How to Comply with the HIPAA Security Rule Risk Assessment Requirement

5 Things to do in Response to OSHA’s COVID-19 ETS Now That It Is Stayed
November 11, 2021
December 3, 2021

A compliance review of a covered health provider by the Office for Civil Rights (OCR)* found systemic noncompliance with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, including failures to conduct an enterprise-wide risk analysis, implement risk management and audit controls, and maintain documentation of HIPAA Security Rule policies and procedures.  This resulted in a $25,000 penalty and a robust corrective action plan that included three years of compliance monitoring. The failure to implement basic Security Rule requirements makes HIPAA-regulated entities targets for malicious activity and puts at risk patients’ electronic health information.

With the acceleration of the use of technology in the delivery of health services, including dentistry services, the HIPAA Security Rule has become a “front and center” focal point for the OCR. Putting in place technical safeguards was among the top five issues investigated by the U.S. Department of Health and Human Services (HHS) OCR which took substantial corrective actions against the businesses which failed to comply.

In this article, we help you to understand the HIPAA Security Rule and its Risk Assessment Requirement and what your business should do to enhance compliance and reduce your risk of penalty assessment by the OCR.  If you are a “covered entity” – and most dental practices are – your business must regularly conduct the required Risk Assessment and this year’s assessment must be completed by December 31, 2021.

All Electronic Protected Health Information (e-PHI) created, received, maintained, or transmitted by a business is subject to the Security Rule. The Security Rule requires businesses to evaluate the risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against “reasonably anticipated” threats or hazards to the security or integrity of its e-PHI. Risk analysis is the first step in that process.

The Security Rule indicates that risk analysis is a necessary tool in reaching substantial compliance with many other standards and implementation specifications contained within the Security and Privacy requirements.  The Security Management Process standard in the Security Rule requires businesses to implement policies and procedures to prevent, detect, contain, and correct security violations. (45 CFR § 164.308(a)(1).)

Risk analysis is one of the four required implementation specifications that provide instructions to implement the Security Management Process standard. Section 164.308(a)(1)(ii)(A) states:

Implementation specifications:

Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.

Although in this article we are focusing on the Risk Analysis requirement, so that you may understand the complete list, the remaining three implementation specifications associated with the Security Rule are:

  • Risk management. Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).

  • Sanction policy. Apply appropriate sanctions against workforce members who do not follow the security policies and procedures of the covered entity or business associate.

  • Information system activity review. Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

The goal of the HIPAA Security Rule Risk Analysis is to identify where in your business e-PHI may be at risk of improper disclosure and to adopt processes to protect it. Questions you may wish to consider in implementing the Security Rule:

  • Have you identified the e-PHI within your practice? This includes e-PHI that you create, receive, maintain, or transmit.

  • What are the external sources of e-PHI? For example, do vendors or consultants create, receive, maintain, or transmit e-PHI?

  • What are the threats (human, natural, and environmental) to information systems that contain e-PHI?

The outcome of the risk analysis process is a critical factor in assessing whether an implementation specification or an equivalent measure is reasonable and appropriate. Businesses should use the information gleaned from their risk analysis in order to:

  • Design effective personnel screening processes.

  • Identify what data to backup and how.

  • Decide whether and how to use encryption.

  • Address what data must be authenticated in particular situations to protect data integrity.

  • Determine the most secure methods of protecting health information transmissions.

You must review your legacy systems.  These are systems of information with one or more components that have been supplanted by newer technology and for which the manufacturer is no longer offering support.  The unique security considerations applicable to legacy systems in a dental practice IT environment are often overlooked.

Consider your cloud service provider (CSP) and add this to your risk assessment.    When a “covered entity” – i.e., your dental practice – engages the services of a CSP to create, receive, maintain, or transmit ePHI (such as to process and/or store ePHI), on its behalf, the CSP is a business associate under HIPAA.  When a business associate subcontracts with a CSP to create, receive, maintain, or transmit ePHI on its behalf, the CSP is also a business associate.  As a result, your dental practice (or your business associate) and the CSP must enter into a HIPAA-compliant business associate agreement (BAA), and the CSP is both contractually liable for meeting the terms of the BAA and is directly responsible for compliance with the applicable requirements of the HIPAA Rules.  A “covered entity” that engages a CSP should understand the cloud computing environment or solution offered by a particular CSP so that the covered entity (or business associate) can appropriately conduct its own risk analysis and establish risk management policies, as well as enter into BAAs which comply with HIPAA. Both covered entities and business associates must conduct risk analyses to identify and assess potential threats and vulnerabilities to the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit.

The Office for the National Coordinator for Health IT working in concert with the OCR has provided a tool to assist businesses with meeting their HIPAA responsibilities to protect e-PHI.  The tool is designed to help covered entities to construct and document security risk assessments.   The Risk Assessment Tool  is a downloadable Security Risk Assessment Tool to help guide you through the process.   The guide for use of the tool is here:   SRA Tool User Guide (

Best practices would suggest that you both use the resources made available to your business by the OCR and, to assure that you have a compliance solution which is customized to your dental practice, seek out a compliance service provider who can evaluate your specific business.  Regulatory Support Services offers compliance audit and evaluation services, and we are here to answer any questions you may have.  Contact us.

* The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces various federal civil rights laws including the Health Insurance Portability and Accountability Act (HIPAA) and Privacy, Security, and Breach Notification Rules. The OCR is also responsible for issuing periodic guidance on the provisions in the HIPAA Security Rule. (45 C.F.R. §§ 164.302 – 318.)

Comments are closed.

Call Now