**2.2 Risks in HIPAA-covered entities**

Research at large has studied risk management of medical information [7–10], but not specifically as related to the different HIPAA-covered domains. Recent research [6, 7, 11] explores potential concerns for each legally covered segment based on self-reports to the US Government as required by the HITECH Act. In this sector-specific threat probability research [6, 7, 11], conducted over a one-year interval, the results showed that the different domains may indeed have different sources of concerns and issues. For example, healthcare providers and business associates reportedly have different, higher probabilities of concerns to alleviate than health plan entities, as shown in **Figure 2** [6]. This indicates that the different domains may need to manage their threats differently, perhaps by investing more heavily in different mitigating controls.
