Privacy and Security Update: Risk Analysis for Health Care Professionals

January 31, 2013 Cathy Bryant

Did you know that HIPAA requires health care providers to conduct a risk analysis?

Two sets of rules were adopted to implement the provisions of HIPAA: the Privacy Rule and the Security Rule. The Privacy Rule applies to all forms of protected health information — oral, written, or electronic. The Security Rule applies only to electronic protected health information (ePHI).

Under the Security Rule, covered entities are required to conduct a risk analysis of ePHI exposures. A risk analysis is defined as “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.” A requirement of the Security Management Process standard in the Security Rule states that all covered entities must “implement policies and procedures to prevent, detect, contain, and correct security violations.” (1)

Your practice could be at risk for violations of the Security Rule if you:

  • have electronic health records;
  • have not conducted a risk analysis; and
  • are audited or investigated for compliance with HIPAA.

While the Security Rule does not prescribe a required methodology for a risk analysis, below are three options to consider.


One simple way to start is to print a copy of the HIPAA Security Matrix, found on pages 10-11 of Security 101 For Covered Entities available at:

Physicians, office staff, and IT support personnel can make notes in the margins describing what they are currently doing and what may need work. Notes should be maintained in an easily retrievable format, such as a three-ring binder or a shared folder on the network.


The second option is based on HIPAA Security Series #6 – Basics of Risk Analysis and Risk Management. The steps below provide a guide for physicians and key staff to conduct a risk analysis. For each step, the publication provides more detail on the actions to take.

Step 1. Identify the scope of the analysis

Step 2. Gather data

Step 3. Identify and document potential threats and vulnerabilities

Step 4. Assess current security measures

Step 5. Determine the likelihood of threat occurrences

Step 6. Determine the potential impact of threat occurrence

Step 7. Determine the level of risk

Step 8. Identify security measures and finalize documentation (1)

More information can be found at:


A comprehensive risk assessment flow chart can be found in the publication Risk Management Guide for Information Technology Systems. (2)

Many other risk analysis options exist, including engaging consultants and attorneys who specialize in HIPAA Privacy and Security. The option you choose should be based on which solution best fits the time, knowledge, and resources available to your practice.

TMLT has developed an additional resource for physicians: a privacy and security toolkit, which includes customized service proposals to assist practices with risk analysis. For a copy of the toolkit, contact Stephanie Downing at 800-580-8658, extension 4884.


  1. U.S. Department of Health and Human Services. HIPAA Security Series #6: Basics of Risk Analysis and Risk Management. Available at Accessed January 2, 2013.
  2. National Institute of Standards and Technology (NIST). Risk Management Guide for Information Technology Systems. Available at Accessed January 2, 2013.

About the Author

Cathy Bryant

Cathy joined TMLT in 2010 and serves as the Senior Compliance and Risk Management Manager. Cathy leads the development and implementation of TMLT’s cyber risk management services. Cathy Bryant can be reached at
