The HIPAA Security Rule Administrative Safeguards includes requirements that covered entities “implement policies and procedures to prevent, detect, contain and correct security violations.”

This standard requires both Risk Analysis and Risk Management. 

The Risk Analysis implementation specification requires covered entities to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.” 

The Risk Management requires an organization to essentially determine how to address security risks and vulnerabilities.

Both assist an organization’s management in developing protections for confidentiality, integrity, and availability of ePHI within the organization.

What to know about continuous HIPAA analysis

Risk Analysis as on ongoing process

The environment in which healthcare IT professionals support operations is ever changing. Cloud-based infrastructure is a steeply growing trend, replacing the model of having data centers onsite with rows of server racks taking up valuable space within a hospital.

Patient care is being delivered and electronically documented within a multitude of systems at the patient’s bedside rather than at a nurse’s station. The evolving world of healthcare and technologies that facilitate change introduce new risks and challenges that organizations must address. These risks must be assessed and managed to an acceptable level of tolerance.

Because the healthcare environment is a rapidly evolving industry, ongoing risk analysis is imperative in helping to reduce unnecessary risks and keeping data and resources protected against cybersecurity threats. As risks are identified throughout the ongoing analysis process, remediation efforts should be prioritized to maintain necessary protections over covered information.

Risk Management as a response to the analysis process

During the Risk Management process, potential solutions should be identified and selected to remediate identified risks. Maintenance of a risk register may help management stay focused on their organization’s overall cybersecurity risk profile. A risk register is essentially an inventory of risks identified throughout the ongoing Risk Analysis process.

Evaluation of security implementations

Under the HIPAA Security Rule, covered entities are required to “Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operations changes affecting the security of electronic protected health information, that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart [the Security Rule].”

The Evaluation process helps to determine if controls in place to protect ePHI are doing so effectively.

Utilizing service providers to evaluate security measures in place is an effective way to independently assess an organization’s security program.

Benefits of partnering with a security services firm to conduct evaluations


Security assessors within your selected security services firm will not have pre-determined opinions of your security program. Assessors are able to independently and objectively evaluate controls in place and determine their effectiveness in protecting sensitive information. This provides a greater level of confidence in the evaluation results.

Industry knowledge

Select a firm with a strong knowledge of the healthcare industry. Assessors of such firms will bring a wealth of knowledge and experience to be able to make reasonable recommendations to best fit your organization. Another benefit of leveraging industry experts is the knowledge-sharing they bring to the table. These firms work with a large variety of healthcare organizations and can share relevant solutions from organizations similar to yours.

Evaluation Efficiency

Security services firms who routinely evaluate controls within security programs are more efficient at the process. Assessors will have various tools and methods for testing controls within your environment and be able to do so very efficiently.

Evaluations are usually initiated with a documentation request list to build the assessor’s knowledge of your security programs policies and procedures in place. Test plans will be used to specifically evaluate your organization’s controls in place to address HIPAA Security requirements.

Following a HIPAA Security assessment performed by an experienced healthcare services firm, you should feel confident that the evaluation performed will meet the needs of other audits your organization may be subject to.