By Danielle M. Murray, J.D.

As a health care provider or owner of a health facility, you know about the Health Insurance Portability and Accountability Act (HIPAA) of 1996.  You know that you must safeguard confidential patient medical information to avoid civil and criminal penalties against you and your practice. Did you know that you may also be required to have a HIPAA Risk Assessment?

If You Are A Health Care Provider You Face an Audit Risk.

The Office for Civil Rights (OCR) is stepping up enforcement against "covered entities" and their business associates around the country.  OCR auditors will send a letter informing you that, within 30 days, they will be in your office reviewing your organization and interviewing your key staff members.  If the auditor finds deficiencies, you will be notified of them and re-reviewed later, unless you are first fined or otherwise sanctioned.  Many practices, facilities, and their business associates are likely to face this situation in the coming months and years.

An investigation into HIPAA violations is frequently triggered by a complaint from a disgruntled employee or a patient, the theft or loss of records, a security breach, or an improper disclosure.

A HIPAA Risk Assessment is Mandatory by Law.

A HIPAA Risk Assessment is a thorough review and analysis of the threats to the protected health information your practice holds and of the areas where you are at risk of violating HIPAA.  Federal regulations require covered entities to have this assessment done.  Specifically, the HIPAA Security Rule (45 C.F.R. § 164.308(a)(1)(ii)(A)) says that covered entities must:


[c]onduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

To see this regulation in full, go to

Practices Big and Small Can Be Audited.

Large and small practices alike have been targeted by HIPAA compliance audits and enforcement actions.  UCLA Health System paid $865,500 because some of its employees repeatedly accessed the medical records of hospitalized celebrities without authorization.  The Alaska Department of Health and Social Services was fined $1,700,000 after a USB hard drive full of protected health information was stolen from an employee's car.  In another case, a specialty physician practice in Arizona was fined $100,000 because it used a publicly accessible internet calendar to post clinical and surgical appointments.

These cases had something in common: in each, OCR found that the entity had not conducted an adequate HIPAA risk assessment or had not implemented the administrative safeguards the rules require, and each paid a large penalty. Could your practice afford that sort of cost? And that is before considering the potential criminal liability that comes with privacy violations.

HIPAA Risk Assessments Are A Pre-Emptive Measure to Limit Sanctions.

A HIPAA risk assessment can significantly reduce your exposure to regulatory and litigation sanctions.  It identifies areas for improvement so they can be corrected before an auditor finds the issue and causes unwanted problems for you and your practice.

HIPAA rules have likely changed since you last revised your privacy forms and procedures. Many health providers simply do not have the time to re-review their policies and revise their documents. Ideally, this review would be done every six months.

When the OCR auditor visits your office to check for HIPAA compliance, one of the first things requested will be your risk assessment. Do you have one? Does your staff know who your HIPAA compliance officer is?  Call an experienced health law attorney to complete a risk assessment of your practice today.


Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other healthcare providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at or call (407) 331-6620 or (850) 439-1001.


What are your thoughts? Is HIPAA working? Not working? Has HIPAA increased the protection of your health information? What could be done to improve it? Please leave any thoughtful comments below.

About the Author: Danielle M. Murray is an attorney with The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. The Health Law Firm, 1101 Douglas Avenue, Altamonte Springs, Florida 32714

“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.

Copyright © 1996-2012 The Health Law Firm. All rights reserved.