The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires this assessment annually as a condition of compliance, and for good reason. It evaluates the organizational risk associated with the security of ePHI (electronic Protected Health Information), and it informs the prioritization of investments so that they reduce that risk as much as possible.
While the US Department of Health & Human Services does not prescribe a particular methodology for an approved risk assessment, it does state a clear objective: to identify potential risks and vulnerabilities to the confidentiality, availability and integrity of all PHI that an organization creates, receives, maintains or transmits. Because the HIPAA Risk Assessment itself is so loosely prescribed, it is tempting to take an approach that simply “checks the boxes” and call it good. But healthcare is a favored target of bad actors chasing lucrative ePHI, and the penalties are stiff when a breached organization is deemed non-compliant because it “Did Not Know” or showed “Willful Neglect,” so a more thoughtful approach is the way to go.