The Importance of Conducting a HIPAA Risk Assessment


Conducting HIPAA risk assessments is more important than ever. As a health system, you are responsible for protecting your organization’s information as well as the information of the patients you serve. It is increasingly important for organizations to be aware of the potential risks, know the questions to ask, and have appropriate solutions to any information security challenges.


It is important to stay up-to-date on the types of HIPAA security risks your organization is facing in order to minimize the potential for:

  • Increased exposure to data breaches and data loss
  • Greater risk of downtime due to security incidents
  • Monetary and civil penalties
  • Meaningful Use funding penalties

The civil penalty structure is tiered, based on the knowledge a covered entity had of the violation. The OCR sets the penalty based on a number of “general factors” and the seriousness of the HIPAA violation.

In addition to civil financial penalties, a HIPAA violation can result in criminal charges being filed against the individual(s) responsible for a breach of PHI. Criminal penalties for HIPAA violations are divided into three separate tiers, with the term – and an accompanying fine – decided by a judge based on the facts of each individual case.

Ignorance of HIPAA Rules is no excuse for a rule violation. In cases with willful neglect of HIPAA Rules, the maximum fines apply.


Here are the questions you can ask to determine if your organization needs a HIPAA Risk Assessment.

  • When was your last annual risk analysis performed? (The HIPAA law requires one risk assessment annually.)
  • Do all of my systems require a password?
  • Do all of my systems require users to reset their password every 90-120 days?
  • Do my systems timeout after a certain amount of time of inactivity?
  • Are all of my laptops encrypted?
  • Do I have a Business Associate Agreement with every vendor that might access ePHI? Can I find them?
  • Do all new employees go through HIPAA training?
  • Are all of my PCs patched?

If you don’t know the answer, you need a HIPAA Risk Assessment.


Working with a third party on a HIPAA risk assessment can ensure that your organization is compliant with the latest standards and your patients’ records are kept safe. QHR provides the following benefits to help health systems achieve compliance and keep patient records safe:

  • Up to 20 hours of interview sessions with key staff on-site
  • Independent third party to review your environment
  • Review of all HIPAA IT Security Policies and Procedures
  • Gap Analysis of policies and actual performance
  • A thorough assessment of the IT security configuration at the hospital and connected facilities
  • A software tool that searches devices for vulnerabilities
  • HIPAA IT Risk Assessment document, including results of a network penetration and vulnerability test, meeting the requirements of the HITECH Act and Meaningful Use requirements
  • Three quarterly updates, including up to two hours of off-site technical review per quarter

Learn more about QHR’s approach to HIPAA IT Security Risk Assessment service.