HIPAA Risk Analysis

Assess your organization against the HIPAA Security Rule to identify gaps in security control coverage and make recommendations for improvement.

Scoping and Planning

We develop a project plan and agree upon key project milestones. We provide a request for information (RFI) to obtain relevant cybersecurity documentation, identify stakeholders, and schedule workshops.

We conduct a formal kick-off meeting with stakeholders and perform an initial discovery workshop to identify ePHI within your organization, including in-flows and out-flows involving third parties. We also define the threats which will be used during the risk analysis.


We conduct workshops, review documentation, and perform limited walkthroughs to gain an understanding of your alignment with the intent of the HIPAA Security Rule and HITECH Act as they pertain to the ePHI identified during the scoping phase. During this process we document the current state, gaps, maturity score, and recommendation for each specification.


Security Stakeholder Interviews

We conduct one or more workshop-style interviews with key security stakeholders around the organization to discuss security near-misses and emerging threats to ePHI, and to identify other risks that may not be surfaced by a controls-based risk analysis process. Findings from these interviews are included in the risk analysis report. Minutes from these interviews are documented and included in the overall review.


Risk Analysis and Reporting

We produce draft HIPAA/HITECH Security Risk Analysis deliverables to determine root causes or themes, which form the basis of the risk management plan. Identified risks are correlated with the defined threats to understand the residual impact and likelihood of each threat.