HIPAA Risk Assessment

Your small medical practice's necessary first step for protecting patient privacy.

Don’t let the stricter HIPAA rules scare you. Just understand how they work, who’s at risk, and how to protect yourself. The first step is to hire a company like Matterform to conduct a risk assessment. This required document is the first thing a HIPAA auditor looks for, and skipping it could cost you.

You care about protecting patient privacy, and the HIPAA rules aren’t just a bureaucratic hassle—they’re actually great guidelines to help you protect your patients and your business. Compliance begins with a risk assessment, which is written documentation that deals with three basic elements:

  • Threats and vulnerabilities
  • Level of risk based on the likelihood of exploit and the resulting impact
  • General action plan for each item of concern

Risk assessment: A good security practice in any industry

These assessments are a powerful tool not just for healthcare providers—they’re useful in other industries as well, and Matterform is in high demand as a provider of assessments across a variety of businesses.

Matterform provides clients a risk analysis that covers every conceivable vulnerability with care and foresight, giving healthcare providers and their vendors the comfort of knowing they’re protected from government oversight. We conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information (ePHI) held by the covered entity.

Here’s essentially what our customized assessments do for our clients:

  • Identify and document reasonably anticipated threats, including natural, human and environmental.
  • Identify and document vulnerabilities that, if triggered or exploited by a threat, would create a risk to ePHI.
  • Analyze current security measures implemented to minimize or eliminate risks to ePHI.
  • Evaluate the likelihood that a threat will trigger or exploit a specific vulnerability.
  • Evaluate the potential impact of threat occurrence.
  • Evaluate the level of risk to ePHI, determined by the likelihood of a given threat triggering or exploiting a specific vulnerability, and the resulting impact.
  • Recommend new controls to mitigate the risk.

How we do it

Performing a risk assessment is a straightforward process in which Matterform does all the heavy lifting for you. The result is a tool that upper management can use to guide decision-making.

First we’ll work with you to determine the scope of the assessment. A full risk assessment covers all your line-of-business processes and applications. It can be a big project, so we start small and focused. Custom applications, databases, and electronic medical record systems (EMRs) are a great place to start, and are a Matterform specialty.

We’ll need access to your application and one or two interviews with staff. We’ll do the hard work.

Then we analyze everything and give you a written report.

This is the most important step: a plan of action. We grade risk levels based on likelihood and potential impact. The plan of action is a detailed security matrix covering each required and addressable HIPAA standard.

Finally, the executive summary outlines the top priorities in plain English.

Contact us, and we’ll start your risk assessment this week. The sooner you start, the sooner you can rest easy without the specter of compliance hanging over your head. We can help you prioritize and budget tasks to get you on the road to protecting patient privacy. This is a journey, not a destination. You’re never finished protecting patient privacy.

Matterform president Michael Herrick can be reached at michael@matterform.com.

Photo: “Traffic Cones” by Sebastian Bergmann