HIPAA Risk Scores Made Simple: How to Measure and Improve Compliance

Why HIPAA Requires Risk Assessments

The HIPAA Security Rule (§164.308(a)(1)(ii)(A)) requires covered entities to conduct periodic risk assessments to identify threats and vulnerabilities to electronic Protected Health Information (ePHI). This isn't optional—it's a foundational requirement.

Risk assessments help you:

• Identify security gaps before they're exploited
• Prioritize improvements based on actual risk
• Document compliance efforts for audits
• Reduce cyber insurance premiums
• Avoid penalties from HHS Office for Civil Rights

The Three Pillars of HIPAA Security

1. Administrative Safeguards

Policies, procedures, and training that govern data security:

• Security officer designation
• Risk assessment and management processes
• Workforce security awareness training
• Incident response plan
• Business Associate Agreements (BAAs)
• Access control policies

2. Technical Safeguards

Technology controls that protect ePHI:

• User authentication (passwords, MFA)
• Encryption of data at rest and in transit
• Audit logging and monitoring
• Automatic logoff after inactivity
• Secure data transmission (VPN, encrypted email)

3. Physical Safeguards

Controls to protect physical access to systems and facilities:

• Facility access controls (locks, badges)
• Workstation security (screen locks, positioning)
• Device and media controls (secure disposal, encryption)
• Visitor logs and restricted areas

How Risk Scores Work

Risk assessments evaluate each safeguard on a scale to produce an overall security score:

Common Scoring Framework

• 90-100%: Low Risk (comprehensive controls in place)
• 70-89%: Medium Risk (some gaps, improvements needed)
• 50-69%: High Risk (significant vulnerabilities)
• Below 50%: Critical Risk (immediate action required)

Common Risk Factors in Dental Practices

High-Risk Areas

• No Multi-Factor Authentication: #1 cause of credential theft
• Unencrypted email: PHI sent via standard email
• No Business Associate Agreements: Missing BAAs with vendors
• Weak passwords: Simple, shared, or reused passwords
• No security training: Staff unaware of phishing threats
• Outdated software: Unpatched systems vulnerable to exploits
• No incident response plan: No documented breach procedures

How to Conduct a Risk Assessment

Step 1: Inventory ePHI Locations

Identify everywhere patient data is stored or transmitted:

• Practice management software
• Imaging and X-ray systems
• Email and cloud storage
• Backup systems
• Mobile devices
• Paper records (if scanned)

Step 2: Identify Threats and Vulnerabilities

• External threats: Hackers, ransomware, phishing
• Internal threats: Employee error, malicious insiders
• Environmental: Fire, flood, power outages
• System failures: Hardware crashes, software bugs

Step 3: Assess Current Safeguards

For each requirement, evaluate:

• Is the safeguard implemented?
• How effective is it?
• Is it documented and tested?

Step 4: Determine Risk Level

Calculate likelihood and impact:

• Likelihood: How likely is this threat to occur?
• Impact: How severe would a breach be?
• Risk = Likelihood × Impact

Step 5: Create an Action Plan

Prioritize mitigations based on risk score:

• High-risk items: Immediate action (30 days)
• Medium-risk items: Short-term improvements (90 days)
• Low-risk items: Ongoing monitoring or accepted risk

Step 6: Document Everything

HIPAA compliance requires documentation:

• Date of assessment
• Who conducted it
• Findings and risk scores
• Mitigation plan and timeline
• Completed remediation actions

Quick Wins to Improve Your Risk Score

1. Enable Multi-Factor Authentication (MFA)

Immediately reduces credential theft risk by 99.9%. Enable on:

• Email (Microsoft 365, Google Workspace)
• Practice management software
• Cloud storage
• Remote access (VPN)

2. Encrypt Email Communications

Use secure email tools for PHI:

• Microsoft 365 Message Encryption
• Google Workspace confidential mode
• Third-party encrypted email (Paubox, LuxSci)

3. Obtain Business Associate Agreements

Ensure all vendors with access to PHI have signed BAAs:

• Practice management software vendor
• Cloud backup provider
• IT support company
• Email and hosting providers
• Billing and collections services

4. Conduct Security Awareness Training

Annual training is required. Cover:

• Recognizing phishing emails
• Password security
• Physical security (locking workstations)
• Incident reporting procedures

5. Implement Automatic Logoff

Configure workstations to lock after 5-10 minutes of inactivity. This prevents unauthorized access when staff step away.

How Often Should You Conduct Risk Assessments?

HIPAA doesn't specify frequency, but best practices recommend:

• Annually: Comprehensive full assessment
• When significant changes occur: New software, office move, new location
• After security incidents: Breach, phishing attack, system compromise
• Before major technology changes: EHR migration, cloud adoption

What Happens If You Don't Conduct Risk Assessments?

HIPAA Enforcement

Failure to conduct risk assessments has been cited in numerous HHS enforcement actions. Penalties range from $100 to $50,000 per violation, with annual maximums reaching $1.5 million.

Breach Notification Consequences

If a breach occurs and you have no documented risk assessment, it demonstrates willful neglect—triggering higher penalties and mandatory corrective action plans.

Cyber Insurance Implications

Most cyber insurance policies require annual risk assessments. Without documentation, claims may be denied.

Conclusion

HIPAA risk assessments aren't just bureaucratic exercises—they're practical tools for identifying and addressing security gaps before they lead to breaches. By conducting annual assessments and implementing recommended mitigations, you protect patient data, demonstrate compliance, and reduce the likelihood of costly incidents.

Start with our HIPAA Risk Score Tool to get a baseline assessment, then create an action plan to address high-risk areas. Document everything, and review progress quarterly to ensure continuous improvement.