Ounce of Prevention: Is It Time to Perform a Security Risk Assessment?

April 5, 2024
Applicable Provider Types: All

Is Your Entity in Compliance?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), as modified by the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), requires covered entities and their business associates to implement policies and procedures to prevent, detect, contain and correct security violations. Under the HIPAA Security Rule, entities must “periodically” perform a security risk assessment, which can be scaled to the size and sophistication of the entity. While the general approach is to perform one annually, some organizations do so every two years and others every three years.

An organization undertaking a risk assessment must thoroughly assess the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information (ePHI). Larger entities that have the resources may engage a third party to perform the assessment. For small and medium entities, the Office of the National Coordinator for Health Information Technology (ONC) and the Department of Health and Human Services Office for Civil Rights (OCR) collaborated to develop a security risk assessment (SRA) tool, which can be accessed on the HealthIT.gov website.

Following completion of a security risk assessment, entities must implement security measures sufficient to reduce the risks and vulnerabilities identified to a reasonable and appropriate level. Risk mitigation is an ongoing effort and organizations should develop a living risk-management plan based on the results of each risk assessment, adapting the plan as risks change throughout the organization’s life cycle.

If an organization fails to perform a risk assessment and/or fails to implement security measures to address risks and vulnerabilities and suffers a breach of ePHI, the organization may be subject to increased scrutiny and fines.

How to Confirm?

While the frequency of risk assessments is an organization’s decision, if more than one year has passed since the last risk assessment, the organization should consider performing one. OCR suggests that organizations ask the following questions to identify potential security risks:

  • What type of ePHI does your organization create, receive, maintain or transmit, and where does it reside? Understanding the data map and how data flows within the organization is critical for identifying potential vulnerabilities and risks.
  • What are the external sources of ePHI? For example, do vendors or consultants create, receive, maintain or transmit ePHI on the organization’s behalf? As an organization builds relationships with outside parties that handle its ePHI, it should use those relationships to ensure ePHI is transmitted and stored securely.
  • What are the human, natural and environmental threats to information systems that contain ePHI? After identifying the threats to the ePHI an organization stores or transmits, address the risks those threats pose and document the measures taken.

Using the SRA tool helps organizations identify risks, document those risks in one central location and evaluate how risks change as the organization grows between SRAs. The SRA tool also provides a roadmap for documenting the security measures needed to address identified risks and vulnerabilities as they change over time.

For questions about SRAs, McGuireWoods attorneys can assist.


Ounce of Prevention is a McGuireWoods series that details healthcare laws and regulations and offers tips on how providers can ensure they are in compliance. To recommend a topic for a future installment, email Gretchen Heinze Townshend at [email protected] or Tim Fry at [email protected].
