The HIPAA Security Rule requires every covered entity and business associate to conduct an accurate and thorough risk analysis. Yet it remains one of the most common deficiencies OCR cites in audits and breach investigations. Here's how to get it right.
What Is a HIPAA Risk Assessment?
A HIPAA risk assessment (also called a Security Risk Analysis or SRA) is a systematic evaluation of how your organization creates, receives, maintains, and transmits electronic protected health information (ePHI). Its purpose is to identify vulnerabilities and threats that could compromise patient data.
Key point: This is not optional. The risk analysis is the foundation of the Security Rule's administrative safeguards (45 CFR 164.308(a)(1)(ii)(A)), and OCR routinely asks for it, and the risk management plan that follows from it, in investigations.
When Should You Conduct One?
- On a regular schedule. The Security Rule does not fix an interval; OCR expects the analysis to be ongoing, and an annual review is a common baseline.
- When you adopt new technology (new EHR, cloud migration, telehealth platform)
- After a security incident or breach
- When there are environmental or operational changes (new office, remote work policies, M&A activity)
Step-by-Step Process
Step 1: Identify Where ePHI Lives
Map every system, device, and location where ePHI is stored, processed, or transmitted. This includes:
- EHR/EMR systems
- Email servers and cloud storage
- Employee workstations, laptops, and mobile devices
- Scanned or otherwise digitized paper records
- Third-party vendors and business associates
- Backup systems and disaster recovery sites
Step 2: Identify Threats and Vulnerabilities
For each system identified, document the threats it faces and the vulnerabilities those threats could exploit. A threat is something that could cause harm; a vulnerability is the weakness that lets it happen. Common threat categories:
- Human threats: Phishing, social engineering, malicious or careless insiders, unauthorized access
- Technical threats: Malware, ransomware, system failures, unpatched or unsupported software
- Natural threats: Floods, fires, storms
- Environmental threats: Power outages, HVAC or water failures affecting server rooms
Pair each threat with the specific weakness that makes it possible (for example, ransomware against a server missing security updates, or laptop theft where disks are not encrypted). These threat/vulnerability pairs are what you rate in Step 4.
Step 3: Assess Current Security Controls
Document what safeguards you already have in place:
- Access controls (role-based access, MFA)
- Encryption (at rest and in transit)
- Audit logging and monitoring
- Employee training programs
- Physical security measures
- Backup and recovery procedures
Step 4: Determine Risk Levels
For each threat/vulnerability pair, assess:
- Likelihood: How probable is it that the threat exploits this vulnerability, given the controls documented in Step 3? (High, Medium, Low)
- Impact: What would be the consequence for ePHI confidentiality, integrity, or availability if it occurred? (High, Medium, Low)
- Risk Level: Combine likelihood and impact into an overall rating. A simple 3x3 matrix is common, but whatever method you use, write it down so the ratings can be reproduced and defended.
Step 5: Create a Remediation Plan
For each identified risk, document:
- What action will be taken to mitigate the risk
- Who is responsible for the action
- Target completion date
- Priority level based on risk rating
Step 6: Document Everything
OCR doesn't just want you to do a risk assessment — they want to see proof. Maintain written documentation of:
- The scope and methodology of your assessment
- All identified risks and their ratings
- Current controls and their effectiveness
- Your remediation plan and progress
- Sign-off from organizational leadership
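The following is an added, illustrative example of Steps 1 through 6 as a small risk register; it is not code from this article or from HIPAA Security Suite, and it is not an OCR-prescribed method. The 3x3 scoring matrix, the rule that a control lowers likelihood by a fixed number of levels, and the sample findings are all assumptions chosen for the example. Each entry pairs an asset with a threat and a vulnerability, records existing controls, computes inherent and residual ratings, and produces the remediation plan and a documentation record with leadership sign-off.

```python
"""Minimal HIPAA-style risk register (illustrative example, not OCR's method).

Assumptions made for this example:
  * likelihood x impact on a 3x3 matrix: product 1-2 Low, 3-4 Medium, 6-9 High
  * an existing control lowers likelihood by 0, 1 or 2 levels depending on
    how effective it is (None / Partial / Strong)
Both conventions are choices for this example, not Security Rule requirements.
"""
from __future__ import annotations

from dataclasses import asdict, dataclass, field
import json

LEVELS = ("Low", "Medium", "High")
SCORE = {"Low": 1, "Medium": 2, "High": 3}
# Assumed convention: how many likelihood levels a control removes.
REDUCTION = {"None": 0, "Partial": 1, "Strong": 2}


def rating(likelihood: str, impact: str) -> str:
    """Combine likelihood and impact using the assumed 3x3 matrix."""
    product = SCORE[likelihood] * SCORE[impact]
    if product <= 2:
        return "Low"
    if product <= 4:
        return "Medium"
    return "High"


@dataclass
class Risk:
    """One threat/vulnerability pair against one asset (Steps 1-3 and 5)."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str          # inherent likelihood, before existing controls
    impact: str
    controls: dict[str, str] = field(default_factory=dict)  # name -> effectiveness
    action: str = ""
    owner: str = "unassigned"
    due: str = "TBD"

    def residual_likelihood(self) -> str:
        """Likelihood after the single most effective existing control."""
        best = max((REDUCTION[e] for e in self.controls.values()), default=0)
        return LEVELS[max(0, SCORE[self.likelihood] - 1 - best)]

    def inherent(self) -> str:
        return rating(self.likelihood, self.impact)

    def residual(self) -> str:
        return rating(self.residual_likelihood(), self.impact)


def remediation_plan(register: list[Risk], threshold: str = "Medium") -> list[dict]:
    """Step 5: risks at or above the threshold after controls, highest first."""
    open_items = [r for r in register if SCORE[r.residual()] >= SCORE[threshold]]
    open_items.sort(key=lambda r: SCORE[r.residual()], reverse=True)
    return [{"asset": r.asset, "threat": r.threat, "residual": r.residual(),
             "action": r.action, "owner": r.owner, "due": r.due} for r in open_items]


def assessment_record(register: list[Risk], scope: str, methodology: str,
                      approved_by: str) -> str:
    """Step 6: documentation-ready JSON with scope, method, ratings and sign-off."""
    doc = {
        "scope": scope,
        "methodology": methodology,
        "approved_by": approved_by,
        "risks": [dict(asdict(r), inherent=r.inherent(), residual=r.residual())
                  for r in register],
        "remediation_plan": remediation_plan(register),
    }
    return json.dumps(doc, indent=2)


# Constructed sample register for the example; not real findings.
SAMPLE = [
    Risk("EHR database", "Ransomware", "Database host missing security updates",
         "High", "High", controls={"Offline backups": "Partial"},
         action="Patch host; require MFA for admin access",
         owner="IT Director", due="2024-09-30"),
    Risk("Clinician laptops", "Theft or loss", "Disks not encrypted",
         "Medium", "High", action="Enforce full-disk encryption",
         owner="Security Officer", due="2024-08-15"),
    Risk("Email", "Phishing", "No awareness training in place",
         "High", "Medium", controls={"MFA on email": "Partial"},
         action="Run annual phishing awareness training",
         owner="Compliance Officer", due="2024-10-31"),
    Risk("Backup site", "Flood", "Site on a floodplain",
         "Low", "Medium", controls={"Geographically separate copy": "Strong"},
         action="Accept; review annually", owner="IT Director", due="2025-01-31"),
]

if __name__ == "__main__":
    print(assessment_record(SAMPLE, "All systems that create, receive, maintain "
                            "or transmit ePHI", "3x3 likelihood x impact", "CEO"))
```

In the sample, the phishing entry drops from High to Medium because an existing partial control is credited, while the unencrypted laptops stay High because nothing mitigates them; that difference between inherent and residual risk is what separates an analysis from a checklist, and the JSON record is the evidence trail Step 6 asks for.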
Common Mistakes to Avoid
- Using a simple checklist — A checklist is not a risk assessment. OCR wants analysis, not checkboxes.
- Only assessing technical risks — Don't forget physical and administrative safeguards.
- Doing it once and forgetting it — Risk assessments must be ongoing, not a one-time event.
- Ignoring business associates — Your risk assessment should account for how BAs handle your ePHI.
- Not involving leadership — Compliance is an organizational responsibility, not just IT's job.
How HIPAA Security Suite Helps
HIPAA Security Suite includes a built-in risk assessment module that walks you through each step, automatically scores risks, generates remediation plans, and maintains a complete audit trail. No spreadsheets, no guesswork.
Request a demo to see how our risk assessment tools simplify the process.