
HIPAA Risk Analysis: Adhering to the OCR Guidelines


In this 10-minute video, originally posted by the Minnesota Hospital Association as part of its Board Education Videos, Baker Tilly Director Janice Ahlstrom discusses the Security Rule and OCR requirements for a HIPAA risk assessment and reviews two industry tools recommended by the OCR.

Janice discusses the following:

  1. Understand why fines are being levied against organizations for HIPAA nonconformance.
  2. Identify the two tool kits recommended by OCR for conducting a HIPAA risk assessment.
  3. Recognize areas of security risk assessment frequently missed by organizations.

More about the HIPAA risk landscape

HIPAA and healthcare technology have changed significantly over the past twenty years. Covered entities and their business associates face an ever-evolving risk environment in which they must protect electronic protected health information (ePHI). Although healthcare security budgets may increase this year, the cost of implementing and operating adequate security controls to protect an entity's ePHI far exceeds what is typically budgeted. As a result, some ePHI may be under-protected and left vulnerable to a data breach. A long-term, consistent and cost-conscious approach to HIPAA compliance is needed.

HIPAA's role and importance continue to rise along with the value of the data it was created to protect. Healthcare providers are increasingly targeted by cyberattacks, and patient data now commands a higher price than credit card accounts on the black market and dark web.

Risk analysis is a required HIPAA implementation specification. Today, when providing services, we encounter a wide range of compliance issues and of tools used to conduct risk analysis. Often, HIPAA risk assessment reports neither meet the guidance defined by OCR nor support a complete review of the Security Rule controls.


Janice Ahlstrom, FHIMSS, CPHIMS, CCSFP, RN, BSN, has over 35 years of healthcare experience. As a director with Baker Tilly, Janice helps clients mitigate risk, improve performance and align technology investments with business strategic plans. She assists clients with healthcare internal audit, HIPAA Security and Privacy assessments, SOC 1 and SOC 2 audits, DR/BCP and other cybersecurity needs. Janice has managed the selection and implementation of numerous EHR systems in both inpatient acute care and ambulatory medical practice environments. Additionally, she has served as a clinical educator and nurse manager and has 11 years of clinical nursing experience.
