Does Your HIPAA Risk Analysis Tool Protect Your Practice?

Fourth quarter signifies more than a countdown to the holidays: many healthcare organizations are met with the realization that it is time to complete a HIPAA risk analysis in order to comply with MACRA – MIPS. Of course, HIPAA risk analyses are nothing new; practices should be conducting them regularly, in light of the HIPAA Omnibus Rule, which gave teeth to the regulations and made an annual HIPAA risk analysis a requirement for every healthcare organization.

Recently, I was reading a blog post by HIPAA One called “Not All Risk Analysis Tools Created Equal” and it made me think about the requirements for a bona fide risk analysis. I realize that HIPAA One provides a risk analysis solution and therefore approaches the conversation as a vendor would; however, they are also deeply embedded in the HIPAA risk assessment world and have a unique understanding of what’s happening.

I’ve seen first-hand the principle they describe in the post with many medical practices. Most medical practices are so overwhelmed with the daily grind of dealing with staff issues, schedules, billing, supplies, etc., that it’s hard for them to distinguish between a high-quality risk analysis tool and one that was built three years ago and hasn’t been updated since.

In HIPAA One’s blog post they offered a list of what you should look for in a HIPAA risk analysis solution, and I think this is a great starting point for any organization that needs a tool or is evaluating its existing tool:

  1. Industry-Certified Auditors on Staff – Verify the vendor has:
    1. Auditors who are certified professionals, such as CHPS, CISSP, HCISPP, CISA, etc. and
    2. Previous experience responding to AND PASSING government and private-sector audits.
  2. Compliance Gap-Assessment – This assessment determines whether your workplace meets each of the HIPAA requirements as selected by the Office for Civil Rights’ (OCR) HIPAA Audit Protocol.
  3. Mock-Audit – Put your money where your mouth is. If your workplace maintains HIPAA compliance, prove it with proper supporting documents and examples per the OCR’s HIPAA Audit Protocol.
  4. Risk Analysis – Bona fide security risk analysis which digs into any non-compliant areas, along with a calculation tool that rates each gap as low, medium or high risk to the organization using NIST-based methodologies (i.e. at minimum NIST 800-30 rev 1 and NIST 800-53 rev 4).
  5. Remediation Plan – This documented plan answers the question “Who will do what by when?” with regard to remediating gaps in compliance.
  6. Final Report – Key deliverable proving compliance with HIPAA security risk analysis.
  7. Ongoing Tracking – Track the resolution of those gaps in compliance by proving due diligence in the event of an audit.
  8. Periodic Re-evaluation – Each year take a new “snapshot” performing steps 2-6 on any changes that happened from the previous year.

The item on this list that I see fall short in many solutions and services on the market today is the remediation plan. It’s amazing how many tools only account for a risk analysis and do not provide any guidance on creating remediation plans for the risks you find. That’s a big deal and could leave you in trouble if your practice is ever audited and hasn’t remediated any of its security deficiencies.

The good news is that HIPAA risk analysis tools have come a long way over the years. Much as you need to make sure EHR vendors are updating and improving their systems to meet your needs and comply with changes in government regulations, the same is true of HIPAA risk analysis tools. Make sure you take the time needed to ensure the quality of the tools and services you’re using. Ignorance is not bliss when a HIPAA audit occurs.

Note: HIPAA One is a Healthcare Scene sponsor.

About the author

John Lynn

John Lynn is the Founder of the, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first-of-its-kind conference and community focused on healthcare marketing, the Healthcare and IT Marketing Conference, and a healthcare IT conference focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.


  • As I do HIPAA security risk assessment I have to say that these assessments get 0% weight on the MACRA/MIPS scale. They’re a check-off and carry no urgency. Add this to the already financially encumbering amount of regulations and data collection that single and small practices have to do to get Medicare funds for caring for patients. I’m not against risk assessments; they are essential to protect patient health information. But the essential doesn’t reverberate all along the lines of the compliance ladder. It would be similar to having your car inspected yearly, having the mechanic shove a hose in the exhaust pipe, wait 30 seconds and hand you a spanking new inspection sticker. That sounds wonderful until your brakes fail and your tires fall off. I’m not suggesting increasing penalties; being violated and having your data marketed by thieves is penalty aplenty, unless the practice is CARELESS. Given the criteria above, what’s a reasonable market price for all that alphabetic talent when the risk assessment is a 0 in MACRA/MIPS?

  • Barry,
    I’ve found that people are doing the risk assessment because of MACRA/MIPS, but I agree that those regulations don’t push them to do a proper risk assessment. I’m arguing here that just doing a half-baked one using a bad tool is a really bad idea for your practice and will come back to bite you. As they say, an ounce of prevention is much cheaper than paying the penalties later.

  • John, they do the SRA because it is a component of MACRA/MIPS. My question is, if the assigned weight of the SRA is 0 and the tool is < 0, why should a practice go and conduct a full-scale assessment or audit? As you state, and I agree, it's an ounce of prevention, but I would argue that prevention is on-going and there is no incentive for a single doctor, doing their own IT, to work prevention in full. An annual risk assessment may be required as the letter of the law; I would like to see more spirit.
