
Your Most Important Year-End Review Isn’t Financial — It’s Your HIPAA Risk Assessment

by Mario Fucinari, DC, CPCO, CPPM

As the year ends, we take stock of our accomplishments, review the practice’s financial status, and set new goals for the upcoming year. However, amid the hustle of patient care, staff management, and year-end evaluation, one crucial area is often overlooked: the assessment of privacy and security risks to Protected Health Information (PHI). This assessment is not merely an administrative exercise — it is a required component of HIPAA compliance and a vital step in protecting your patients, your practice, and your reputation.

In March 2025, the HHS Office for Civil Rights (OCR) announced it would restart its HIPAA audit program. OCR stated that during the audits it will review the HIPAA compliance efforts of selected covered entities and business associates, focusing on the HIPAA Security Rule provisions most relevant to hacking and ransomware. Each office must implement its HIPAA compliance program and conduct a risk assessment of its privacy practices and Security Rule compliance, including use of the Security Risk Assessment Tool version 3.6 (SRA Tool). The SRA Tool was designed to enable small- to medium-sized healthcare organizations to meet the HIPAA Security Rule’s security risk assessment requirement. The results of the risk assessment and SRA Tool must be documented, along with a mitigation plan to address any identified deficiencies.

The requirements for covered entities and business associates to conduct risk assessments appear twice in the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act (HIPAA). HIPAA was established to ensure that healthcare providers maintain the privacy and security of patient health information. Under the HIPAA Security Rule, all covered entities, including chiropractic practices, are required to conduct a risk analysis: an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI).

Advanced technology is designed to make our lives more productive and efficient, but along with the advancements, new threats emerge. Whether you are a large or small practice, and whether you use cloud-based electronic health records (EHR), paper records, or a hybrid system, you must still assess your vulnerabilities. The assessment is a method to renew your goals, policies, procedures, and safeguards for the upcoming year.

As healthcare providers, we are entrusted with sensitive patient information: not only names and addresses, but also detailed health histories, treatment records, insurance data, and even financial information such as credit card numbers. A breach of such data can lead to devastating consequences: regulatory fines, legal actions, loss of patient trust, and irreversible harm to your reputation.

The end of the year provides a natural opportunity to review your compliance posture. Just as you analyze your financial statements and practice metrics, assessing HIPAA risks should be part of your annual operational audit. A yearly review ensures that you stay compliant as your systems evolve.

Failure to conduct and document a risk assessment is one of the most common violations cited by OCR during audits and breach investigations. Even if your office has never experienced a data breach, failing to conduct a current risk assessment can result in penalties ranging from thousands to millions of dollars, depending on the level of negligence.

Ransomware, phishing attacks, and AI social engineering are now common threats in the healthcare industry. A single click on a malicious email or an unpatched piece of software could compromise your entire database. An effective HIPAA risk assessment detects these vulnerabilities before they can be exploited.

HIPAA risk assessments are not just about identifying threats—they also reveal inefficiencies in workflows and communication. During an evaluation, you might discover redundant processes, outdated systems, or unnecessary paper handling that can be improved. Increasing efficiency in daily operations should be a primary goal for your practice.

For instance, if your office still relies on fax machines or handwritten logs, transitioning to secure digital systems could enhance both compliance and efficiency. The risk assessment process often leads to improved documentation practices, better access controls, and clearer communication channels — all of which contribute to smoother operations and fewer compliance headaches.

A HIPAA risk assessment should be comprehensive and tailored to your specific practice. It typically involves:

  1. Identifying all locations and systems that store or transmit PHI, including computers, mobile devices, cloud storage, and paper records. Do you have any billing staff or doctors who work remotely?
  2. Assessing current safeguards, including access control, encryption, firewalls, and strong passwords.
  3. Evaluating potential threats and vulnerabilities, both internal (staff errors, lost devices) and external (cyberattacks, natural disasters).
  4. Developing a risk management plan consisting of corrective actions, assigned responsibilities for overseeing processes within the office, and timelines.
  5. Maintaining written proof by documenting and reviewing your analysis and updates for regulatory and internal review.

Integrating the HIPAA risk assessment into your year-end goals helps make it a regular practice rather than a reactive response to a crisis. Assign a compliance officer, trusted staff member, or certified compliance consultant to manage the process and plan it alongside other administrative checks. Engaging outside tools will provide an objective perspective and help ensure that no critical area is overlooked.

Finally, share the assessment results with your entire team. HIPAA compliance is not just the responsibility of the doctor or office manager — it’s a shared duty that requires awareness and participation from every staff member who handles patient information.

As the chiropractic profession continues to embrace technology and digital health records, the responsibility to protect patient information has never been greater. Conducting a thorough HIPAA risk assessment at the end of each year is not just a regulatory requirement — it’s a moral and professional obligation. Make this year-end review a cornerstone of your compliance plan — because protecting patient privacy protects the integrity of your entire practice.


Dr. Mario Fucinari is a Certified Professional Compliance Officer, Certified Physician Practice Manager, Certified Insurance Consultant, and a Medicare Carrier Advisory Committee member. As a ChiroHealthUSA Speaker’s Bureau member, Dr. Fucinari travels throughout the year, speaking to audiences nationwide and sharing his chiropractic expertise and insights on best practices in documentation, compliance, billing, and coding. To have Dr. Fucinari speak at your conventions or webinars, contact him at doc@askmario.com or call ChiroHealthUSA for availability.