Data breach is one of the biggest challenges every industry is facing nowadays. However, the health industry is leading the chart with a probability of 69% of data breaches. This has increased identity theft, financial fraud, harming a person, etc. HIPAA rules and regulation was introduced to the healthcare industry to prevent these cyber attacks.

HIPAA assessment becomes compulsory for healthcare entities to meet the rules and regulations, preventing hefty fines. After the assessment, healthcare entities are facilitated with HIPAA compliance certification, which increases their trust among patients. In this blog, we will delve into the numerous assessment steps.

Steps to Perform a HIPAA Risk Assessment

Define the Scope

The first step is to define the overall scope of HIPAA assessment. Identify all ePHI your organizations have created, received, and maintained, whether on-premises or cloud. You should ensure that all the data is protected irrespective of the medium.

Collect Data

The next step is to collect the data you have received, stored, transferred, or maintained. For instance, you can check smartphones, other portable devices or technologies for transmission of ePHI. Determine how many people have access to ePHI within your organization; review past and existing projects, check documents, conduct interviews, or use other data collection techniques.

Identify Threats and Vulnerabilities

Look for the vulnerable areas where data breaches could be possible and any unauthorized disclosure or use of the medical data. Moreover, you should have knowledge of three security safeguards in order to get HIPAA compliance certification. 

  • Administrative
  • Physical
  • Technical

Conduct an Initial Risk Assessment

You should conduct an initial assessment to determine the current measure and identify the shortcomings of the present system. Analyze technical and non-technical measures, as it will provide you with information on the risk associated with these security measures.

Identify the Current Risk Level

Identify the potential security risks and vulnerabilities and assign them an appropriate value based on their impact. Moreover, you should document each possible outcome, such as unauthorized access, physical asset loss, financial cash flow loss, or permanent or temporary loss.


You should document all the findings you get after the HIPAA assessment, such as threats, vulnerabilities, security measures, etc. This can help you in periodic reviews. Moreover, develop a policy for how often you should conduct a risk assessment, keep track of the change at the end of the assessment and update it after each change.


INTERCERT can help you achieve HIPAA compliance certification, as it enables you to conduct the assessment to adhere to HIPAA compliance. We aid you in identifying the risk and acting on the threat.