
HIPAA Security Risk Assessment: The Complete Guide for Businesses

In February 2024 the ransomware group BlackCat/ALPHV got into Change Healthcare’s network through a remote-access portal that lacked multi-factor authentication, using compromised credentials. The breach exposed the protected health information of roughly 190 million individuals and, by parent company UnitedHealth Group’s own accounting, generated about $2.457 billion in total cyberattack expenses.

It was the largest healthcare data breach in United States history, and it happened because a serious security gap went unnoticed. A HIPAA security risk assessment is the formal process that finds those gaps before attackers do.

Organisations that neglect this step face civil monetary penalties of up to roughly $2.19 million per violation category per calendar year at the current inflation-adjusted rates, enforced by the Office for Civil Rights (OCR). Even so, OCR repeatedly reports that failure to perform an accurate and thorough risk analysis is one of the most frequent HIPAA violations uncovered in its audits and investigations.

This guide covers what a HIPAA security risk assessment is, who must perform one, the step-by-step procedure, checklists for each safeguard category, common mistakes, and cost estimates, so that you can protect your organisation from penalties and reputational damage.

Key Takeaways

  • Definition: A HIPAA security risk assessment is a federally mandated examination of the threats, vulnerabilities, and risks to electronic protected health information (ePHI).
  • Coverage: The HIPAA Security Rule requires both covered entities and business associates (and their subcontractors) to complete it.
  • Categories: There are three categories: the Security Risk Assessment (mandatory under the Security Rule), the Breach Risk Assessment, and the Privacy Risk Assessment.
  • Fines: Base statutory penalties run from $100 to $50,000 per violation; at the current inflation-adjusted rates OCR penalties range from $145 to $73,011 per violation, capped at about $2.19 million per violation category per calendar year.
  • Procedure: The assessment follows nine steps: scope, inventory, threat identification, control evaluation, likelihood assessment, impact assessment, risk level assignment, risk management plan development, and documentation.
  • Checklist: A list of the administrative, physical, and technical safeguards every organization must have in place.

What Is a HIPAA Security Risk Assessment?

A HIPAA security risk assessment is an organised analysis of the threats and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information (ePHI) that an organization creates, receives, maintains, or transmits.

The obligation comes from the HIPAA Security Rule’s administrative safeguards, specifically the risk analysis implementation specification at 45 CFR 164.308(a)(1)(ii)(A). Under HHS guidance, the rule requires covered entities and business associates to evaluate all potential risks and vulnerabilities to the ePHI they hold.

The Security Rule also requires organisations to review and update the assessment whenever operational or environmental changes occur. New software deployments, workforce reorganisations, new vendor relationships, and newly emerging cyber threats all trigger a reassessment.

HIPAA Security Risk Assessment vs. HIPAA Risk Analysis

HIPAA risk analysis is the broader regulatory term used in 45 CFR 164.308(a)(1)(ii)(A). It refers to the ongoing organisational process of identifying and evaluating risks to ePHI.

The HIPAA security risk assessment is the formal, documented execution of that risk analysis: the actual project your team completes, including scoping, inventory, threat identification, impact assessment, and the final report.

A distinct breach risk assessment is also introduced by the HIPAA Breach Notification Rule at 45 CFR 164.402. This reactive assessment determines if an unapproved PHI disclosure qualifies as a reportable breach. 

The four basic elements include:

  • The type and volume of PHI involved, 
  • who accessed it, 
  • whether it was truly viewed or obtained, 
  • and the degree to which the risk has been reduced

Unless that assessment demonstrates a low probability that the PHI was compromised, the incident is presumed to be a breach and the organization must notify the affected individuals and HHS.

Which Organizations are Required to Conduct a HIPAA Risk Assessment?

Covered entities, business associates, and their subcontractors are all required to conduct a comprehensive HIPAA risk assessment. Each is discussed below.

1. Covered Entities 

Organisations that directly handle PHI while delivering or funding healthcare services are considered covered entities. This group consists of the following organizations:

  • Healthcare providers: hospitals, doctors’ offices, dentists, pharmacies, and nursing homes.
  • Health plans: Medicare/Medicaid programs, employer-sponsored health plans, HMOs, and health insurers.
  • Healthcare clearinghouses: organisations that convert health information between non-standard and standard formats.

2. Business Associates

Business associates are companies or individuals that perform functions on behalf of covered entities and create, receive, maintain, or transmit PHI in the process. Typical examples include:

  • Providers of cloud hosting and storage for ePHI
  • Companies that handle billing and revenue cycles
  • Vendors of electronic health records (EHRs)
  • IT-managed service providers with access at the system level
  • Accounting and legal firms that deal with patient-level data

Under the HITECH Act and the 2013 Omnibus Rule, business associates are directly liable for HIPAA violations. A subcontractor that processes or accesses ePHI on behalf of a business associate is likewise bound by the HIPAA Security Rule and must conduct its own risk assessment.

What are the 3 Types of HIPAA Security Risk Assessment

The three types of HIPAA risk assessment are:

  • HIPAA Security Risk Assessment under 45 CFR 164.308 
  • Breach Risk Assessment
  • Privacy Risk Assessment

Here is a brief description of each.

1. HIPAA Security Risk Assessment Under 45 CFR 164.308 

Every covered entity and business associate is legally required to perform this foundational assessment. It evaluates threats to ePHI across the administrative, physical, and technical safeguard domains. Retain the documentation, including the date of each review and who performed it.

2. Breach Risk Assessment

A suspected breach triggers this assessment. Its purpose is to determine whether an incident qualifies as a reportable breach under the HIPAA Breach Notification Rule. An organization may treat an incident as non-reportable only if a documented assessment of all four factors shows a low probability that the PHI was compromised. Without that documented assessment, the organization must notify HHS and the affected individuals.

3. Privacy Risk Assessment

This assessment evaluates risks to patient rights and to the proper use and disclosure of PHI under the Privacy Rule. It compares actual organisational practice against consent processes, access control policies, and data-sharing agreements. Its importance grows as healthcare organisations adopt patient portals, telemedicine platforms, and health information exchanges.

Why Businesses Cannot Afford to Skip a Risk Assessment

1. Heavy OCR Penalties and Fines

There are serious and well-established financial repercussions for neglecting or failing to complete a HIPAA security risk assessment. OCR uses four culpability-based penalty tiers to enforce HIPAA:

  Tier                                            Minimum per violation   Maximum per violation
  Lack of knowledge                               $145                    $73,011
  Reasonable cause                                $1,461                  $73,011
  Willful neglect, corrected within 30 days       $14,602                 $73,011
  Willful neglect, not corrected within 30 days   $73,011                 $2,190,294

These are the 2025 inflation-adjusted amounts; the base statutory range is $100 to $50,000 per violation. For every tier, penalties for identical violations are capped at $2,190,294 per calendar year.

Source: What are the Penalties for HIPAA Violations?

Read through OCR’s resolution agreements and one finding recurs: the organization lacked a documented, accurate, and thorough risk analysis.

2. Serious Business Expenses and Reputational Damage

The direct business costs of a breach caused by ignored risks are significant and go well beyond OCR fines. According to the IBM Cost of a Data Breach Report 2024, the average healthcare data breach costs $9.77 million, more than in any other industry. Additional costs include:

  • Expenses associated with breach notification include legal representation, mailing fees, and credit monitoring for impacted parties.
  • Operational disruption includes staff reallocation, recovery expenses, and system outages.
  • Reputational harm includes declining community trust, patient attrition, and lost referrals.

How OCR Audits Target Gaps

The risk assessment is the primary source of evidence in OCR’s audit protocol. The first thing auditors request is the written assessment documentation. They then compare the risks you recorded against the safeguards you actually implemented. OCR audits frequently reveal the following gaps:

  • Evaluations that focus on a single system or site rather than all of the organization’s ePHI
  • Once an assessment is finished, it is never updated following system or operational changes.
  • Assigning risk levels without a defined approach or justification
  • Plans for risk management that are in place on paper but don’t demonstrate actual execution
  • There is no record of who performed the evaluation or their credentials.

How to Perform a HIPAA Security Risk Assessment

The SRA Tool v3.6 is a free, structured resource created by HHS and ONC for smaller organisations. Larger organisations typically follow NIST SP 800-66 (Implementing the HIPAA Security Rule) or NIST SP 800-30 (Guide for Conducting Risk Assessments), and the NIST Cybersecurity Framework (CSF) is a widely used way to map controls.

Whichever methodology you select, HHS guidance on risk analysis expects the following elements to be present and documented.

1.  Define the Scope

Establish the precise parameters of your evaluation first. All ePHI created, received, maintained, or transmitted by your organization must be covered by the scope. This comprises:

  • Every physical location where ePHI is kept or accessible
  • Every database, application, and information system that handles ePHI
  • Every workforce member who handles ePHI
  • Every vendor and subcontractor that has access to your systems

HHS guidance requires organisations to include all ePHI regardless of the particular electronic medium in which it is created, received, maintained, or transmitted. Enforcement actions have repeatedly criticised partial assessments as inadequate.

2. List Every ePHI Location

Record every place in your organization where ePHI is present. Build a data flow map showing where ePHI enters, how it moves between departments and systems, where it is stored, and where it leaves. Include mobile devices, cloud storage platforms, on-premises servers and workstations, email, backup media, and medical devices that transmit patient data.

Every subsequent stage is built upon this inventory. You cannot evaluate the risks associated with data that you have not recorded.

3. Determine Risks and Vulnerabilities

Once the ePHI inventory is complete, identify realistic threats: situations or events that could compromise your ePHI. Following NIST SP 800-30 and HHS guidance, threats fall into three categories:

  • Human threats: phishing attacks, ransomware, insider abuse, social engineering, and unintentional workforce mistakes.
  • Environmental threats: fire, flooding, power outages, and natural disasters.
  • Technical threats: malware, unpatched software, system failures, and misconfigured systems.

For each threat, identify the corresponding vulnerabilities, the weaknesses that the threat could exploit. Record them as threat-vulnerability pairs, since that is the unit every later step rates.

4. Assess Present Security Protocols

Examine your current technical, administrative, and physical security measures. Assess each control’s presence, functionality, and suitability for addressing the threat-vulnerability pairings found in Step 3.

Keep a record of your real controls, not just your ideal ones. OCR auditors request proof that measures are in place rather than merely outlined in a policy document. 

5.  Determine Likelihood of Threats

Rate the likelihood of each threat-vulnerability pair on a documented scale. Most organisations use a three-level scale:

  • High: Given the organization’s threat environment and existing weaknesses, the danger is likely to materialise.
  • Medium: Given current circumstances and controls, the threat may materialise but is uncertain.
  • Low: Considering the organization’s profile and current security measures, the threat is unlikely.

Likelihood ratings should reflect your particular context: the kinds of data you hold, the threat landscape in your sector, the size of your workforce, and the current state of your control environment. The threat source and threat event catalogues in the appendices of NIST SP 800-30 support this process.

6.  Assess Impact Levels

Evaluate the possible effects of each threat if it materializes. Think about:

  • The volume and sensitivity of the ePHI that could be affected
  • Whether the effects would be long-term or short-term
  • Whether there is a direct risk to patient safety
  • The implications for your company’s finances, legal status, and reputation

Using the same High, Medium, or Low scale used for likelihood, assign impact ratings. Maintaining consistency in your rating process is crucial for both auditability and defendability.

7. Determine Risk Levels

Combine the likelihood and impact ratings of each threat-vulnerability pair into an overall risk level. A standard risk matrix makes this straightforward. Prioritise remediation by risk level: high and critical risks require prompt action, medium risks need a documented remediation timeline, and low risks may be formally accepted with the decision recorded.

8. Create a Plan for Risk Management

Assigning risk levels does not finish the job. The risk management implementation specification at 45 CFR 164.308(a)(1)(ii)(B) requires organisations to act on the findings of the assessment. For every identified risk, record:

  • The specific corrective measure or compensating control to be put in place
  • The accountable individual, such as a department manager, CISO, IT lead, or HIPAA compliance officer
  • The target completion date
  • The expected level of residual risk once the control is implemented

A sustainable plan also includes ongoing vulnerability management and threat monitoring, so that new risks enter the register as they appear.

9. Proper Documentation of Everything

45 CFR 164.316(b)(2)(i) requires covered entities and business associates to retain the policies, procedures, and records that document Security Rule compliance for at least six years from the date of their creation or the date they were last in effect, whichever is later.

The following must be included in your risk assessment documentation:

  • The assessment’s specified scope
  • The approach (NIST SP 800-30, SRA Tool v3.6, or another)
  • The data flow map and ePHI inventory
  • The process and conclusions of identifying threats and vulnerabilities
  • Impact and likelihood ratings with supporting documentation
  • The calculated risk levels and the risk matrix
  • The risk management strategy with designated owners and deadlines
  • Proof of management approval and review
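
The nine steps above, carried through as a small risk register. This is an added example written for this guide, not code from HHS, OCR or the SRA Tool: the clinic’s assets, threat-vulnerability pairs, ratings, owners, remediation windows (30 days for High, 90 for Medium, formal acceptance for Low) and the banding of likelihood x impact scores into Low/Medium/High are all assumptions chosen to illustrate the method, and you would substitute your own documented scale.

```python
"""Risk register for a HIPAA security risk assessment, covering Steps 2 to 9.

Added example, not code from HHS, OCR or the SRA Tool. The assets, threats,
ratings, owners and remediation windows are constructed for illustration, and
the banding of likelihood x impact scores is an assumption to replace with
your own documented scale."""
from dataclasses import dataclass, asdict
import json

LEVELS = {"Low": 1, "Medium": 2, "High": 3}

# Assumed remediation policy (Step 7): High within 30 days, Medium within 90,
# Low may be formally accepted with a written rationale (no deadline).
REMEDIATION_DAYS = {"High": 30, "Medium": 90, "Low": None}


def risk_level(likelihood: str, impact: str) -> str:
    """Documented, repeatable method (Step 7): multiply the two ratings and band.

    Possible scores are 1, 2, 3, 4, 6 and 9. The bands are written into the
    report so an auditor can see how every level was derived."""
    score = LEVELS[likelihood] * LEVELS[impact]
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


@dataclass
class Risk:
    asset: str                # entry from the ePHI inventory (Step 2)
    threat: str               # Step 3
    vulnerability: str        # Step 3
    existing_controls: str    # what is actually in place, not policy intent (Step 4)
    likelihood: str           # Step 5
    impact: str               # Step 6
    owner: str                # accountable person (Step 8)
    remediation: str          # corrective or compensating control (Step 8)
    residual_likelihood: str  # expected rating after remediation (Step 8)
    residual_impact: str

    def inherent_level(self) -> str:
        return risk_level(self.likelihood, self.impact)

    def residual_level(self) -> str:
        return risk_level(self.residual_likelihood, self.residual_impact)

    def deadline_days(self):
        return REMEDIATION_DAYS[self.inherent_level()]


# Constructed register for a small two-site clinic (illustrative only).
REGISTER = [
    Risk("Remote-access portal (clinicians, vendors)", "Credential theft via phishing",
         "Portal accepts password-only logins", "Password complexity policy",
         "High", "High", "IT lead",
         "Enforce MFA on the portal; disable legacy authentication", "Low", "High"),
    Risk("Clinician laptops (12)", "Loss or theft of device",
         "Disk encryption missing on 4 laptops", "Asset inventory, cable locks",
         "Medium", "High", "Security Officer",
         "Full-disk encryption with escrowed recovery keys", "Medium", "Low"),
    Risk("Imaging workstation", "Ransomware / malware",
         "Vendor OS image is 18 months behind on patches", "Segmented from the EHR network",
         "Medium", "Medium", "IT lead",
         "Agree a vendor patch schedule; block outbound internet access", "Low", "Medium"),
    Risk("Nightly EHR backup", "Backup media failure",
         "Restores have never been tested", "Offsite copy exists",
         "Low", "Medium", "Practice manager",
         "Quarterly documented restore test", "Low", "Low"),
]


def prioritise(register):
    """Highest inherent score first, so remediation effort follows risk."""
    return sorted(register, key=lambda r: LEVELS[r.likelihood] * LEVELS[r.impact],
                  reverse=True)


def build_report(register, scope: str, methodology: str) -> dict:
    """Assemble the Step 9 record: scope, method, the matrix and every rated risk."""
    return {
        "scope": scope,
        "methodology": methodology,
        "risk_matrix": {f"{l} x {i}": risk_level(l, i) for l in LEVELS for i in LEVELS},
        "risks": [dict(asdict(r), inherent_level=r.inherent_level(),
                       residual_level=r.residual_level(),
                       remediation_due_days=r.deadline_days())
                  for r in prioritise(register)],
    }


if __name__ == "__main__":
    report = build_report(
        REGISTER,
        scope="All ePHI at both clinic sites: cloud EHR, email, billing platform, "
              "backups, imaging devices and portable devices",
        methodology="Qualitative 3x3 likelihood x impact matrix (NIST SP 800-30 style)",
    )
    print(json.dumps(report, indent=2))
```

Running the script prints the report as JSON. The part worth copying is the structure rather than the numbers: the matrix is written into the report beside the risks it rated, every risk carries an owner, a deadline and a residual rating, and the scope statement names every ePHI medium, which is exactly what the audit gaps listed earlier would otherwise expose.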

HIPAA Security Risk Assessment Checklists

Administrative Safeguards Checklist

  • Security management process is formally documented under 45 CFR 164.308(a)(1)
  • A designated Security Officer is assigned and accountable
  • A Privacy Officer oversees privacy policies and patient rights
  • Workforce security procedures address authorization, supervision, and termination
  • Information access management restricts ePHI access to the minimum necessary
  • Role-based access controls are implemented and documented
  • Security awareness training is provided at hiring and at least annually thereafter
  • Phishing simulations or awareness exercises are conducted periodically
  • A contingency plan covers data backup, disaster recovery, and emergency operations
  • A sanction policy is in place and actively enforced
  • A formal evaluation procedure triggers reassessment after operational or environmental changes
  • Business Associate Agreements are executed with all applicable business associates

Physical Safeguards Checklist

  • Facility access controls restrict unauthorized entry to areas where ePHI is stored or accessed
  • Visitor access logs are maintained for restricted areas
  • Workstation use policies define security responsibilities for each workstation touching ePHI
  • Workstations are positioned to prevent unauthorized screen viewing
  • Device and media controls govern receipt, removal, backup, and disposal of hardware
  • Hard drives and portable media are securely wiped or destroyed before disposal
  • Portable devices are encrypted, inventoried, and tracked
  • Physical security measures protect server rooms and data infrastructure

Technical Safeguards Checklist

  • Unique user IDs are assigned to all individuals who access ePHI
  • Multi-factor authentication (MFA) is enforced on all systems containing ePHI
  • Automatic logoff is configured on workstations after inactivity
  • Encryption protects ePHI at rest and in transit
  • Audit controls log system activity involving ePHI
  • Audit logs are reviewed regularly for anomalies and unauthorized access
  • Integrity controls verify ePHI has not been improperly altered or destroyed
  • Transmission security (TLS) protects ePHI during electronic transfer, with legacy SSL and weak cipher suites disabled
  • Access controls enforce least-privilege principles across all systems
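
The audit control items above say what to log and that someone must review it; here is what a review actually looks like. This is an added example, not code from the page or from any EHR vendor. The log format, the access records and the treatment-relationship list are constructed, and the three rules (access outside business hours, clinical access to a patient the user is not assigned to, and more than 20 distinct patient records viewed within ten minutes) and their thresholds are assumptions to tune to your own environment.

```python
"""Scheduled review of an EHR access log for unauthorized or unusual ePHI access.

Added example, not code from the page or any EHR vendor. The log format, the
records and the treatment-relationship list are constructed, and the rules and
thresholds are assumptions to tune to your own environment."""
from collections import defaultdict
from datetime import datetime, timedelta

BUSINESS_HOURS = (7, 19)             # assumed: 07:00 to 18:59 local time
BULK_THRESHOLD = 20                  # assumed: more than 20 distinct patients ...
BULK_WINDOW = timedelta(minutes=10)  # ... within ten minutes is a bulk-access finding
CLINICAL_ROLES = {"nurse", "physician"}

# Constructed treatment-relationship list; in practice this comes from
# scheduling or the EHR itself.
ASSIGNED = {"jsmith": {"P1001", "P1002", "P1003"}, "rgomez": {"P1005"}}

# Constructed log lines: timestamp user role action patient_id
LOG_LINES = [
    "2025-03-03T09:12:44 jsmith nurse VIEW P1001",
    "2025-03-03T09:14:02 jsmith nurse VIEW P1002",
    "2025-03-03T09:20:15 jsmith nurse VIEW P1003",
    "2025-03-03T23:41:09 jsmith nurse VIEW P1001",      # after hours
    "2025-03-03T11:30:00 rgomez physician VIEW P2001",  # not an assigned patient
] + [f"2025-03-03T10:{5 + i // 6:02d}:{(i * 10) % 60:02d} tlee billing VIEW P{3000 + i}"
     for i in range(25)]                                 # 25 records in four minutes


def parse(line: str) -> dict:
    ts, user, role, action, patient = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "action": action, "patient": patient}


def review(lines) -> list:
    """Return one finding dict per rule hit; each is a lead for follow-up."""
    events = sorted((parse(ln) for ln in lines if ln.strip()), key=lambda e: e["ts"])
    findings, per_user = [], defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e)
        if not BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]:
            findings.append({"rule": "after_hours", "user": e["user"],
                             "patient": e["patient"], "ts": e["ts"].isoformat()})
        if e["role"] in CLINICAL_ROLES and e["patient"] not in ASSIGNED.get(e["user"], set()):
            findings.append({"rule": "no_treatment_relationship", "user": e["user"],
                             "patient": e["patient"], "ts": e["ts"].isoformat()})
    # Bulk access: sliding window over each user's events, counting distinct patients.
    for user, evs in per_user.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > BULK_WINDOW:
                start += 1
            distinct = {x["patient"] for x in evs[start:end + 1]}
            if len(distinct) > BULK_THRESHOLD:
                findings.append({"rule": "bulk_access", "user": user, "count": len(distinct),
                                 "window_start": evs[start]["ts"].isoformat()})
                break  # one finding per user is enough to trigger a review
    return findings


if __name__ == "__main__":
    for finding in review(LOG_LINES):
        print(finding)
```

Each finding is a lead, not a conclusion: the after-hours view may be an on-call nurse, and the billing user’s bulk access may be legitimate month-end work. What the checklist item needs is that the review runs on a schedule, that the rules and thresholds are written down, and that each disposition is recorded as an incident response record.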

Documentation Checklist

  • Written risk assessment report is complete and management-approved
  • ePHI inventory and data flow map are current
  • Risk management plan is documented with owners and target dates
  • All policies and procedures are in writing and accessible to relevant staff
  • Training completion records are maintained for all workforce members
  • BAAs are executed, current, and on file for all business associates
  • Incident response records document security incidents and outcomes
  • All documentation is retained for a minimum of six years per 45 CFR 164.316(b)(2)(i)

What are the Common Risk Assessment Mistakes Organizations Make?

Even organisations with the best of intentions make mistakes that compromise their evaluations. The gaps that OCR typically finds are as follows:

1. Gaps in risk management

The entire objective of the assessment is defeated if it is completed but no documented action is taken on the risks that were identified. Organisations must have in place a security management procedure that actively lowers risks to a reasonable and suitable level in accordance with 45 CFR 164.308.

2. Inadequate scope

One of the most common problems is assessing the EHR while neglecting email servers, cloud storage, billing platforms, and portable devices. OCR expects the assessment to cover all ePHI. In the 2016 Advocate Health Care enforcement action, the failure to perform an accurate, enterprise-wide risk analysis was a central finding.

Source: OCR Resolution Agreement, 2016.

3. Outdated evaluations 

The HIPAA Security Rule’s continuing requirement is not met by an evaluation that was finished three years ago and never reviewed. Reassessment is required for any major change, such as a new cloud provider, a system migration, or a reorganisation of the workforce.

4. Absence of a documented approach 

It is not a proper evaluation to assign risk levels without providing an explanation of how you arrived at them. Auditors must observe a documented, repeatable procedure. The SRA Tool v3.6 and NIST SP 800-30 both offer reputable, defendable frameworks.

5. Using uncustomized generic templates 

The exact ePHI locations, threat environment, and control gaps of your company are not reflected in downloaded checklists or template evaluations. For them to be valid, they must be tailored to your particular situation.

What is the Cost of Conducting HIPAA Security Risk Assessment?

Cost varies depending upon the size of the organization, the complexity of the system, and whether you hire a certified agency or do the assessment internally. Here are the methods that you can choose to conduct HIPAA security risk assessment. 

1. Using the SRA Tool v3.6

HHS and ONC’s SRA Tool v3.6, which is intended for small to medium-sized healthcare providers and guides users through each necessary component in a structured style, is free to download at healthit.gov. To properly complete it, significant staff time and acquaintance with the pertinent regulations are needed.

2. Engaging a Third-party 

A third-party assessment provides independence, specialised expertise, and a documented audit trail that carries weight with OCR. Whether to engage a HIPAA security risk assessment partner depends largely on the size of your organization: small practices typically pay between $2,000 and $8,000, while large organisations average between $25,000 and $100,000.

3. Conducting the Assessment Internally

The evaluation can be carried out internally by companies who have a CISO or HIPAA compliance officer. Staff time is the main expense; for a small to mid-sized business, this might range from 40 to 120 hours, depending on the number of systems and locations in scope.

So, what’s the solution? 

When assessing the expense, make a direct comparison with the cost of non-compliance. According to the IBM Cost of a Data Breach Report 2024, the average cost of healthcare data breaches is $9.77 million, which is the most of any industry for the fourteenth year in a row. A $5,000 assessment is direct, verified risk mitigation rather than an administrative cost.

The Final Verdict. What’s Next?

Your entire data protection program is built upon a HIPAA security risk assessment. Without it, you have no idea where your ePHI is kept, what could potentially harm it, or whether your present security measures are sufficient. With it, you have a clear plan for safeguarding your patients, employees, and company as well as a written, defendable record of due diligence.

FortNexShield performs certified HIPAA security risk assessments in collaboration with cybersecurity partners, business associates, and healthcare organisations throughout the United States. The operational realities that healthcare organisations deal with on a daily basis, the current threat landscape, and the regulatory framework are all understood by our team.

Prioritise this now rather than waiting for an OCR audit or a breach notification letter. Make an appointment with FortNexShield right now to begin the process of conducting a compliant HIPAA security risk assessment.

Under the HIPAA Security Rule, who is required to finish a HIPAA security risk assessment?

All covered entities and business associates must complete it. That includes healthcare providers, health plans, healthcare clearinghouses, and any organisation that creates, receives, maintains, or transmits ePHI on behalf of a covered entity. The obligation extends to business associates’ subcontractors.

What consequences result from failing to perform a HIPAA security risk assessment?

Base statutory penalties range from $100 to $50,000 per violation, with an annual cap per violation category that currently stands at $2,190,294 after inflation adjustment (per-violation amounts are adjusted to $145 to $73,011). The base minimum for each instance of willful neglect is $10,000 ($14,602 adjusted). OCR can also impose corrective action plans that subject the organization to ongoing compliance monitoring and reporting.

How frequently must a company perform a HIPAA security risk assessment?

There is no set interval specified by the HIPAA Security Rule. However, 45 CFR 164.306(e) demands revisions in response to changes in the environment or activities, as well as continuous risk analysis. The majority of compliance frameworks, such as NIST SP 800-66, advise a formal reevaluation at least once a year and right after every major modification.

What is a HIPAA security risk assessment and is it legally required?

A HIPAA security risk assessment is a documented analysis of threats, vulnerabilities, and risks to ePHI within your organization. Yes, it is legally required. The HIPAA Security Rule at 45 CFR 164.308(a)(1)(ii)(A) mandates that all covered entities and business associates conduct and document this assessment. Failure to comply exposes organizations to OCR penalties and significantly increases breach liability.

What is the difference between a HIPAA security risk assessment and a HIPAA risk analysis?

HIPAA risk analysis is the regulatory term for the ongoing process of identifying and evaluating threats to ePHI. The HIPAA security risk assessment is the formal, documented execution of that process. In practice the terms are often used interchangeably, although some organisations treat risk analysis as the continuing programme and the security risk assessment as the formal project completed within it.

How frequently should a HIPAA security risk assessment be carried out by our company?

At least once a year. Reassessment is also necessary if there is a change that could impact the security of ePHI, such as the introduction of new technology, changes in the workforce, mergers or acquisitions, new vendor partnerships, or the discovery of a security event. An annual cadence is recommended as best practice by both NIST SP 800-66 and the HITRUST Common Security Framework.

How much does a small firm have to pay for a HIPAA security risk assessment?

The free HHS/ONC SRA Tool v3.6 is a good starting point for small practices. Third-party support for a small practice usually costs between $2,000 and $8,000, depending on the number of sites and systems in scope. Set against OCR penalties for willful neglect, which start at a base of $10,000 per violation ($14,602 inflation adjusted), a proper assessment is straightforward risk management.