HIPAA Security Risk Assessment

Protecting electronic protected health information (e-PHI) from data breach, theft, and misuse has never been more essential.

The Administrative Safeguards of the HIPAA Security Rule require covered entities and their business associates to conduct a periodic risk analysis as part of their security management program. Specifically, Section 164.308(ii)(A) reads as follows:

Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.

While no specific timeframes are mandated, the intent of the requirement is that risk analysis should be an ongoing process in which the covered entity or business associate periodically evaluates the effectiveness of existing security measures and regularly reviews potential risks to e-PHI. It has become generally accepted practice to perform HIPAA security risk assessments on an annual basis.

Our process.

When conducting a HIPAA security risk assessment, Agio performs an initial “gap analysis” between our client’s current state and the requirements in the HIPAA Security Rule. This process includes an evaluation of all controls including policies, procedures, and technical safeguards.

Our comprehensive HIPAA security risk assessment also identifies existing vulnerabilities in the IT infrastructure, including physical access levels by personnel and third-party vendors. Potential threats to the confidentiality and integrity of e-PHI, as well as to the access and availability of systems, applications, devices, and databases will be enumerated and evaluated. While not explicitly required, we believe a comprehensive penetration test should be conducted to identify risks and effectively validate controls.

The risk analysis includes:

We evaluate the likelihood and impact of potential risks to e-PHI.

We recommend appropriate security measures to address the risks identified.

Corrective Action Plan

We document the recommended security measures and the rationale for adopting those measures.

Security Protections

We determine the reasonable and appropriate security protections that need to be implemented, continuously maintained, and regularly reviewed.
