HIPAA Risk Assessments

HIPAA Compliance Starts With a HIPAA Risk Assessment

A practice-wide, up-to-date HIPAA risk assessment is the foundation of HIPAA compliance, and the very first question on the OCR audit protocol. The Aligned Risk Management (ARM) process will save your staff hundreds of hours of work. You’ll sleep better, confident that your compliance strategy is on a sure foundation.

How Do You Conduct an Effective Risk Assessment?

A HIPAA risk assessment is more than a checklist, more than a network scan. It needs to cover all your business processes, not just IT, and it needs to offer specific guidance to improve security.

The ARM process will save your staff hundreds of hours of work and you’ll feel confident that your strategy is on a sure foundation, with a solid plan for moving forward. When you work with ARM, our experts will interview your management and technology staff in person to:

  1. Inventory all systems, from your electronic health records application to your paper records and staff training
  2. Review policies and procedures, check business associate agreements
  3. Identify technical and non-technical process vulnerabilities
  4. Conduct a vulnerability scan of your local computer network
  5. Deliver specific, action-oriented recommendations aligned to your strategic goals

Risk Assessment Process

Risk Management

We’ll support your practice manager and IT staff through the ongoing risk management process, with an online compliance portal to help you stay organized and quarterly meetings to ensure you are always showing progress.

Policies and Procedures

Policy templates don’t work if you don’t customize them. We don’t offer fill-in-the-blank templates. We deliver complete documentation that accurately reflects your actual policies and procedures.


Security training is essential for mitigating the risk of insider misuse. It’s also required by HIPAA. We can train your staff in person at your location or ours, or sign up for our affordable online training, with automatic compliance reporting.

A Risk Management Plan You Can Understand

Our risk assessment report usually weighs in at around 90 pages with 70 or 80 specific recommendations for improving security. Now what?

HIPAA compliance is a journey, not a destination

Your risk assessment will identify actual threats to your patients’ data and realistically evaluate the likelihood of a breach. Likelihood and potential impact are the key factors to consider when evaluating risk levels. The risk levels identified during the risk assessment phase determine the priorities of the ongoing risk management phase.

We deliver our report in print, and also on the ARM Online Compliance Portal, a secure web-based app where your team can manage all your compliance documentation. Your risk management plan is ranked by our proprietary cost-benefit algorithm. We meet with clients quarterly to review and update the plan, ensuring you are always demonstrating progress.

The Costs of Non-Compliance

Even small practices risk huge HIPAA fines…

Healthcare is a target in this golden age of data breaches and identity theft. HIPAA enforcement is heating up too, and fines can be astronomical.

The Department of Health and Human Services has identified small healthcare practices as a special focus for upcoming HIPAA audits. Some recent fines for non-compliance:

In each of these cases, the Department identified the primary HIPAA violation as the failure to conduct a risk assessment. Data breaches can happen even in spite of the best security measures. It’s the presence or absence of a HIPAA risk assessment that determines how high the fines will go.


Would you like the confidence that comes from knowing you’ve taken proactive steps to protect patient privacy? Let’s meet so we can learn how your practice works and how you need to protect data, manage risk, and sleep better.

What are you waiting for? Call today.



Aligned Risk Management is a proud member of the Healthcare Information and Management Systems Society (HIMSS).