“ Both small and large organizations with access to patient health records must perform a HIPAA risk assessment in order to meet HIPAA guidelines. ”