Importance of HIPAA Risk Assessment

Aug 13, 2020 1:00:00 PM / by Joy Youell

In 2019, the average HIPAA penalty cost $1,227,400 in fines. A HIPAA risk assessment essentially tests the security infrastructure of a medical center. The risk assessment will detect vulnerabilities and threats. Utilizing a risk assessment of your healthcare security system will alert you to the areas of security that you need to strengthen. Completing the mandatory HIPAA risk assessment could help you avoid a costly fine. 

Read this article to find out more about HIPAA compliance tools, risk assessment costs and benefits as well as a handy checklist and template. 

HIPAA Compliance Risk Assessment Benefits

There are so many benefits to being HIPAA compliant at your practice or medical center. The main importance of HIPAA is that it protects patients. Patients have little control of what happens with their ePHI. When medical centers are HIPAA compliant, patients feel better about providing information. These include:

  • Promotes the idea that protecting patient information is just as important as protecting patient health
  • Sets standards for security and privacy in healthcare
  • Reduces liability for organizations and staff
  • Encourages the production of new security technology
  • Reduces errors
  • Increases patient trust and satisfaction

Risk Assessment Cost

While HIPAA audits may be pricey, they are worth it to avoid even pricier fines. There are different kinds of HIPAA risk assessment audits, each with different price points. Here are the most common:

  • Full HIPAA Audit: these will check HIPAA compliance to ensure that you are following requirements. 
  • Gap Assessment: this assessment will check for threats and vulnerabilities in your current system.
  • HITECH Assessment: these specifically assess your HITECH Subtitle D compliance.
  • Security and Privacy Audits: this type of audit will check the safeguards of your security and privacy systems. 

Each of these audits typically range from $20,000 to $60,000. There are companies who will complete more comprehensive audits for higher prices. These will be between $60,000 to $120,000. Risk assessments may constitute a large chunk of a medical center’s budget, but it is completely necessary to avoid security breaches and even larger losses. 

Risk Assessment Template

When completing a risk assessment, it is important to include all elements to ensure that you comprehensively check your systems. Here are the components that you should include in your risk assessment template and questions you can ask yourself as you go along:

  • Assess security measures: test current security measures by running them through audits and exercises. 
  • Data collection: you will want to collect and compile data from audits and tests to include in your risk assessment.
    • Did you pass/fail?
  • Identification of threats and vulnerabilities: doing this helps you write a HIPAA policy continuity plan later on in the process where you can address solutions to vulnerabilities. 
    • How can your health system security improve?
    • What information is most at risk? Financial information? Health records?
  • Determine probability of threats: it is important to include how probable it is that protected health information could be stolen or attacked in your HIPAA risk assessment.
    • Are you a small or large practice/healthcare center? 
    • Are you located in a rural or urban area?
    • How well-known is your healthcare center?
  • Determine impacts of threats: when determining the probability of threats, you should also try to determine how badly these possible threats could affect you and your patients.
    • If your healthcare system is attacked, how much money could you lose?
    • How many patients would be negatively impacted?
  • Documentation of all audits and plans: as you go through audits and assessments or create plans and policies, make sure you document them all in your HIPAA risk assessment report

Continue reading for a comprehensive HIPAA risk assessment checklist.

HIPAA Risk Assessment Checklist

If you are unsure of where to start assessing your practice for risk, take a look at this checklist which has been adapted from the HIPAA Compliance Checklist

  • Complete and keep documentation for the following required annual audits and assessments.
    • Security Standards
    • Asset and Device
    • Physical Site
    • Security Risk
    • Privacy 
    • HITECH Subtitle D
  • Identify vulnerabilities and issues uncovered by the above assessments.
  • Create and document remediation plans that will address issues.
  • Conduct annual staff member HIPAA training.
  • Ask employees to complete security awareness training.
  • Create emergency plans.
    • Ensure that all ePHI are being backed up.
    • Test the emergency plans.
  • Assess ePHI encryption.
  • Monitor access of ePHI logs.
  • Develop policies regarding secure disposal of protected records.
  • Develop policies of secure patient access to protected health records.
  • Create a Notice of Privacy Practices.
  • Identify all business partners and vendors.
  • Develop plans for security breaches. 

HIPAA Compliant Management Tools

There are many HIPAA compliant management tools that you can use to take your practice to the next level. One of these is DocClocker. DocClocker is a waiting room management program that increases the efficiency and productivity of doctors offices. Here are some of the useful services that DocClocker provides:

  • Remote check-in
  • Real-time wait times
  • Automated messages
  • Online appointment booking
  • DOC-OR: Operating room updates
  • Patient notes
  • Reviewing platform
  • Doctor locator and profile creator

Go to to learn more. 


Tags: Digital healthcare, Healthcare news, Medical health, Healthcare app, Medical app, Digital medical

Joy Youell

Written by Joy Youell

Joy Youell writes about IT healthcare, digital medical innovations and improving patient experiences for DocClocker.