hipaa-risk-analysis

Installation
SKILL.md

HIPAA Risk Analysis — 45 CFR §164.308(a)(1)

Overview

The HIPAA Security Rule requires covered entities and business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the organization. Risk analysis under §164.308(a)(1)(ii)(A) is the foundational requirement of the Security Rule — it drives all subsequent safeguard decisions. OCR has identified failure to conduct a comprehensive, enterprise-wide risk analysis as the most common finding in breach investigations and compliance reviews. The risk analysis must be ongoing, not a one-time event, and must be updated whenever significant changes occur in the environment or in response to security incidents.

Legal Foundation

Regulatory Text

45 CFR §164.308(a)(1)(ii)(A) — Risk Analysis (Required):

"Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate."

45 CFR §164.308(a)(1)(ii)(B) — Risk Management (Required):

"Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a)."

OCR Guidance Documents

OCR published "Guidance on Risk Analysis Requirements under the HIPAA Security Rule" (July 14, 2010) establishing nine essential elements that an adequate risk analysis must address. This guidance, while not binding regulation, represents OCR's enforcement expectations and has been consistently applied in settlement agreements and corrective action plans.

Installs
10
GitHub Stars
187
First Seen
May 26, 2026
hipaa-risk-analysis — mukul975/privacy-data-protection-skills