How to Conduct a HIPAA Risk Assessment
Quick Answer
A HIPAA risk assessment is a systematic process to identify threats and vulnerabilities to ePHI, assess their likelihood and impact, and determine appropriate safeguards. It's the single most important HIPAA requirement and the foundation of your entire compliance program.
Why Risk Assessment Is HIPAA's #1 Requirement
The HIPAA risk assessment is the single most critical requirement in the entire HIPAA framework. OCR has stated repeatedly that failure to conduct a thorough risk assessment is the most common HIPAA violation. Every enforcement action, every corrective action plan, every resolution agreement — OCR almost always cites inadequate risk assessment.
Key Takeaways
- Risk assessment is the #1 cited deficiency in OCR enforcement actions
- Required by the Security Rule (§164.308(a)(1)(ii)(A)) — non-negotiable
- Must cover all ePHI across all systems, not just clinical systems
- Must be reviewed and updated at least annually
- Document everything — the assessment itself is evidence of compliance
HIPAA Risk Assessment Step-by-Step
Complete Risk Assessment Process
Identify all ePHI locations
Inventory every system, application, device, and location where ePHI is created, received, stored, processed, or transmitted. Include cloud services, local servers, workstations, mobile devices, email, backups, and paper-to-electronic conversion points.
Identify threats and vulnerabilities
For each ePHI location, identify potential threats (natural disasters, malicious attacks, human error, system failures) and vulnerabilities (unpatched software, weak passwords, lack of encryption, insufficient training).
Assess current security measures
Document existing safeguards for each system: access controls, encryption, monitoring, policies, physical security. Identify gaps where safeguards are missing or insufficient.
Determine likelihood and impact
For each threat-vulnerability pair, assess the likelihood of exploitation (high/medium/low) and the potential impact if ePHI is compromised (high/medium/low). Use a consistent methodology.
Calculate risk levels
Combine likelihood and impact to determine overall risk levels. Common approaches: qualitative (high/medium/low matrix), quantitative (numerical scoring), or hybrid.
Prioritize and plan remediation
Rank risks by severity. Create a risk management plan with specific remediation actions, responsible parties, and timelines. Address high risks first.
Document everything
Create a formal risk assessment report documenting your methodology, findings, risk levels, and remediation plan. This document is evidence of compliance.
Risk Assessment Methodology
| | Low Impact | Medium Impact | High Impact |
|---|---|---|---|
| High Likelihood | Medium Risk | High Risk | Critical Risk |
| Medium Likelihood | Low Risk | Medium Risk | High Risk |
| Low Likelihood | Low Risk | Low Risk | Medium Risk |
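The seven-step process above and the likelihood/impact matrix, worked as an added example (not part of the original page or any HHS tool): the page's matrix is encoded as a lookup, a consistency check confirms that raising likelihood or impact never lowers the resulting risk level, and a constructed, hypothetical register of findings is ranked into a remediation order. The `Finding` fields, the sample register entries and the alphabetical tie-break within a risk level are assumptions made for this example.

```python
from dataclasses import dataclass

# Risk matrix as given on the page: (likelihood, impact) -> overall risk level.
RISK_MATRIX = {
    ("high", "low"): "medium", ("high", "medium"): "high", ("high", "high"): "critical",
    ("medium", "low"): "low", ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("low", "low"): "low", ("low", "medium"): "low", ("low", "high"): "medium",
}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}  # lower = more severe
LEVELS = ["low", "medium", "high"]

@dataclass(frozen=True)
class Finding:            # one threat/vulnerability pair for one ePHI location (steps 1-4)
    location: str         # where ePHI is stored, processed or transmitted
    threat: str
    vulnerability: str
    safeguard: str        # existing control, or "none" (step 3)
    likelihood: str       # high / medium / low
    impact: str           # high / medium / low

def risk_level(likelihood, impact):
    """Step 5: combine likelihood and impact using the matrix; reject anything off-scale."""
    key = (likelihood.lower(), impact.lower())
    if key not in RISK_MATRIX:
        raise ValueError(f"likelihood and impact must be high, medium or low, got {key}")
    return RISK_MATRIX[key]

def matrix_is_consistent(matrix=RISK_MATRIX):
    """Consistency check: raising likelihood or impact must never lower the risk level."""
    rank = lambda lk, im: SEVERITY_ORDER[matrix[(lk, im)]]
    for i, lk in enumerate(LEVELS):
        for j, im in enumerate(LEVELS):
            if i > 0 and rank(lk, im) > rank(LEVELS[i - 1], im):
                return False
            if j > 0 and rank(lk, im) > rank(lk, LEVELS[j - 1]):
                return False
    return True

def remediation_plan(findings):
    """Step 6: rank findings most severe first (ties broken by location name)."""
    rows = [{"risk": risk_level(f.likelihood, f.impact), "location": f.location,
             "threat": f.threat, "vulnerability": f.vulnerability,
             "safeguard": f.safeguard} for f in findings]
    rows.sort(key=lambda r: (SEVERITY_ORDER[r["risk"]], r["location"]))
    return rows

# Constructed sample register (hypothetical values, not from any real organisation).
SAMPLE_REGISTER = [
    Finding("EHR database (cloud)", "malicious attack", "no encryption at rest", "none", "medium", "high"),
    Finding("Billing workstation", "theft or loss", "no full-disk encryption", "password login only", "high", "high"),
    Finding("Backup tapes offsite", "natural disaster", "single copy, untested restore", "vendor contract", "low", "high"),
    Finding("Staff email", "phishing", "no MFA", "spam filter", "high", "medium"),
    Finding("Patient portal", "human error", "annual training only", "training program", "low", "low"),
]
```

Calling `remediation_plan(SAMPLE_REGISTER)` returns the rows in the order a step-7 report would list them, with the critical unencrypted workstation first.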
Common Risk Assessment Findings
| Finding | Typical Risk Level | Common Remediation |
|---|---|---|
| Unencrypted ePHI at rest | Critical | Enable encryption on all databases, file systems, and devices |
| No or outdated risk assessment | Critical | Conduct comprehensive assessment immediately |
| Lack of access controls | High | Implement RBAC, MFA, and unique user accounts |
| Insufficient audit logging | High | Deploy centralized logging for all ePHI-accessing systems |
| Missing Business Associate Agreements | High | Execute BAAs with all vendors handling ePHI |
| No workforce training | High | Implement annual HIPAA training program |
| Unpatched systems | High | Establish vulnerability management and patching cadence |
| No incident response plan | Medium | Document and test breach response procedures |
| Inadequate backup/recovery | Medium | Implement tested backup and disaster recovery |
| Missing device management | Medium | Deploy MDM on all devices accessing ePHI |
Tools for HIPAA Risk Assessment
- HHS Security Risk Assessment (SRA) Tool: Free tool from HHS designed for small-to-medium practices. Walks through each Security Rule requirement.
- Compliance automation platforms: Vanta, Drata, Secureframe, and Compliancy Group all include HIPAA risk assessment modules.
- NIST SP 800-30: The comprehensive risk assessment methodology referenced by HHS. More detailed than most organizations need, but the gold standard.
- Consultants: HIPAA risk assessment consultants typically charge $5,000-$30,000 depending on organization complexity.
⚠️ Don't Use Generic Templates
OCR has specifically warned against using generic, checkbox-style risk assessments that don't reflect your specific environment. Your risk assessment must identify threats and vulnerabilities specific to YOUR systems, YOUR data flows, and YOUR organization. Generic templates are a starting point, not a finished product.
Risk Assessment Lifecycle
Risk assessment is not a one-time event — it's a continuous process that must be reviewed and updated regularly.
- Identify: ePHI locations, threats, vulnerabilities
- Assess: likelihood, impact, current safeguards
- Remediate: implement new safeguards, reduce risk
- Monitor: track controls, detect new threats
- Review: annual reassessment, update findings
How often must a HIPAA risk assessment be done?
HIPAA doesn't specify an exact frequency, but OCR guidance and industry best practice is at least annually. You should also reassess after significant changes: new systems, organizational changes, security incidents, or regulatory updates.
Can I do the risk assessment myself?
Yes, especially for smaller organizations. HHS provides a free SRA tool, and compliance platforms include guided risk assessment modules. However, for larger organizations or those with complex environments, engaging a qualified consultant provides more thorough results and third-party credibility.
What's the minimum documentation required?
Your risk assessment documentation should include: scope (systems assessed), methodology (how you assessed risk), findings (threats, vulnerabilities, risk levels), and remediation plan (actions, owners, timelines). There's no required format, but it must be thorough and specific to your organization.
Is a risk assessment the same as a HIPAA audit?
No. A risk assessment is an internal process you conduct (or hire consultants to conduct) to identify and manage risks. A HIPAA audit is a formal examination by OCR or an independent auditor to evaluate your overall compliance. The risk assessment is one component that an audit would review.