top of page
hero image.jpg

Risk Assessment

Update your

annually to stay protected


Send Prior Mitigation Report

Send Your report from the previous assessment


Schedule Appointment

Click the link in the instructions below to schedule


Was your Risk Assessment performed over a year ago or close to expiring?

Stay protected by completing your updated Risk Assessment.  

To update your Risk Assessment, follow the instructions below

Step 1:  Send your mitigation report from your previous risk assessment to Bekah either by fax at 877-551-0233 or by email to /   (Your report will be reviewed and you will meet with us to discuss any changes in your office and work that you have completed on your last mitigation plan.  This typically takes about 30-45 minutes.) 


Step 2:  After sending your mitigation report, please schedule your initial meeting by clicking the button below. 


Top 10 Myths of Security Risk Assessment


False. All providers who are "covered entities" under HIPAA are required to perform a risk analysis. In addition, all providers who want to receive EHR incentive payments must conduct a risk analysis.

The security risk analysis is optional for small providers.


False. Even with a certified EHR, you must perform a full security risk analysis. Security requirements address all electronic protected health information you maintain, not just what is in your EHR.

Simply installing a certified EHR fulfills the security risk analysis MU requirement.


False. Your EHR vendor may be able to provide information, assistance, and training on the privacy and security aspects of the EHR product. However, EHR vendors are not responsible for making their products compliant with HIPAA Privacy and Security Rules. It is solely your responsibility to have a complete risk analysis conducted.

My EHR vendor took care of everything I need to do about privacy and security.


False. It is possible for small practices to do risk analysis themselves using self-help tools. However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional.

I have to outsource the security risk analysis.


False. Checklists can be useful tools, especially when starting a risk analysis, but they fall short of performing a systematic security risk analysis or documenting that one has been performed.

A checklist will suffice for the risk analysis requirement.


False. A risk analysis can be performed in countless ways. OCR has issued Guidance on Risk Analysis Requirements of the Security Rule. This guidance assists organizations in identifying and implementing the most effective and appropriate safeguards to secure e-PHI.

There is a specific risk analysis method that I must follow.


False. Review all electronic devices that store, capture, or modify electronic protected health information. Include your EHR hardware and software and devices that can access your EHR data (e.g., your tablet computer, your practice manager's mobile phone). Remember that copiers also store data. Please see U.S. Department of Health and Human Services (HHS) guidance on remote use.

My security risk analysis only needs to look at my EHR.


False. To comply with HIPAA, you must continue to review, correct or modify, and update security protections. For more on reassessing your security practices, please see the Reassessing Your Security Practice in a Health IT Environment.

I only need to do a securty risk analysis once.


False. The EHR incentive program requires correcting any deficiencies (identified during the risk analysis) during the reporting period, as part of its risk management process.

Before I attest for an EHR incentive program, I must fully mitigate all risks.


False. Perform the full security risk analysis as you adopt an EHR. Each year or when changes to your practice or electronic systems occur, review and update the prior analysis for changes in risks. Under the Meaningful Use Programs, reviews are required for each EHR reporting period. For EPs, the EHR reporting period will be 90 days or a full calendar year, depending on the EP's year of participation in the program.

Each year, I'll have to completely redo my security risk analysis.

bottom of page