HIPAA Security Risk Assessment
Posted March 28, 2026 in Compliance.
Why the Risk Assessment Is HIPAA's Most Critical Requirement
The HIPAA security risk assessment is not just another compliance checkbox. It is the foundation that drives every other security decision in your organization. The HHS Office for Civil Rights has made risk assessment deficiencies the number one finding in enforcement actions, with multiple million-dollar settlements resulting from inadequate or missing risk assessments.
A thorough risk assessment tells you where your ePHI is, what threatens it, how vulnerable you are, and what you need to do about it. Without this information, every other security measure is guesswork.
Risk Assessment Methodology Overview
The HHS guidance on risk analysis outlines the required methodology. This guide breaks each step into actionable tasks.
Process Overview
| Step | Purpose | Output |
|---|---|---|
| 1. Scope definition | Define what is being assessed | Scope document |
| 2. Data inventory | Identify all ePHI locations | ePHI inventory |
| 3. Threat identification | Identify potential threats | Threat catalog |
| 4. Vulnerability assessment | Identify weaknesses | Vulnerability register |
| 5. Control evaluation | Assess existing safeguards | Control effectiveness ratings |
| 6. Likelihood determination | Rate probability of threats | Likelihood ratings |
| 7. Impact analysis | Rate potential damage | Impact ratings |
| 8. Risk calculation | Combine likelihood and impact | Risk scores |
| 9. Risk response | Decide how to address risks | Risk management plan |
| 10. Documentation | Record everything | Complete risk assessment report |
Step 1: Define the Scope
Every system, application, and process that creates, receives, maintains, or transmits ePHI must be included in your assessment scope.
Scope Checklist
- Electronic health records (EHR) system
- Practice management software
- Email systems used for PHI communication
- Medical devices that store or transmit patient data
- Cloud services that process or store ePHI
- Mobile devices used by staff for PHI access
- Network infrastructure (routers, switches, firewalls, Wi-Fi)
- Workstations and laptops used to access ePHI
- Backup systems containing ePHI copies
- Physical locations where ePHI is stored or accessed
- Paper records (if being converted to or from electronic)
- Business associate systems that handle your ePHI
Step 2: ePHI Data Inventory
Document every place ePHI resides, including locations most organizations overlook.
Commonly Overlooked ePHI Locations
- Voicemail systems with patient messages
- Fax servers and multifunction printer hard drives
- Staff personal devices (BYOD)
- Appointment scheduling platforms
- Patient portals and communication apps
- Billing and claims processing systems
- Analytics and reporting databases
- Development and testing environments using real data
- Former employee devices not yet returned or wiped
Data Flow Mapping
For each system, document how ePHI flows in and out. This reveals transmission paths that need encryption and handoff points that need access controls.
Step 3: Identify Threats
Threat Categories
| Category | Examples |
|---|---|
| Natural | Floods, hurricanes, earthquakes, power outages |
| Human (intentional) | Hackers, ransomware, insider theft, social engineering |
| Human (unintentional) | Employee errors, misdirected emails, lost devices |
| Environmental | Power failures, HVAC failures, water damage |
| Technical | System failures, software bugs, network outages |
Current Threat Landscape for Healthcare
- Ransomware targeting healthcare (increased 300% in recent years)
- Phishing attacks impersonating EHR vendors, insurance companies, and colleagues
- Insider threats from disgruntled employees or those with excessive access
- Medical device vulnerabilities (unpatched firmware, default credentials)
- Business email compromise targeting billing and accounts payable
Step 4: Identify Vulnerabilities
Assessment Methods
- Technical scanning: Automated vulnerability scans of networks, systems, and applications
- Configuration review: Compare system configurations against CIS benchmarks and vendor guidelines
- Policy review: Evaluate written policies against HIPAA requirements
- Staff interviews: Assess awareness of security procedures and potential workarounds
- Physical inspection: Walk through facilities checking physical safeguards
- Penetration testing: Simulate real attacks to find exploitable weaknesses
Common Healthcare Vulnerabilities
- Unpatched systems (especially legacy medical devices)
- Weak or shared passwords
- Lack of network segmentation between clinical and administrative networks
- Missing encryption on portable devices and email
- Inadequate backup testing (backups exist but have never been restored)
- Excessive user permissions (staff with access beyond their role)
- Missing or incomplete audit logging
Step 5: Evaluate Existing Controls
For each threat-vulnerability pair, evaluate the effectiveness of current controls.
Control Effectiveness Scale
| Rating | Description |
|---|---|
| Effective | Control fully mitigates the risk. Tested and verified |
| Partially effective | Control reduces but does not eliminate the risk |
| Ineffective | Control exists but does not meaningfully reduce the risk |
| Missing | No control exists for this threat-vulnerability pair |
Steps 6-8: Risk Calculation
Likelihood Rating
| Level | Description | Score |
|---|---|---|
| Very Low | Unlikely to occur | 1 |
| Low | Possible but not expected | 2 |
| Medium | Could reasonably occur | 3 |
| High | Likely to occur within the assessment period | 4 |
| Very High | Almost certain to occur | 5 |
Impact Rating
| Level | Description | Score |
|---|---|---|
| Minimal | Minor inconvenience, no PHI exposure | 1 |
| Low | Limited PHI exposure, minimal harm | 2 |
| Medium | Significant PHI exposure, moderate harm | 3 |
| High | Large-scale PHI exposure, substantial harm | 4 |
| Critical | Catastrophic PHI exposure, severe patient harm, regulatory action | 5 |
Risk Level = Likelihood x Impact
- Critical (20-25): Immediate action required
- High (12-19): Address within 30 days
- Medium (6-11): Address within 90 days
- Low (1-5): Address during normal operations
Step 9: Risk Response and Management Plan
For each identified risk, select a response strategy and document specific actions.
Response Strategies
- Mitigate: Implement controls to reduce risk to an acceptable level
- Accept: Acknowledge the risk and document the rationale (only for low risks)
- Transfer: Shift risk to another party (cyber insurance, business associate)
- Avoid: Eliminate the risk by changing the process or technology
Management Plan Template
For each risk requiring mitigation:
- Description of the risk
- Current risk level
- Planned remediation action
- Responsible person
- Target completion date
- Expected residual risk level after remediation
- Status tracking
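The scoring in Steps 6-8 and the response rules in Step 9, as an added worked example that is not part of the original article: it encodes the page's Likelihood and Impact tables, the four risk bands with their deadlines, and two reviewer checks (the page's rule that Accept is only for Low risks, and its definition of an Effective control as one that has been tested and verified). The `Risk` record, the `control_tested` field and the sample register entries are assumptions constructed for illustration.

```python
from dataclasses import dataclass
# Scoring tables as given in the Likelihood and Impact rating tables above
LIKELIHOOD = {"Very Low": 1, "Low": 2, "Medium": 3, "High": 4, "Very High": 5}
IMPACT = {"Minimal": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5}
# (minimum score, risk level, remediation deadline in days; None = normal operations)
BANDS = [(20, "Critical", 0), (12, "High", 30), (6, "Medium", 90), (1, "Low", None)]

@dataclass
class Risk:
    description: str
    likelihood: str
    impact: str
    control: str          # Effective / Partially effective / Ineffective / Missing
    control_tested: bool  # is there evidence the control was tested (e.g. a restore drill)?
    response: str         # Mitigate / Accept / Transfer / Avoid

def risk_score(likelihood: str, impact: str) -> int:
    """Risk Level = Likelihood x Impact on the 1-5 scales."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]

def risk_band(score: int) -> tuple:
    """Map a score to (level, deadline_days) using the bands above."""
    for floor, level, days in BANDS:
        if score >= floor:
            return level, days
    raise ValueError(f"score out of range: {score}")

def review(risk: Risk) -> list:
    """Findings a reviewer would raise against one register entry."""
    findings = []
    level, _ = risk_band(risk_score(risk.likelihood, risk.impact))
    if risk.response == "Accept" and level != "Low":
        findings.append(f"Accept is only allowed for Low risks; this one is {level}")
    if risk.control == "Effective" and not risk.control_tested:
        findings.append("rated Effective without test evidence; treat as Partially effective")
    return findings

def plan_entry(risk: Risk) -> dict:
    score = risk_score(risk.likelihood, risk.impact)
    level, days = risk_band(score)
    return {"risk": risk.description, "score": score, "level": level,
            "deadline_days": days, "response": risk.response, "findings": review(risk)}

# Constructed sample register entries, not from any real assessment
REGISTER = [
    Risk("Ransomware on unpatched legacy EHR server", "High", "Critical", "Missing", False, "Mitigate"),
    Risk("Backups exist but have never been restored", "Medium", "High", "Effective", False, "Accept"),
    Risk("Lost unencrypted laptop with ePHI", "Medium", "Medium", "Partially effective", True, "Mitigate"),
]
```

Calling `plan_entry` on each register entry yields one management-plan row per risk; the second sample entry scores 12 (High, 30 days) and is flagged on both checks.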
Step 10: Documentation
The final risk assessment report must be comprehensive, dated, and retained for 6 years. It should include all of the above steps plus an executive summary, methodology description, and sign-off from organizational leadership.
Our HIPAA compliance team conducts thorough risk assessments using industry-standard methodology, producing documentation that satisfies OCR requirements and provides actionable remediation roadmaps.
For additional guidance, also see our penetration testing services which complement the risk assessment with hands-on technical validation of your security controls.
Frequently Asked Questions
Can I use a free risk assessment tool?
HHS provides a free Security Risk Assessment Tool (SRA Tool) suitable for small practices. Larger organizations typically need more sophisticated tools or professional assessors. Regardless of the tool used, the methodology and documentation requirements remain the same.
How long does a risk assessment take?
For a small practice (5-20 employees), a thorough assessment takes 2-4 weeks. For mid-sized organizations, 4-8 weeks. For large healthcare systems, 8-16 weeks. These timelines include data gathering, analysis, and documentation.
What happens if OCR finds our risk assessment inadequate?
An inadequate risk assessment is one of the most cited findings in OCR enforcement actions. Penalties can range from corrective action plans to multi-million-dollar settlements. Failure to conduct a risk assessment at all has resulted in some of the largest HIPAA fines in history.
Do business associates need their own risk assessment?
Yes. Business associates are independently responsible for conducting their own HIPAA risk assessments covering the ePHI they create, receive, maintain, or transmit. Covered entities should verify their business associates have completed this requirement.
Should I hire a professional or do it in-house?
Small practices with simple IT environments can use the HHS SRA Tool for in-house assessment. Organizations with complex environments, multiple locations, or high-risk profiles benefit significantly from professional assessment. External assessors bring objectivity and expertise that internal teams may lack.
What is the relationship between risk assessment and penetration testing?
The risk assessment identifies and evaluates risks at a strategic level. Penetration testing validates specific technical vulnerabilities by attempting to exploit them. They are complementary: the risk assessment identifies what to test, and penetration testing verifies whether controls actually work.
Need Help?
Schedule a free consultation or call 919-348-4912.