The requirement for Covered Entities to complete a HIPAA risk assessment is not a new aspect of the Health Insurance Portability and Accountability Act. The requirement was first brought into being in 2003 in the first HIPAA Privacy Rule, and subsequently enhanced to cover the administrative, physical and technical security measures of the HIPAA Security Rule.
In 2013, the Final Omnibus Rule amended the HIPAA Security Rule and specific breach notification clauses of the HITECH Act. The new regulations extended the requirement to conduct a HIPAA risk assessment to Business Associates, and also increased the monetary fine a Covered Entity or Business Associate could be hit with for non-compliance with HIPAA regulations.