Top 10 Myths of HIPAA Security Risk Analysis



Fact or False is a great way to understand the Security Risk Analysis.  These top ten myths can be found on the website.

The Risk Analysis is the first requirement of the Security Rule, and in many respects, is also the most important. The Risk Analysis is essential to identifying compliance gaps and vulnerabilities. A proper Risk Analysis examines the IT environment and assesses compliance, including implementation of proper HIPAA policies and procedures.

The Risk Analysis should produce a remediation report, which provides detailed guidance on actions the organization can take to close compliance gaps and vulnerabilities. In essence, the Risk Analysis ensures that the other requirements of the Security Rule are satisfied.

Although it is not a requirement, the government advises that doing a thorough and professional risk assessment that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional.

Top Ten Myths

Any reference to an EHR vendor refers to your practice management software and its patient files (Dentrix, Eaglesoft, etc.).

1. The security risk analysis is optional for small providers

False. All providers who are “covered entities” under HIPAA are required to perform a risk analysis. In addition, all providers who want to receive EHR incentive payments must conduct a risk analysis.

2. Simply installing a certified EHR fulfills the security risk analysis Meaningful Use (MU) requirement

False. Even with a certified EHR, you must perform a full security risk analysis. Security requirements address all electronic protected health information you maintain, not just what is in your EHR.

3. My EHR vendor took care of everything I need to do about privacy and security.

False. Your EHR vendor may be able to provide information, assistance, and training on the privacy and security aspects of the EHR product. However, EHR vendors are not responsible for making their products compliant with HIPAA Privacy and Security Rules. It is solely your responsibility to have a complete risk analysis conducted.

4. I have to outsource the security risk analysis.

False. It is possible for small practices to do risk analysis themselves using self-help tools. However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional.

5. A checklist will suffice for the risk analysis requirement.

False. Checklists can be useful tools, especially when starting a risk analysis, but they fall short of performing a systematic security risk analysis or documenting that one has been performed.

6. There is a specific risk analysis method that I must follow.

False. A risk analysis can be performed in countless ways. OCR has issued Guidance on Risk Analysis Requirements of the Security Rule. This guidance assists organizations in identifying and implementing the most effective and appropriate safeguards to secure e-PHI.

7. My security risk analysis only needs to look at my EHR.

False. Review all electronic devices that store, capture, or modify electronic protected health information. Include your EHR hardware and software and devices that can access your EHR data (e.g., your tablet computer, your practice manager’s mobile phone). Remember that copiers also store data. Please see U.S. Department of Health and Human Services (HHS) guidance on remote use.

8. I only need to do a risk analysis once.

False. To comply with HIPAA, you must continue to review, correct or modify, and update security protections. For more on reassessing your security practices, please see "Reassessing Your Security Practice in a Health IT Environment."

9. Before I attest for an EHR incentive program, I must fully mitigate all risks.

False. The EHR incentive program requires correcting any deficiencies (identified during the risk analysis) during the reporting period, as part of its risk management process.

10. Each year, I’ll have to completely redo my security risk analysis.

False. Perform the full security risk analysis as you adopt an EHR. Each year, or when changes to your practice or electronic systems occur, review and update the prior analysis for changes in risks. Under the Meaningful Use Programs, reviews are required for each EHR reporting period. For eligible professionals (EPs), the EHR reporting period will be 90 days or a full calendar year, depending on the EP’s year of participation in the program.

Your Practice is at Risk!

It is expected that random HIPAA audits will continue in 2017, along with audits of your practice’s business associates and your required agreements with them. The Office for Civil Rights (OCR) has indicated that SOME of the key questions they will be auditing include the following:

  • Has your practice appointed HIPAA Privacy and Security Officers?
  • Has your practice updated Policies and Procedures and properly trained employees?
  • Has your practice taken the mandatory 2017 HIPAA Risk Assessment?
  • Does your practice have updated Business Associate Agreements in place?

If you have not yet enrolled in the T2 Consulting approved program, 2017 is a good time to consider it. With the increasing rate of cyber-attacks specifically targeting the healthcare industry, T2 Consulting is concerned that many clients are not taking the proper precautions, and are unaware that the government strengthened its ability to enforce the law with fines reaching up to $50,000 per violation with a maximum $1.5 million annual penalty.

Every T2 Consulting Client will get a complimentary HIPAA Risk Assessment (a $599 value). You can take the Risk Assessment online and immediately receive your risk score with no further obligation. T2 Consulting encourages you to take 10 minutes as soon as possible to complete the Risk Assessment at You’ll receive a 23-page Risk Analysis, and a 30-minute consultation that you can schedule online once you complete the assessment.


 Ted Takahashi

"Thank you for visiting the website. You are encouraged to use this site as an honest resource for your technology. I'm someone who can help you!"  

Ted Takahashi
Phone: 952.261.9205