Posted By Abhi Muthiyan On March 14, 2017

4 Reasons Not Conducting a Security Risk Assessment Can Cost You Money

Security Risk Assessment

A Security Risk Assessment (SRA) is an analysis of your healthcare organization, or of a business that handles data on its behalf, for threats to and weaknesses in the way it handles protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA). The HIPAA Security Rule makes a risk analysis mandatory for Covered Entities and their Business Associates and requires that it be kept current as systems and operations change; the CMS incentive programs additionally expect it to be performed or reviewed every year. Healthcare providers and business associates that skip a proper SRA can cost themselves upwards of hundreds of thousands of dollars in several ways.


  1. The Frequent Threat of Security Breaches

    Any breach affecting 500 or more individuals must be reported to the US Department of Health and Human Services, which publishes it on its public breach portal, often called the "wall of shame". That list continues to expand as healthcare entities large and small find themselves in breach of HIPAA, often by accident. An adequate SRA would have identified many of these threats ahead of time and prevented potentially millions in fines. Some of these breaches are as simple as a stolen laptop or phone whose storage was not encrypted; PHI on a lost device that was properly encrypted is not considered compromised, so encryption is one of the cheapest findings an SRA can close.

  2. The First Set of Documents Requested by Auditors

    Under the Health Information Technology for Economic and Clinical Health (HITECH) Act, any Covered Entity or Business Associate may be audited for compliance with the HIPAA Privacy, Security, and Breach Notification Rules, and the risk analysis with its supporting documentation is among the first items an auditor asks for. A healthcare provider can face financial penalties for failing to meet the requirements even if no breach has taken place. Just as important, a practice participating in the Centers for Medicare & Medicaid Services (CMS) incentive programs forfeits a portion of its payment if it cannot show that the assessment was performed.

  3. Prioritize Areas for Improvement

    Prioritization is determined by weighing the likelihood of an incident against the severity of its impact if it does occur; the findings that score highest on both are addressed first. With the limited budgets available to many public health departments and community health centers, this portion of the action plan helps you avoid overspending up front on details that can be addressed later in the process, and lets you build a workable timetable for improvement based on evidence rather than guesswork.

  4. Maintain Patient Trust

    A record of audit findings or breach penalties damages your reputation. As mentioned above, any breach affecting 500 or more individuals is published and open to public view. If there is such a history on record, customers may take their business elsewhere. This is especially damaging for a Business Associate, for which many competitive alternatives exist. For health centers trying to build trust in underserved communities, it can deter the very patients who need your services the most.
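The likelihood-versus-impact prioritization described in point 3 above, worked through on sample data, as an added example that is not part of the original post. It assumes a 1 to 5 ordinal scale for both ratings, a score of likelihood times impact with fixed Low/Medium/High/Critical thresholds, and an estimated remediation cost per finding; the findings listed are constructed, not results from a real assessment.

```python
"""Ranking and scheduling Security Risk Assessment (SRA) findings.

Added illustration, not code from the original post. Assumptions: a 1-5
ordinal scale for likelihood and impact, risk = likelihood x impact with
fixed thresholds for Low/Medium/High/Critical, and an estimated remediation
cost per finding. The findings at the bottom are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    name: str
    likelihood: int   # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int       # 1 (negligible) .. 5 (severe, e.g. reportable PHI breach)
    cost: int         # estimated remediation cost in USD (assumed figures)


def risk_score(likelihood: int, impact: int) -> int:
    """Combine likelihood and impact into a 1..25 score (assumed formula)."""
    for value in (likelihood, impact):
        if not 1 <= value <= 5:
            raise ValueError(f"rating {value} is outside the 1..5 scale")
    return likelihood * impact


def risk_level(score: int) -> str:
    """Map a numeric score to a qualitative level; thresholds are assumed."""
    if score >= 15:
        return "Critical"
    if score >= 8:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def prioritize(findings):
    """Highest risk first; among equal scores, higher impact first, then the
    cheaper fix first so inexpensive high-impact items are not starved."""
    return sorted(
        findings,
        key=lambda f: (-risk_score(f.likelihood, f.impact), -f.impact, f.cost),
    )


def schedule(findings, budget_per_phase: int):
    """Assign findings, in priority order, to the earliest phase (for example
    a quarter) whose remaining budget covers the fix. A finding that costs
    more than a whole phase still gets its own phase and overruns it, so it
    is surfaced in the plan rather than silently dropped."""
    phases = []      # list of lists of Finding, one list per phase
    remaining = []   # budget left in each phase
    for f in prioritize(findings):
        for i, left in enumerate(remaining):
            if f.cost <= left:
                phases[i].append(f)
                remaining[i] -= f.cost
                break
        else:
            phases.append([f])
            remaining.append(budget_per_phase - f.cost)
    return phases


# Constructed sample findings (not real assessment results).
SAMPLE_FINDINGS = [
    Finding("Laptops without full-disk encryption", 4, 5, 20000),
    Finding("No audit logging on EHR database", 3, 4, 8000),
    Finding("Shared front-desk workstation login", 4, 3, 3000),
    Finding("Backups never test-restored", 2, 4, 5000),
    Finding("Patient sign-in sheet visible to others", 5, 1, 200),
    Finding("Visitor badge policy not enforced", 2, 2, 500),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        s = risk_score(f.likelihood, f.impact)
        print(f"{s:2d} {risk_level(s):8s} ${f.cost:>6,} {f.name}")
    for n, phase in enumerate(schedule(SAMPLE_FINDINGS, 25000), start=1):
        print(f"Phase {n}: {[f.name for f in phase]}")
```

With a budget of 25,000 per phase the unencrypted laptops consume most of phase 1, the two cheap Medium items backfill its leftover budget, and the audit-logging and backup fixes move to phase 2: the plan stays in risk order while still using money that would otherwise sit idle.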

Even with the HIPAA regulations in place for many years, many healthcare providers and business associates are still not meeting the requirements. Anyone unsure about their health department's or health center's status can request a quote for a free consultation. If it is determined that you are not meeting the full requirements, a Security Risk Assessment will help you discover your weak spots and get on the road to compliance.