The HHS requires a HIPAA Risk Analysis to include the following 7 components:

1. Scope of the Analysis. All electronic devices an organization uses to create, receive, maintain or transmit electronic Protected Health Information (ePHI) portable media, desktops and networks should be included in the risk analysis. This includes an overview of network security between multiple locations, a spot particularly vulnerable to cybercriminals.
2. Data Collection and Storage. This section of the report reviews how electronic Protected Health Information (ePHI) is received, collected, and stored, determining whether data collection and storage is compliant with HHS regulations.
3. Potential Threats & Risks. This section identifies potential vulnerabilities to an organization’s data management, such as network and computer-based attacks (malicious software uploads or unauthorized access to ePHI); unintentional errors (such as inadvertent or inaccurate data entry or deletion); and IT disruptions (like those due to power failures, environmental disasters, or other scenarios where data access would be inhibited).
4. Current Security Measures. This section reviews an organization’s security measures to protect sensitive data from potential threats and risks. These security measures can be both technical security measures (such as encryption, two-factor authentication, and other technology-based measures) and non-technical (such as organizational policies, procedures, standards, guidelines, and accountability).
5. Likelihood of Threat Occurrence. Through reviewing current security measures and potential threats, this section estimates the likelihood of a security breach or other vulnerability that could put ePHI at risk. This section classifies potential threats as high, medium, or low risk, giving management a clear understanding of which threats need to be addressed first.
6. Potential Impact of Threat Occurrence. This sections reviews potential threats to explain the maximum impact of a threat occurrence (usually in terms of cost and lost time), how many people would be affected, and the kinds of information would be exposed. This can help inform responses based on the kinds of data (for example medical records would reveal different data than billing/payment information and thus require a different response).
7. Determine the Level of Risk. Finally, HIPAA risk management requires understanding the level of risk an organization faces. This information is determined from data produced in sections 5 and 6 of the report. The conclusions in this section can be qualitative or quantitative; the HIPAA risk analysis report does not require a specific type of conclusion, allowing the report to be tailored to the specific needs of an organization.

A properly conducted HIPAA Assessment will allow organization management to easily understand potential threats to sensitive data and what actions are required to reduce the risk of data loss.

HHS recommends organizations conduct a risk analysis periodically. Ideally, a risk analysis will be completed whenever a company implements or plans to adopt new technology or business operations. For example, a new report should be produced when a company switches data storage methods from managed servers to cloud computing, or if a company experiences any ownership or key staff turnover