Datica Blog

Assessment Series: HIPAA Risk Assessment

Travis Good, MD

Co-founder, CEO & Chief Privacy Officer

June 9, 2015   Company

All organizations responsible for PHI, including hosting providers like Datica, are required to conduct a HIPAA risk assessment as the first step toward implementing the safeguards stipulated in the HIPAA Security Rule by the Department of Health and Human Services, and ultimately attaining true HIPAA compliance.

So what does a HIPAA Risk Assessment require?

The Department of Health and Human Services has defined nine required elements of a HIPAA risk assessment that every healthcare and healthcare-related organization that stores or shares ePHI must include in its assessment document:

  1. Assessment Scope - Inclusive of any and all potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Organizations should include all electronic media in use, such as portable devices, networks, and desktops. If there are multiple sites, it is important to include the network security between them in the scope; this includes your hosting arrangements with third parties or business associates.

  2. Data Reserve - Where is the data being stored, collected, maintained or transmitted?

  3. Identify and Document Potential Threats and Vulnerabilities - Anticipating future HIPAA violations helps your organization resolve them rapidly and effectively.

  4. Evaluate Existing Security Measures - This includes any encryption, two-factor authentication, and all other security controls that your HIPAA hosting provider has put in place.

  5. Evaluate the Likelihood of a Risk Occurring - Together with #3, this estimates the probability of an ePHI breach.

  6. Evaluate the Impact a Risk Occurrence Could Have - Assess how many people could be affected and the type of PHI that could be exposed, including health information and billing information.

  7. Assess the Level of Risk - The Department of Health and Human Services recommends combining #5 and #6 to establish the level of risk. When documenting these risk levels, accompany each with a list of the actions that would be taken to mitigate it.

  8. Prepare Documentation - No particular documentation format is prescribed, but the assessment must be in writing.

  9. Regular Reviews and Updates to the HIPAA Risk Assessment - It is crucial that the assessment is ongoing. It is recommended that a new assessment be performed whenever new processes, technologies, or operations are introduced into an organization.

Curious how we at Datica do our HIPAA Risk Assessment?

Check out our Datica HIPAA Docs for further detail on how we ensure HIPAA compliance.
