What is a Security Risk Assessment and Why Does My Practice Need One?

Published: September 20th, 2018

According to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, covered entities (CEs) and business associates (BAs) that have access to electronic protected health information (ePHI) are required to implement the safeguards necessary to protect it.

This includes, but is not limited to, conducting a security risk analysis to meet the standards of the HIPAA Security Rule. Any security updates or deficiencies uncovered should also be included in the healthcare organization’s risk management process so that they are implemented or corrected accordingly.

Why is this important?

Today the large majority of patient health information is stored electronically, so the risk of a breach of electronic protected health information (ePHI) is very real. In fact, around 1.13 million patient records were compromised in 110 healthcare data breaches within the first quarter of 2018, according to the Protenus Breach Barometer. (2)

By conducting risk assessments, healthcare organizations are able to uncover vulnerabilities within their security policies, processes, and systems. Risk assessments can also help providers address weaknesses, potentially preventing health data breaches and other adverse security events.

There is no “best practice” or single method of conducting a risk analysis that can guarantee compliance, but the Office for Civil Rights (OCR) has provided some helpful guidance to consider (1):

Performing a Security Risk Analysis:

  • Outline the scope of the risk analysis and collect the relevant data.
  • Identify potential threats to the security of your practice’s ePHI and vulnerabilities to patient privacy.
  • Measure the effectiveness of security measures implemented.
  • Determine the likelihood a particular threat will occur and the impact such an occurrence might have to ePHI.
  • Determine risk levels based on the likelihood and impact of a threat occurrence.
  • Prioritize the mitigation of identified risks based on the severity of their impact.
  • Document all steps in your risk analysis including results.
  • Review and update your risk analysis on a periodic basis.

Creating an Action Plan

Once you have performed your risk analysis, the next step is to implement an action plan to safeguard ePHI. The HIPAA Security Rule requires medical practices to implement reasonable and appropriate safeguards to protect patient ePHI, while allowing practices to tailor security policies, procedures, and technologies to their unique size, complexity, and capabilities.

Need Help with a Security Risk Assessment?

MedSafe is the nation's leading one-stop resource for outsourced safety and health compliance solutions in healthcare. If you have questions regarding a Security Risk Assessment for your medical practice, contact the experts at MedSafe for a free consultation.

Toll-free: (888) MED-SAFE


  1. https://www.cms.gov/Regulations-and-Guidance/Legis...
  2. https://healthitsecurity.com/news/1.13m-records-ex...