Why a HIPAA risk assessment is an MSP’s best friend

Art Gross

If you are an MSP and have clients that are required to comply with HIPAA regulations, you should encourage them to perform a HIPAA Risk Assessment. A HIPAA Risk Assessment can drive demand for an MSP's products and services. Let's take a closer look at a HIPAA Risk Assessment and some of the benefits to MSPs.

HIPAA Risk Assessment is a Core Requirement

The HIPAA Security Rule requires organizations to protect the confidentiality, integrity and availability of electronic protected health information (ePHI or patient information). Organizations are required to implement effective and appropriate administrative, physical, and technical safeguards to protect patient information. A core requirement of the HIPAA Security Rule specifies that an organization conduct a HIPAA Risk Assessment/Risk Analysis of how it is currently protecting patient information and implement additional safeguards to further protect that information. According to the Department of Health and Human Services (HHS):

All ePHI created, received, maintained or transmitted by an organization is subject to the Security Rule. The Security Rule requires entities to evaluate risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of ePHI. Risk analysis is the first step in that process.

Meaningful Use Requirement

If an organization is going for Meaningful Use incentives, which are incentives up to $44,000 per physician for implementing a certified Electronic Health Records system, they are also required to perform a HIPAA Risk Assessment. In order to receive payments, the risk assessment must be done on an annual basis. According to HHS Health Resources and Services Administration (HRSA):

To receive the incentive payments, you must also demonstrate that you have met the criteria for the EHR Incentive Program’s privacy and security objective. This objective, “ensure adequate privacy and security protections for personal health information,” is the fifth and final health policy priority of the EHR Incentive Program. The measure for Stage 1 aligns with HIPAA’s administrative safeguard to conduct a security risk assessment and correct any identified deficiencies. In fact, the EHR Incentive Program’s only privacy and security measure for Stage 1 is to:

Conduct or review a security risk assessment of the certified EHR technology, and correct identified security deficiencies and provide security updates as part of an ongoing risk management process.

The risk analysis and risk management process must be conducted at least once prior to the beginning of the EHR reporting period. You will need to attest to CMS or your State that you have conducted this analysis and have taken any corrective action that needs to take place in order to eliminate the security deficiency or deficiencies identified in the risk analysis.

Risk Assessment Output

The output of a comprehensive HIPAA Risk Assessment includes recommendations that an organization should implement to increase the security of patient information. By performing a HIPAA Risk Assessment, an organization is forced to identify where patient data is stored or transmitted, specify how it is being protected and examine the threats or vulnerabilities to that data. A thorough HIPAA Risk Assessment can identify threats to patient data that could cause security breaches. Implementing the recommendations of a HIPAA Risk Assessment could significantly lower the risk of HIPAA breaches and the potential of penalties for non-compliance with HIPAA regulations.

Common Findings of a HIPAA Risk Assessment

Some of the common findings of a HIPAA Risk Assessment include the following:

  • Lack of encrypted offsite data backup
  • Lack of an implemented and tested disaster recovery plan
  • Lack of email encryption
  • Lack of laptop encryption
  • Lack of mobile device management including encryption (smartphones / tablets / USB drives, etc.)
  • Lack of anti-virus on all endpoints and servers
  • Lack of security patching of servers and desktops
  • Lack of security penetration and vulnerability testing
  • Lack of security incident response procedures

A HIPAA Risk Assessment would determine the risk that these threats pose to ePHI and recommend that appropriate security safeguards be implemented to address the above findings and lower the risk to ePHI.

MSPs Can Help Implement the Risk Assessment Recommendations

A HIPAA Risk Assessment can help sell many of the services that MSPs offer. Many of the common findings of a HIPAA Risk Assessment can be addressed by products and services available from MSPs. Typical MSP core functions include data backup, disaster recovery, anti-virus services and security patching of servers and desktops. MSPs can also play a valuable role in helping organizations implement encryption services.

An MSP can also help implement a security incident response plan. An MSP can play a core role in reacting and responding to security incidents including a lost or stolen laptop or smartphone, a hacker breaching an organization’s infrastructure or a virus infiltrating an organization’s network.

A HIPAA Risk Assessment is a core requirement under the HIPAA Security Rule. All HIPAA-regulated organizations are required to perform ongoing Risk Assessments. The recommendations of a HIPAA Risk Assessment can help sell additional MSP products and services. For example, it is a lot easier to state that HIPAA requires a disaster recovery plan that is implemented, documented and periodically tested than it is to sell disaster recovery benefits on their own. While a HIPAA Risk Assessment might not replace your trusted dog, it can be an MSP's best friend.