THE 5-STEP HIPAA RISK ANALYSIS
The foundation of your patient security strategy

STEP 1: Define scope by defining protected health information (PHI) flow
  - Identify where PHI enters your environment.
  - Identify what happens to PHI as it resides in your environment.
  - Identify what happens to PHI when it leaves your environment.

STEP 2: Identify vulnerabilities, threats, and risks to your patient data
  - Identify vulnerabilities (flaws in components, procedures, design, implementation).
  - Identify threats (potential for a person or thing to trigger a vulnerability).
  - Identify risks (combination of threats + vulnerabilities that could impact your organization).

STEP 3: Analyze HIPAA risk level and potential impact to your organization
  - Determine likelihood of risk occurring at your organization.
  - Determine potential impact to your organization.
  - Assign each vulnerability and associated threat a high, medium, or low risk level.

STEP 4: Identify top security measures based on top HIPAA risks
  - Look at your top-ranked risks.
  - Identify the security measures that fix each problem.
  - Implement security measures.

STEP 5: Rinse and repeat
  - After identifying top-ranked risks, repeat step 4 for medium and low risks.
  - Document steps 1-4 to prove you've completed a thorough HIPAA risk analysis.
  - That's how to conduct a HIPAA risk analysis! Repeat this process periodically (at least annually).

Need help with your HIPAA risk analysis?
HIPAA@securitymetrics.com | 877.364.9183
© 2015 SecurityMetrics
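As an added example (not part of the SecurityMetrics infographic), the Python below keeps a small risk register that walks the five steps: each entry records the PHI stage from step 1, the vulnerability/threat pair from step 2, the likelihood and impact from step 3, and the measures from step 4; the record function produces the step 5 documentation and the next review date. The page only calls for a high/medium/low rating, so the 1-3 scales, the likelihood x impact score with its cut-offs, the 365-day review interval and the sample register entries are all constructed assumptions.

```python
"""Risk register for a HIPAA-style risk analysis.

Added example, not SecurityMetrics' own material. The 1-3 scales, the
product-based bucketing and the sample entries are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List

# Constructed scales (assumption): 1 = low, 2 = medium, 3 = high.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Risk:
    """One step 2 entry: a threat paired with the vulnerability it could trigger."""
    phi_stage: str          # step 1: "enters", "resides" or "leaves"
    vulnerability: str      # flaw in a component, procedure, design or implementation
    threat: str             # person or thing that could trigger the vulnerability
    likelihood: str         # step 3 input, "low" / "medium" / "high"
    impact: str             # step 3 input, "low" / "medium" / "high"
    measures: List[str] = field(default_factory=list)  # step 4: controls that fix it

    def score(self) -> int:
        """Step 3: likelihood x impact on the constructed 1-3 scales (range 1..9)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def level(self) -> str:
        """Step 3: bucket the score into the page's high/medium/low levels (cut-offs assumed)."""
        s = self.score()
        if s >= 6:
            return "high"
        if s >= 3:
            return "medium"
        return "low"


def rank_risks(register: List[Risk]) -> List[Risk]:
    """Order the register highest risk first; ties keep input order (stable sort)."""
    return sorted(register, key=lambda r: r.score(), reverse=True)


def risks_at_level(register: List[Risk], level: str) -> List[Risk]:
    """Steps 4 and 5: select the band being worked on (high first, then medium, then low)."""
    return [r for r in rank_risks(register) if r.level() == level]


def unmitigated(register: List[Risk]) -> List[Risk]:
    """Step 4 gap check: risks that still have no security measure assigned."""
    return [r for r in register if not r.measures]


def analysis_record(register: List[Risk], performed_on: str) -> Dict:
    """Step 5: document steps 1-4 and when the next (at least annual) analysis is due."""
    done = date.fromisoformat(performed_on)
    return {
        "performed_on": done.isoformat(),
        "next_review_due": (done + timedelta(days=365)).isoformat(),  # interval assumed
        "counts": {lvl: len(risks_at_level(register, lvl)) for lvl in ("high", "medium", "low")},
        "ranked": [(r.level(), r.score(), r.phi_stage, r.vulnerability, r.threat, r.measures)
                   for r in rank_risks(register)],
        "unmitigated": [r.vulnerability for r in unmitigated(register)],
    }


# Constructed sample register (assumption, not from the page).
SAMPLE_REGISTER = [
    Risk("enters", "Patient intake forms faxed to a shared, unattended printer",
         "Visitor reads or removes printed PHI", "medium", "medium",
         ["Move fax to a staffed area", "Enable secure print release"]),
    Risk("resides", "EHR workstations share one generic login",
         "Staff member views records outside their role", "high", "high",
         ["Unique user IDs", "Role-based access", "Audit log review"]),
    Risk("leaves", "Lab results emailed to referring physicians unencrypted",
         "Message read in transit", "medium", "high",
         ["Encrypt email or use a secure portal"]),
    Risk("resides", "Backup tapes stored on-site only",
         "Fire destroys primary and backup data", "low", "high", []),
    Risk("leaves", "Old workstations donated without disk wipe",
         "Recipient recovers PHI from the drive", "low", "low",
         ["Media sanitization before disposal"]),
]


if __name__ == "__main__":
    record = analysis_record(SAMPLE_REGISTER, "2015-06-01")
    for level, score, stage, vuln, threat, measures in record["ranked"]:
        print(f"{level:6} {score} [{stage}] {vuln} <- {threat}; measures: {measures or 'NONE'}")
    print("counts:", record["counts"], "next review:", record["next_review_due"])
```

Working the register highest score first mirrors step 4; the `unmitigated` check catches the gap the page warns about in step 5, where medium and low risks are easy to leave without a measure.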