs of all sizes. HHS OCR maintains a public website that lists every breach of electronic healthcare records affecting more than 500 individuals. If you visit it, you will see that new breaches are added almost daily. Most of the organizations listed have failed to fully comply with the requirements of the HSR.

One of the most common areas of noncompliance is the risk analysis and threat assessment required under the HSR. CEs and BAs must comply with the safeguards specified in the HSR, which span administrative, physical and technical controls. One of the most critical administrative safeguards requires the organization to perform a risk analysis, that is, to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.” This risk analysis is separate from an overarching HSR compliance audit, a distinction that sometimes confuses organizations. Some organizations incorrectly assume that performing a risk analysis means they have complied with the full set of HSR requirements. The risk analysis is a very important activity that can reveal a significant amount of information about the organization’s vulnerabilities, not only in its technology but in its employees and policies as well.

Organizations that remain noncompliant with the requirements of HIPAA expose themselves to lawsuits, enforcement actions and fines. These types of actions can be avoided by following the strong cybersecurity practices detailed in the HSR. Electronic medical records will continue to be attractive targets for hackers because of their high value on the Dark Web. One helpful feature of the HSR is that HHS gives organizations some flexibility by categorizing each safeguard as either required or addressable. Regardless of the organization’s size, CEs and BAs must comply with every safeguard categorized as required. Safeguards categorized as addressable give organizations the flexibility to implement the related controls based on their unique environment and factors such as size, location, and so on. The HSR is a powerful and effective set of requirements that all CEs and BAs are required by law to comply with. Ensuring that your organization is fully compliant requires a tailored approach. To learn more about developing a tailored approach that is efficient and practical, please contact us at or call 667-401-5108.
