What's Required For An Annual HIPAA IT Risk Assessment?


For 13 years running, the most expensive data breaches recorded have been in the healthcare industry.

According to IBM’s Cost Of A Data Breach Report 2023, the average cost of a healthcare data breach was $10.93 million, more than double the overall average cost of a data breach at $4.45 million. 

What’s more, healthcare data breach costs have risen 53.3% since 2020. 

“Healthcare faces high levels of industry regulation and is considered critical infrastructure by the US government,” the report states.

A compromised record is defined in the report as “information that reveals confidential or proprietary corporate, governmental or financial data, or identifies an individual whose information has been lost or stolen in a data breach.” 

The report goes on to provide examples of compromised records:

  • An individual’s name or credit card information
  • Other personally identifiable information
  • A health record with the policyholder’s name and payment information.

Beyond the cost of remediating the breach, healthcare organizations may be subject to fines from the U.S. Department of Health and Human Services Office for Civil Rights (OCR).

The OCR received more than 360,000 complaints between April 2003 and May 2024, resolving more than 99 percent of them

To help keep your healthcare practice in compliance with HIPAA, you’ll need to conduct an annual HIPAA security risk assessment. 


What Is A HIPAA Risk Assessment? 

Among other provisions, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandates that healthcare providers and organizations adopt federal protections for protected health information (PHI). 

A HIPAA risk assessment, then, helps these organizations ensure it’s compliant with HIPAA’s administrative, technical, and physical safeguards by identifying vulnerabilities, mitigating risks, and ensuring the protection of PHI.

These assessments must be conducted by covered entities, such as healthcare providers, insurers, and business associates. 


5 Key Components Of A HIPAA Risk Assessment

A HIPAA risk assessment typically features five key components. 


1. Data Collection

First, identify what data needs to be collected as part of the assessment process, including PHI and electronic PHI (ePHI).


2. Identify Potential Threats and Vulnerabilities

Organizations must also identify and document vulnerabilities and other potential threats facing the organization concerning PHI. 

Common threats include cyberattacks and unauthorized access, while common vulnerabilities typically include outdated software and a lack of encryption. 


3. Assess Current Security Measures

Once threats and vulnerabilities have been identified, assess what security measures are currently in place and evaluate their effectiveness. 

For example, are policies and procedures documented? 

What users have access to which information?

Are employees trained on security awareness regularly?  


4. Determine the Likelihood and Impact of Threats

Then, determine the likelihood that an incident occurs based on the threats and vulnerabilities. 

For instance, IBM’s Cost Of A Data Breach Report 2023 found that the two most common attack vectors are phishing and stolen or compromised credentials. 

The likelihood of these threats (and more) and their impact should be considered in the risk assessment. 


5. Risk Mitigation Strategies

Finally, risk mitigation strategies should be evaluated. 

For example, does the organization need to implement new security measures? 

And, what existing security measures should be enhanced? 

4 Common Challenges For HIPAA Risk Assessments And How To Overcome Them

Organizations face a variety of challenges in completing their annual HIPAA risk assessments. 

Here are the most common ones we see. 


1. Lack of Resources

Organizations may have limited resources to complete their risk assessments, such as staff and budget constraints. 

If an organization only has one or two IT people on staff, it could burden their workload at the expense of other tasks they need to complete. 

Organizations may elect to complete a downloadable HIPAA Security Risk Assessment tool to help guide them through the process. 


2. Keeping Up With Technology

What’s more, internal IT resources that are already stretched thin may miss the latest evolving technology and threats. 

It’s challenging to stay on top of everything as a small team. 


3. Complexity of Regulations

HIPAA is complex and its language can be misunderstood. 

For PHI, HIPAA has two key basic provisions:

  1. HIPAA Privacy Rule - Requires protected health information to be covered in any medium.
  2. HIPAA Security Rule - Requires electronic protected health information to be covered.

However, the regulation and compliance requirements are much more nuanced. 


4 Benefits of Regular HIPAA Risk Assessments

HIPAA suggests risks are subject to periodic review and updates, but doesn’t explicitly guide how often risk assessments should be conducted.

We generally recommend a best practice that healthcare organizations complete an annual risk assessment. 


1. Enhanced Security 

A regular review of HIPAA safeguards will result in the improved protection of PHI, mitigating the risk of a breach. 


2. Regulatory Compliance

Further, we’ve already learned that the OCR has pursued hundreds of thousands of complaints. 

They’ve also imposed penalties of more than more than $142 million for 145 cases—almost $1 million per fine. 

As a result, businesses that maintain compliance can avoid the cost of repairing a data breach and the regulatory penalty that could come with it. 


3. Trust and Reputation

Safeguarding the PHI of an organization builds trust with patients and partners, demonstrating a commitment to data security.

Many U.S. consumers are quick to abandon a brand after it experiences a data breach—Vercara found that “75 percent of consumers (expressed) their readiness to sever ties with a brand in the aftermath of any cybersecurity issue.” 


4. Operational Efficiency

By identifying and addressing inefficiencies in security protocols—especially as current threats evolve and new threats emerge—an organization should become more productive.

Plus, many organizations struggle with finding a partner to conduct a risk assessment before the end of the year. 

Doing so earlier in the year allows the staff or the partner to provide a more thorough review, allowing organizations to achieve compliance on time. 


The Role Of Managed IT Services In HIPAA Compliance

We’ve found it’s best to come alongside a smaller existing IT team within an organization. 

A managed IT service provider can provide external expertise and support, ongoing monitoring, and an overall cost savings. 


Expertise and Support

Earlier, we mentioned that internal teams may not have the expertise or availability needed to support their practice. 

Partnering with a managed IT service provider instantly brings those factors to the organization. 

MSPs are continually providing risk assessments for their clients, so they can easily identify gaps and make the recommendations required for compliance. 


Ongoing Monitoring and Updates

We’ve already seen how healthcare records are the most sought after by bad actors. 

A managed IT service provider can be a resource for continuous monitoring and updating, freeing up internal IT staff for other initiatives within the business.  


Cost-Effective Solutions

Oftentimes, our analysis shows that working with an outsourced IT provider saves a practice money. 

Not only can employee headcount stay low, but an outsourced partner has the resources required for business continuity. 

If, for example, an employee leaves one day, the partner can pick up where that employee left off. 


Final Thoughts

HIPAA risk assessments should be a continual piece of the IT landscape—healthcare records are constantly under attack because they’re the most valuable for bad actors. 

Even though regulatory compliance is the main driver of performing these assessments, we believe that maintaining compliance with HIPAA is the most secure, cost-effective, and efficient solution when compared to detecting and responding to a data breach.

Consider partnering with a healthcare IT support partner like Integrity for your next HIPAA assessment.

New Call-to-action

Read On