A CERT-In Empanelled Auditing Organization
Audits & Attestation

HIPAA Risk Assessment

Security Rule risk analysis for covered entities and business associates — evaluating how you safeguard protected health information against HIPAA’s requirements.

Overview

Protect PHI, evidence your diligence.

HIPAA requires organisations handling protected health information to conduct a risk analysis and implement safeguards across administrative, physical and technical controls.

We assess your environment against the HIPAA Security Rule, identify risks to PHI, and provide a prioritised plan to address gaps and demonstrate the diligence regulators expect.

What’s covered

The areas this audit examines.

Administrative safeguards

Policies, training and workforce controls.

Physical safeguards

Facility and device protections.

Technical safeguards

Access, audit, integrity and transmission security.

Risk analysis

Threats and vulnerabilities to PHI.

Breach readiness

Notification processes and documentation.

Who needs this

Is this you?

The kinds of organisations that rely on this work.

  • US healthcare providers: covered entities under HIPAA.
  • Health insurers / plans: PHI handling.
  • Business associates: vendors processing PHI.
  • Health-tech & SaaS: serving US healthcare.
  • BPOs handling PHI: offshore processing.
  • Any org touching US PHI: Security Rule obligations.

Regulatory drivers

Why this is required

A documented risk analysis is the foundational, explicitly required element of the HIPAA Security Rule for anyone handling US protected health information; without it, no other safeguard can be justified or defended.

HIPAA Security Rule (§164.308)
Requires an accurate and thorough analysis of risks to electronic protected health information.
HHS Office for Civil Rights
OCR enforcement and audits expect a current, documented risk assessment.
Business Associate Agreements
Covered entities flow down risk-assessment expectations to their business associates.
How we work

A proven, methodical approach.

A staged approach built to deliver a defensible outcome.

Scoping & PHI data mapping

Mapping where protected health information is stored and flows.

Threat & vulnerability identification

Identifying threats and vulnerabilities to PHI.

Safeguards assessment

Assessing administrative, physical and technical safeguards.

Risk rating & analysis

Rating risks by likelihood and impact.

Remediation roadmap

A prioritised plan to reduce risk to PHI.

Report & documentation

HIPAA-aligned documentation of the assessment.

What you receive

Documentation built for every audience.

  • Risk assessment report: HIPAA-aligned documentation of the assessment.
  • PHI data-flow map: where protected health information lives and flows.
  • Safeguards gap register: administrative, physical and technical gaps.
  • Risk register: risks rated by likelihood and impact.
  • Remediation roadmap: a prioritised plan to reduce risk.

Standards & frameworks

The work is mapped to the standards and rules that apply to you.

  • HIPAA Security Rule
  • HIPAA Privacy Rule
  • NIST SP 800-66
  • HITRUST (mapping)

Checklist

Are you ready? A quick checklist

What to have in place before we begin.

PHI data flows mapped
In-scope systems inventoried
Administrative safeguards reviewed
Physical safeguards reviewed
Technical safeguards reviewed
BAAs with vendors in place
Workforce training records
Breach-response process documented
FAQ

Common questions

Who needs a HIPAA risk assessment?
Covered entities — such as healthcare providers and health plans — and their business associates that create, receive, store or transmit protected health information all need one. A documented risk analysis is an explicit requirement of the HIPAA Security Rule, and it is the foundation every other safeguard is built on.
Does this make us HIPAA certified?
HIPAA has no official certification; compliance is demonstrated through your safeguards, risk analysis and documentation, which we help you establish.
Can you map to HITRUST?
Yes. If you are pursuing HITRUST CSF certification, we can align the HIPAA risk assessment to support that path, so the work you do for HIPAA feeds directly into your HITRUST programme rather than being repeated.
Ready to get started?

Tell us your goals and constraints, and we’ll shape the right engagement.