What a HIPAA Risk Analysis includes and why you need it for your cybersecurity risk management.


CReMaT’ed – Create, Receive, Maintain, Transmit

CIA – Confidentiality, Integrity, Availability


JPP Medical Record

OCR Guidance on Risk Analysis

Training Documentation for this episode


Kardon Compliance


Not a simple checklist it requires a lot of thought, data collection, and analysis.

The analysis part

  • Define where e-PHI is CReMaT’ed in your organization.
    • Not just the server that holds the EMR.
    • Cloud apps used, messaging tools, mobile devices, USB storage devices, home computers
    • Practice Management system and data analysis tools
    • Don’t forget to include downloads folders and temp folders on all PCs.
  • Do you need to worry about vendors or consultants – your BAs that may move data around your network, systems, etc.
    • If they handle it for you do you even know where it is going?
  • What are the threats to the CIA of the PHI that you have located and identified above?
    • Human
    • Natural
    • Environmental
  • What would be the impact to your business if the threat did act against your PHI?
    • Would it be a bump in the road or a sinkhole?
  • What is the likelihood this threat will actually act against your PHI?
    • Very likely down to not likely at all
  • With all this considered what level risk do you think this threat creates to your PHI?
    • High, Medium, or Low
  • Based on everything you know then you decide what you are going to do about the threat and the risk it presents?
    • Accept the risk is just part of doing business
    • Address the risk with some type of safeguards in your organization
    • Outsource the risk by hiring another company to handle managing it for you


The assessment part

  • At this point, you review that plan you have just made to address risks against what you are actually doing
    • Are doing everything you can to protect the PHI and meet your obligations under HIPAA laws from all those threats?
    • If you are outsourcing threat management, have you made sure your BAAs are in order?
    • If you are handling it internally do you have all the written policies and procedures
    • Is your staff trained to respond accordingly?
  • Once you complete that process you draw up your final report on what was determined during your analysis and assessment.
    • What actions need to take place to address those threats and what priority should be applied to them?

This is your full analysis and assessment report that you will use to inform your decision making process for your security policies and procedures.

It is also the report you will review and update on a regular basis. Sometimes minor updates are needed but other times you will need to do most of the whole thing over if there is a major change in your business.