What are HIPAA Compliance Risk Assessments?

HIPAA risk assessments are documented evaluations used to identify and address risks to protected health information. Two are required by regulation: the risk analysis that the HIPAA Security Rule requires for electronic protected health information, and the assessment that the HIPAA Breach Notification Rule requires to determine whether an impermissible use or disclosure of unsecured protected health information constitutes a reportable breach.

The HIPAA Security Rule risk analysis is an administrative safeguard that requires a Covered Entity or Business Associate to assess potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held in its environment. The assessment should inventory where electronic protected health information is created, received, maintained, or transmitted and map the systems, devices, applications, networks, and workforce workflows involved. The risk analysis should evaluate reasonably anticipated threats, existing security measures, and the likelihood and potential impact of adverse events, including unauthorized access, malware, misconfiguration, device loss, improper disposal, and service provider failures. The output should support a risk management plan with documented remediation actions, assigned responsibility, and timelines, and it should be updated when there are material changes to technology, operations, or threats.

A separate risk assessment is required under the HIPAA Breach Notification Rule when an impermissible use or disclosure of protected health information is identified. This assessment evaluates whether there is a low probability that the protected health information has been compromised by considering specified factors: the nature and extent of the protected health information involved, the identity of the unauthorized person who used or received the information, whether the information was actually acquired or viewed, and the extent to which the risk has been mitigated. If the assessment determines that a breach of unsecured protected health information occurred, notification duties apply to Covered Entities and Business Associates under the HIPAA Breach Notification Rule, and the documentation should support both the determination and any notifications issued.

The term risk assessment is also used in HIPAA Privacy Rule operations to support safeguards and compliance documentation, but the HIPAA Security Rule risk analysis and the HIPAA Breach Notification Rule assessment are distinct activities with different triggers and outputs. Security risk analysis supports ongoing safeguard selection and implementation across systems and workflows that handle electronic protected health information. Breach assessment supports incident decision-making after an impermissible use or disclosure and should be integrated into incident response procedures, workforce training, and vendor reporting processes.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years' experience in writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA