Conducting a security risk analysis is a required measure for all HIPAA covered entities. Eligible professionals must conduct or review a security risk analysis for each reporting period to ensure the privacy and security of their patients’ protected health information.
The latest HIPAA Audit Program results found that 83% of covered entities failed to perform an adequate SRA. Additionally, 94% failed to establish or maintain an information security risk management plan. Failure to perform a risk assessment or conducting an insufficient risk assessment is the leading cause of failing a HIPAA audit.