What is a HIPAA risk assessment?
The objective of a HIPAA risk assessment is to identify potential risks and vulnerabilities to the confidentiality, availability, and integrity of all protected health information (PHI) that an organization creates, receives, maintains, or transmits.
The U.S. Department of Health & Human Services (HHS) does not specify a particular risk analysis methodology because covered entities and business associates vary in size, complexity, and capabilities. To meet the objective of a HIPAA risk assessment, HHS suggests an organization should:
HIPAA risk assessments are not a one-time event; they require periodic reviews when introducing new technology or implementing new work practices.