Risk Management for HIPAA Security

Note: This is an abridged version of the article. For more details regarding risk management, technical assessments, and additional resources, please sign in to Member Services.

In a recent video, the Office for Civil Rights (OCR) announced that it is expanding its Security Risk Analysis (SRA) enforcement initiative to include Risk Management (RM). RM is a requirement within HIPAA’s Security Rule at paragraphs 164.306(a) and 164.308(a)(B), and is intended to ensure that actions are taken to reduce risks and vulnerabilities to a reasonable and appropriate level.

Before RM activities begin, entities should:

  • identify risks and vulnerabilities
  • consider risks and vulnerabilities to all electronic protected health information (EPHI) created, received, maintained or transmitted

One of the best ways to identify and consider risks and vulnerabilities is to conduct an SRA on a regular basis (annually and/or whenever significant changes are made to the network or information systems). An SRA can help inform the RM decisions, because the SRA process brings risks and vulnerabilities to light, and allows entities to document what is currently in place and see where improvement is needed.

Understanding Risks

Although the Security Rule is flexible and scalable, and no one technology or solution is required to achieve compliance, some commonly utilized approaches address known risks and therefore should be implemented. No specific type of approach is required, but safeguards must be in place and evaluated to determine whether they are properly reducing risk.

It’s not enough to just do “something.” The action taken must reduce risk to a reasonable, appropriate level. For example, let’s say an entity implements a requirement for password length, but the requirement is weak. Does a four-character password sufficiently reduce risk? The answer is no.

Many known threats can be reasonably anticipated, such as power outages, natural disasters and cyberattacks. In 2025, 76% of large breaches were caused by hackers/cyberattacks. An important part of RM is to review security measures and modify them as needed to protect against new strains of ransomware and recently discovered vulnerabilities.

If an entity were investigated, OCR would send a data request asking for RM policies and procedures, and evidence that security measures were implemented. Policies and procedures are important but alone are not evidence of implementation. For example, an entity could have policies but not be following them. In addition, remediation and corrective actions are often delayed year after year.

Implementing Risk Management

If implementation is not completed, then the entity is not in compliance with the RM standard. Prioritizing RM within the constraints of budget and operational capability allows entities to consider factors such as size, complexity and capability, technical infrastructure, costs of security measures and probability of potential risks. Cost is not meant to free an entity completely from obligations under the Security Rule. OCR would assess whether risks and vulnerabilities were reduced to a reasonable and appropriate level. Mitigation plans, time frames, approvals and status reports can help an entity demonstrate that it is taking steps to implement RM.

Technical Assessments

The Security Rule does not require third parties to perform assessments, so an internal IT team or your existing IT vendor could be used to provide assessments, reports, etc. Third parties can help to verify and assess network and system security and can be a useful tool.

Resources

Note that subscribers to Eagle Associates HIPAA Compliance System (HCS) have access to policies, an implementation guide, staff training, and a Security Risk Analysis tool, along with support for questions.