Performing a Risk Assessment

Getting Started with Your Risk Assessment

So, you're ready to begin. Start by gathering everything you need to perform a risk assessment:

Step 1. Assemble the HIPAA Risk Assessment team

  • Privacy / Security Officer / Office Manager / Practice Administrator

  • IT Staff member

  • CEO / Physician / Practice Owner

Step 2. Gather, review, and become familiar with existing policies, processes, and procedures pertaining to HIPAA and Information Security / Privacy

Step 3. Create an inventory of Software, Hardware, Business Associates (and their contracts), Physical Records, and Facilities

Step 4. Document the HIPAA Risk Assessment program

  • Project Plan

  • Policies, Processes, Procedures

  • Training

  • Resources

  • Personnel

  • Reports

Step 5. Perform the HIPAA IT Risk Analysis and prepare the associated Mitigation Plans

  • Software

  • Hardware

  • Physical Records

  • Facilities

  • Business Associates

Step 6. Perform the HIPAA Security Controls Assessment

  • Administrative

  • Technical

  • Physical

Step 7. Perform the HIPAA Privacy Controls Assessment

  • General Authorization

  • Uses and Disclosure

  • Administration of Policies and Procedures