
HIPAA Understood: Rule 164.308(a)(1)(ii)(A) Risk Analysis

This series is intended to help those required to comply with HIPAA understand what is required of them. Regulatory standards are often difficult to understand because they are worded vaguely. By the end of this series, you will have a better understanding of what HIPAA requires of you. In addition, I will provide suggestions on how to achieve compliance based on what I have seen work most effectively.


This week we will discuss risk analysis as it pertains to HIPAA, and how to achieve compliance with this implementation specification of the HIPAA Security Rule (it sits under the Security Management Process standard at 164.308(a)(1)):

“164.308(a)(1)(ii)(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.”

As with every regulatory rule, the text is not easily digested and its requirements are not always clear. Get used to this type of verbiage, and know that things are usually simpler than they first appear.

The gist of this rule is that a risk analysis needs to be performed, and its scope must include every place where PHI/ePHI is stored, processed, and/or transmitted. Note that the Security Rule itself is scoped to electronic PHI; if you do not know where your ePHI lives (workstations, servers, backups, mobile devices, cloud services, business associates), take an inventory first, because an analysis that misses a system cannot be "accurate and thorough".

When most people hear "risk analysis" they tend to overthink and overcomplicate the process, which ultimately leads to missing information or simply not performing the task. There is no need to overcomplicate this. The process can be as simple as meeting with key members of the organization to document the threats and vulnerabilities that could affect the confidentiality, integrity, and availability of your PHI/ePHI, along with the security measures you already have in place against them. If this method does not work for your organization, then pick one that does (HHS's own guidance on this rule follows the NIST SP 800-30 approach); the bottom line is you need a repeatable method for identifying risk.

Once you have identified these risks, assign each of them a risk rating based on the likelihood that the risk will occur and the impact it would have on your organization. A simple scale (for example, low/medium/high for both likelihood and impact) is enough, as long as you define the scale, apply it consistently, and can explain how each rating was reached. The rated list is what drives the next implementation specification, risk management (164.308(a)(1)(ii)(B)): the highest-rated items are the ones you address first.

As with all things HIPAA, you need to document this process, or it didn't/doesn't happen. Document the method and scope you used, not just the resulting list of risks, because that is what an auditor or an OCR investigator will ask to see. Since HIPAA does not specify a fixed interval for repeating the analysis, we revert to best practice, which dictates that a risk analysis should occur at least annually, and also whenever something material changes (a new system that handles ePHI, a migration, a new business associate, or a security incident). The previous year's risk analysis results should be used as the starting point for the current year's risk analysis, so you can show which risks were remediated, which remain, and what is new.