Risk analysis and management is a core section of the HIPAA Privacy and Security Rules. It involves both an initial assessment to categorize and determine risk and ongoing analysis to track how risks and environments have changed and whether current policies are still appropriate.

The Risk Assessment is important because it establishes a baseline of compliance within an organization and documents the starting point. By looking at every requirement of HIPAA, you can note where there are gaps in your organization. Policies and procedures can then be drafted that address these gaps. Further, periodic analysis can track these concerns and ensure that your practice is making progress on addressing them or closing the gaps entirely. Beyond tracking compliance, a periodic assessment is vital because the environment around your healthcare practice is always changing. Technology advances swiftly, but even your physical environment might change with a move to a new building, the construction of an extension, a change in building security, or simply moving a desk. All of these things could affect the physical safeguards your organization needs to protect PHI and ePHI.

Never carrying out a risk assessment is a direct violation of HIPAA and has been the basis for levied fines, but even waiting too long between analyses can cause problems. For instance, over a period of three years, operating systems can leave active support, hardware can become compromised, entire software companies can be bought, sold or closed, new technology can be implemented and old technology made obsolete. What was compliant at the last analysis could be woefully negligent now, and ignorance does not excuse a violation.

Healthcare Technology Advisors recommends a yearly risk assessment, carried out by an impartial third party. This way, ongoing security concerns can be tracked and improved while new gaps are documented and addressed. HTA offers security risk analysis services if your practice is in need of one.