HIPAA Risk Assessments

If your company works as a vendor for a healthcare system or hospital and creates, receives, maintains, or transmits protected health information (PHI) on its behalf, you are a “Business Associate” under HIPAA. Since the HITECH Act and the 2013 Omnibus Rule, business associates are directly liable for compliance with the HIPAA Security Rule and with the Privacy Rule provisions that apply to them; the Business Associate Agreement (BAA) in your customer’s contract restates those obligations and typically adds its own. One of the core obligations is to conduct a HIPAA risk analysis, if you have not already done so.


HIPAA risk assessments are part of an overall risk analysis and management program.  This can be an internal process that follows the guidance published by HHS and the Office for Civil Rights (OCR), or it can be an assessment performed by an external third party, often a Managed Service Provider (MSP).   A managed service provider (MSP) is an entity that remotely manages a covered entity’s or business associate’s IT infrastructure and/or end-user systems; because it handles ePHI in doing so, the MSP is itself a business associate of its healthcare clients. MSPs that work with clients in the healthcare sector typically have the experience needed to perform a risk analysis that satisfies the Security Rule.  One caveat: HHS does not recognize or endorse any HIPAA “certification,” so no third party can certify you as compliant or as a business associate. What an MSP can do is perform and document the risk analysis the Security Rule requires and help you remediate the findings.

Expertise required to perform a Business Associate HIPAA risk assessment

Typically, a HIPAA risk assessment is not organized around specific technical domains but around the methodology: confirming that your company has inventoried where protected health information (PHI) is created, stored, and transmitted; that the threats and vulnerabilities to that PHI have been identified; and that appropriate security measures have been implemented to protect it.  As an MSP, our goal is that you meet the risk analysis requirements under the Security Rule while retaining the freedom to select the specific controls you deem most appropriate for your environment.  There are numerous other requirements for a business associate under HIPAA, many of which will be spelled out in the Business Associate Agreement you signed with your customer.


Most healthcare organizations, whether a health system, hospital, ambulatory center, or primary care practice, require business associates that access PHI to have their privacy and security programs reviewed by an independent external third party.  This could be an applicable certification or attestation such as ISO 27001 or SOC 2, or a HIPAA risk assessment.  Finding a firm that can complete the assessment is the first step.  At Concertium, we have numerous employees who previously worked in the healthcare industry, including our CTO.  We have performed numerous HIPAA risk assessments for customers over the last 20 years.  We will work with you to determine which areas make the most sense to have in scope for the assessment, and then review the scope together to validate that it will meet your customer’s requirements before the assessment begins.


Topics that are covered in a HIPAA risk assessment:

  • Access and Identity Management
  • Vulnerability and Patch Management
  • Incident Management
  • Server Security
  • Cloud Security if applicable
  • End User Device Security
  • Asset and Information Classification, Handling, and Management
  • Network Security
  • Physical and Environment Security
  • Application Security
  • Business Resiliency
  • Human Resource Security
  • Information Security Program
  • Operations Management
  • Compliance with all applicable requirements of the HIPAA Privacy Rule
  • Risk Assessment and Management
  • Organizational requirements (business associate contracts and subcontractor agreements)

The HIPAA Security Rule requires that covered entities and business associates implement administrative, physical, and technical safeguards. These safeguards must protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). ePHI is protected health information that is created, stored, transmitted, or received in any electronic form.

Therefore, to identify which safeguards are needed and to implement them, a Security Rule Risk Analysis (sometimes referred to as a “Security Rule Risk Assessment,” “Security Risk Assessment,” or “Security Risk Analysis”) must be performed.  The risk analysis standard at 45 CFR §164.308(a)(1)(ii)(A) requires an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the organization, and the companion risk management standard at §164.308(a)(1)(ii)(B) requires that the identified risks be reduced to a reasonable and appropriate level. The analysis is not a one-time exercise: it must be documented, reviewed periodically, and updated when systems, vendors, or operations change.

Concertium can provide a free IT assessment

Some basic steps can be taken right away to begin protecting protected health information from intrusion.  For example, a Remote Monitoring and Management (RMM) agent can be deployed on every employee workstation assigned to healthcare clients, so that patch status, endpoint protection, and configuration drift are visible and managed centrally. This is just a single example; many other controls and reporting tools should be formalized, implemented, and documented so that they can be shown to an auditor or to your customer.

Would you like to hear more about how Concertium can support your business and its technology infrastructure? Schedule a free IT assessment call with our CEO and CTO so we can learn more about your business and your current technology needs.