CMS’ HIPAA Risk Analysis Myths and Truths

I’ve been writing about the need to do a HIPAA Risk Assessment since it was included as part of meaningful use. Many organizations have been really confused by this requirement, and no doubt it will be an issue for many organizations that get a meaningful use audit. It’s a little ironic, since this isn’t anything that wasn’t already required by the HIPAA Security Rule. Then again, that illustrates how well we’re doing at complying with the HIPAA Security Rule.

It seems that CMS has taken note of this confusion around the HIPAA risk assessment as well. Today, they sent out more guidance, tools and resources to help organizations better understand the Security Risk Analysis requirement. Here’s the portion of that email that provides the important clarification:

A security risk analysis needs to be conducted or reviewed during each program year for Stage 1 and Stage 2. These steps may be completed outside OR during the EHR reporting period timeframe, but must take place no earlier than the start of the reporting year and no later than the end of the reporting year.

For example, an eligible professional who is reporting for a 90-day EHR reporting period in 2014 may complete the appropriate security risk analysis requirements outside of this 90-day period as long as it is completed between January 1st and December 31st in 2014. For more information, read this FAQ.

Please note:
*Conducting a security risk analysis is required when certified EHR technology is adopted in the first reporting year.
*In subsequent reporting years, or when changes to the practice or electronic systems occur, a review must be conducted.

CMS also created this Security Risk Analysis Tipsheet that has a lot of good information including these myths and facts which address many of the issues I’ve seen and heard:
CMS HIPAA Security Risk Analysis Myths and Facts

Finally, it’s worth reminding people that the HIPAA Security Risk Analysis is not just for your technical systems; the Security Rule also covers administrative and physical safeguards. Check out this overview of security areas and example measures to secure them to see what I mean:
CMS HIPAA Security Risk Analysis Overview

Have you done your HIPAA Risk Assessment for your organization?

About the author

John Lynn

John Lynn is the Founder of the, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference,, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.


  • Hi John.

    Thanks for a great post. This is a great summary and provides quick reference to a lot of important information. I forwarded it to the pertinent folks in our network because I thought it would be a good refresher.


  • Thanks Kalan. Glad you found it useful. I found the myths and facts answered a lot of questions I had and confirmed many of the answers to things I’d heard. I appreciate you sharing it.

  • In a world where HIPAA confusion abounds, John leads the industry in taking complex concepts and distilling the information into simple and easy to understand ideas that can be put into practice by any provider. What a wealth of information!

    Keep up the good work!

  • Thanks Bobby. I appreciate the kind words. We do what we can to contribute to the conversation. Although, I can’t take too much credit for the above. I just found it and shared. Thanks to CMS for providing something that’s simple.

  • Like taxes, financials and proof reading your term papers, you generally want a “fresh set of eyes” to accomplish your risk assessment.

    “Of course you’d say this, John, this is what you do…”.

    True, but if 80% + of the practices I looked at got it right…heck, even got close to understanding what they need to do, I’d agree.

    Think about it for a moment:
    You are piling all of your PHI into one place. One screw-up could actually fine you out of business. Most of your staff are so uninformed about safe computer use, it’ll make your hair hurt.

    Computer security has become a big thing for you now.

    I’d also like to point out this:
    “In subsequent reporting years, or when changes to the practice or electronic systems occur, a review must be conducted.”
    is NOT an excuse to skip risk assessments.

    You’d be hard pressed to argue with an HHS auditor that you had zero changes to your EHR or computer system over a year’s period.
