Ninety Nine Management


What Is a HIPAA Security Risk Assessment & Why Is It Important?

Posted by 99 MGMT on Jun 13, 2019 10:46:43 AM


Do you have procedures in place to protect patient information, mitigate security risks, and address security breaches if/when they occur?

If not, your practice is like a compliance time bomb waiting to explode. Patient information security should be a high priority - compliance issues can easily lead to fines, reputational damage, and legal trouble.


To make sure patient information is as secure as possible, you should be performing regular security risk assessments for your practice. While you can run these internally, it’s very easy to overlook major issues, which is why many practices have an experienced third party perform risk assessments on their behalf.

What is a HIPAA security risk assessment & why is it important?



A typical security risk assessment performs three functions:

  1. Review existing security of protected health information
  2. Identify threats and vulnerabilities
  3. Assess risk for likelihood and impact

Upon completion, a typical security risk assessment report will provide recommendations for mitigating security risk and monitoring results. Your report will include the following items for review:

  1. Questions you were asked in the assessment
  2. Risks found, expressed as “TVS” or “Threat Vulnerability Statements”
  3. Risk rating of each threat, often defined as “Low”, “Medium”, or “High”
  4. Existing control measures applied (answers to the questions that were asked)
  5. Recommended control measures (RCM), pre-designated by the ONC

Security risk assessments are required by HIPAA. Regular assessments help ensure compliance with all safeguards to protect your patients’ information.

Vulnerabilities can lead to breaches of sensitive information, which carry the following repercussions, as listed by HIPAA:

  • Settlements
  • Fines ranging anywhere from $100 - $50,000 per violation or per medical record
  • Criminal penalties including imprisonment (depending on the nature of the violation)
  • Exclusion from Medicare

Note: It’s crucial to address identified issues ASAP, especially if you participate in the MACRA programs (MIPS & APMs). During an audit, your most recent security risk assessment will be one of the first things auditors ask for.

How can you prevent HIPAA security problems?

Risks come from insecure processes, people, or technology. Here are some basic steps you can take to ensure compliance:

  1. DOCUMENT any and all steps you take to manage risks
  2. Employee training - HIPAA, OSHA, and Texas House Bill 300
    1. You have 90 days to either verify or provide this training to new employees
  3. 24/7 monitoring over your local IT infrastructure
    1. Consider remote monitoring and management of IT to catch problems ASAP
  4. Operate your network as a simple workgroup environment rather than a domain-based network

If you work with a risk assessment expert, you’ll receive personalized recommendations based on your full assessment.

Sample HIPAA Security Risk Assessment for Small Physician Practices

Below are some common questions you may find in a security risk assessment for physician practices. You can start by reviewing these questions internally, but it is highly recommended that you get an assessment from an objective, experienced third party to ensure compliance.



Download a PDF version of this sample HIPAA security risk assessment here.

Want more info about compliance & liability reduction? Check out this related post on OIG Exclusion Lists, or visit our page on Healthcare Compliance & Liability Reduction Services.
