We sometimes refer to a real HIPAA Security Risk Analysis as getting into the “trees and weeds”.  With a rigorous Security Risk Analysis and Management Methodology, it is easy to be swallowed up in these details.  Here’s today’s big tip – Keep an eye on the Big Picture.  Don’t lose sight of your business risk management goals.  Here’s how…


Remember the “problem you’re trying to solve”:  What are my exposures? (i.e., what bad things can happen?) AND, what must I do to mitigate or eliminate them?

A good Security Risk Analysis and Management Methodology can be used by organizations of all sizes and should be purposefully designed to be usable by the largest CEs and BAs (e.g., hospitals, insurers, long term care facilities, care management firms, etc.) as well as the smallest CEs and BAs (e.g., small medical practices, clinics, dental offices, medical billing companies, etc.).

Risk management is not about drumming up 100 reasons to spend $1 million on security!  Real risk management is about facilitating informed decision making so that leaders and executives can choose to either: 1) spend money to mitigate the risks; 2) transfer the risks by way of insurance or, in some cases, outsourcing; or, 3) accept the risks.

From a very practical perspective, what one ultimately seeks to develop by completing a risk analysis is a prioritized list of security risks or exposures that will facilitate informed decision-making.  The classic formula for calculating the level of risk is:

Risk = Impact * Likelihood 

While terms like risk, impact, likelihood, threats, vulnerabilities and many others come into play, a classic categorization of risks is shown in the following matrix.  A good risk analysis process helps you determine your risks, categorize them as Low, Medium, High or Critical, and then develop a risk remediation action plan to address those risks in priority order… or accept them.
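As an added example (not from the original post), here is how the Risk = Impact * Likelihood formula and the Low/Medium/High/Critical buckets turn a risk register into the prioritized list the post describes. The 1-5 ordinal scales, the bucket thresholds and the register entries are constructed assumptions, since the post itself does not give them:

```python
# Added example, not code from the original post. Scores a small constructed
# HIPAA risk register with Risk = Impact * Likelihood, buckets each entry into
# Low/Medium/High/Critical, and returns the prioritized list that leaders then
# decide to mitigate, transfer or accept.
from dataclasses import dataclass

# Assumed bucket thresholds (score floor, level name); the post shows no numbers.
LEVELS = [(20, "Critical"), (12, "High"), (6, "Medium"), (0, "Low")]


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    impact: int      # assumed 1 (negligible) .. 5 (severe)
    likelihood: int  # assumed 1 (rare) .. 5 (almost certain)

    def score(self) -> int:
        # Reject values off the scale so a typo cannot silently inflate or hide a risk.
        if not (1 <= self.impact <= 5 and 1 <= self.likelihood <= 5):
            raise ValueError("impact and likelihood must be on the 1-5 scale")
        return self.impact * self.likelihood

    def level(self) -> str:
        s = self.score()
        for floor, name in LEVELS:
            if s >= floor:
                return name
        return "Low"  # not reached: the floor of 0 catches every score


def prioritize(register):
    """Return risks highest score first; ties go to the higher-impact risk."""
    return sorted(register, key=lambda r: (r.score(), r.impact), reverse=True)


# Constructed sample register (illustrative entries, not a real assessment)
REGISTER = [
    Risk("Billing laptop", "Theft", "Unencrypted disk", impact=5, likelihood=4),
    Risk("EHR server", "Ransomware", "Unpatched OS", impact=5, likelihood=3),
    Risk("Fax line", "Misdirected PHI", "No cover sheet check", impact=2, likelihood=3),
    Risk("Workstations", "Insider browsing", "No access audit", impact=3, likelihood=2),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.level():8} {r.score():2}  {r.asset}: {r.threat} / {r.vulnerability}")
```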

A HIPAA Risk Analysis is not to be confused with a HIPAA Security Evaluation (45 C.F.R. § 164.308(a)(8))!  We explained the difference in a prior post.

In addition to an express requirement to conduct a risk analysis, the Rule indicates that risk analysis is a necessary tool in reaching substantial compliance with many other standards and implementation specifications.  We have assembled many useful documents, tools and resources related to Risk Analysis on our site at: http://clearwaterc.wpengine.com/hipaa-hitech-resources/hipaa-risk-analysis-resources/  Please feel free to use and enjoy them!

If you’d like to keep up to date on Risk Analysis or HIPAA-HITECH in general, please also consider (all optional!):

Contact us for more information or to learn about a tailored Clearwater HIPAA Audit Prep WorkShop™ or the Clearwater HIPAA Audit Prep BootCamp™ series.

Please avail yourself of any of these free resources which you may access now by clicking on the links below:


Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.