The Health Insurance Portability and Accountability Act (HIPAA) requires every Covered Entity (CE) and each of its Business Associates (BA) that handles Protected Health Information (PHI) or electronic Protected Health Information (ePHI) to conduct an annual Risk Analysis.

Section 164.308(a)(1)(ii)(A) of the HIPAA Security Rule states:
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic Protected Health Information held by the [organization].

If you are not conducting an annual Security Risk Analysis (SRA), you are in violation of the HIPAA Security Rule and are subject to fines and penalties. Moreover, you remain unaware of the many vulnerabilities and weaknesses within your organization.

Examples include:

  • The software and applications containing ePHI that are in use: who has access, who monitors users, and is this data secure? (It is not if consumer services such as Dropbox or Google Calendar are used to hold it.)
  • Have new Business Associates been added, or have existing companies changed names? Have the Business Associate Agreements been updated and signed by both the CE and the BA?
  • Were old hard drives from computers, medical devices, and leased copiers properly disposed of? All of these will contain ePHI.
  • Are physical security measures in place for the server room and/or paper medical charts? Are there security cameras and alarm systems? Are back doors secured, or are they left unlocked?
  • Is HIPAA and Information Security training completed with ALL employees regularly, not just “once and done”? Is all training documented?

Security and compliance are first and foremost in the management of our clients' systems. After conducting thousands of SRAs, we saw the same vulnerabilities emerge again and again. We launched HIPAA Tip Tuesday to make clients aware of the actions they can take to address these vulnerabilities.

Have a great week!