HIPAA compliance means adhering to the Health Insurance Portability and Accountability Act (HIPAA), which sets national standards for protecting sensitive patient health information (PHI and ePHI). Organizations like hospitals, clinics, insurers, and business associates must safeguard confidentiality, integrity, and availability of PHI through administrative, physical, and technical safeguards.
A central requirement of HIPAA’s Security Rule is conducting a risk assessment (often called a security risk analysis). This is not just a checklist—it’s a systematic process to:
Identify where PHI is created, stored, transmitted, and accessed.
Analyze potential threats and vulnerabilities (e.g., ransomware, insider misuse, lost devices).
Evaluate likelihood and impact of those risks.
Implement controls and safeguards proportionate to the risk level.
The risk assessment must be ongoing, not a one-time exercise, as new technologies, workforce changes, and cyber threats constantly emerge.
The concept of duty of care extends the risk assessment beyond compliance. While HIPAA sets the baseline, duty of care means an organization must take “reasonable and appropriate” measures to protect patient data, even when specific requirements aren’t spelled out. It’s about aligning security with both regulatory obligations and industry-recognized best practices.
A duty of care risk analysis:
Goes deeper than checking off HIPAA requirements.
Considers whether safeguards are “reasonable” given the sensitivity of PHI and the potential harm to patients if breached.
Helps demonstrate defensibility: if an incident occurs, the organization can show it took proportionate, thoughtful actions to manage risks.
In practice:
HIPAA compliance provides the legal and regulatory foundation.
Risk assessment ensures compliance is based on a clear understanding of threats and vulnerabilities.
Duty of Care Risk Analysis (DoCRA) ensures that protections are not just legally compliant but also ethically and practically sufficient to protect patients, avoid negligence claims, and build trust.
For example, HIPAA doesn’t explicitly say “you must use multi-factor authentication (MFA).” But a duty of care risk analysis may determine MFA is a reasonable safeguard against credential theft, and courts or regulators could view failure to use it as negligence.
Cyberattacks on hospitals, clinics, and health technology platforms are on the rise, and the stakes couldn’t be higher. When sensitive medical data is exposed or stolen, it can lead to identity theft, insurance fraud, and even compromised patient care. Hackers target healthcare organizations because PHI is incredibly valuable. Unlike credit card numbers, which can be changed, health records contain permanent information—like diagnoses, Social Security numbers, and insurance details—that can be used for years.
That’s why organizations covered by HIPAA must take cybersecurity seriously. The HIPAA Security Rule requires them to safeguard PHI through administrative, physical, and technical controls. While the rule itself hasn’t changed much since 2003, regulators like the Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR) expect organizations to keep pace with today’s threats. Strategies that should be implemented include strong access controls, regular risk assessments, encryption, and penetration testing. The updated HIPAA rule requires annual penetration tests.
Run regular scans (at least quarterly) of all systems, including medical devices, EHRs, and remote access tools.
Prioritize risks based on potential impact to Protected Health Information (PHI).
Create a clear Incident Response Plan (IRP) that outlines what happens when a breach or attack occurs.
Investing in tools, training, and testing may feel like a burden, especially for smaller providers, but it’s essential for protecting your patients and your reputation.
Remember to implement a cybersecurity program specific to your unique industry and business environment.