The HIPAA Security Final Rule requires that all Covered Entities and Business Associates (and, likely soon, their subcontractors) complete a Risk Analysis. The risk analysis requirement is specified in 45 C.F.R. § 164.308(a)(1)(ii)(A) Risk Analysis and is known as an Implementation Specification. Risk Analysis is one of four Implementation Specifications that are part of the Standard known as Security Management Process…

A HIPAA Risk Analysis is not to be confused with a HIPAA Security Evaluation (45 C.F.R. § 164.308(a)(8))!  We explained the difference in a prior post.

Risk Analysis Requirements under the Security Rule

The Security Management Process standard in the Security Rule requires organizations to “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” (45 C.F.R. § 164.308(a)(1).) Risk analysis is one of four required implementation specifications that provide instructions to implement the Security Management Process standard. Section 164.308(a)(1)(ii)(A) states:

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].

In addition to an express requirement to conduct a risk analysis, the Rule indicates that risk analysis is a necessary tool in reaching substantial compliance with many other standards and implementation specifications.  We have assembled many useful documents, tools and resources related to Risk Analysis on our site at: Please feel free to use and enjoy them!

Contact us for more information or to learn about a tailored Clearwater HIPAA Audit Prep WorkShop™ or the Clearwater HIPAA Audit Prep BootCamp™ series.

Please avail yourself of any of these free resources which you may access now by clicking on the links below:


Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.