Action plan · For overdue programs

What to Do If You Haven't Completed a HIPAA Risk Assessment

If your organization has never completed a HIPAA Security Risk Analysis — or your last one is more than 12 months old — this is the prioritized plan to close the gap, document the work, and reduce the risk before someone asks for evidence.

New Security Risk Analysis setup screen with scope checklist, assigned owner, and target completion date
Security Risk Analysis setup with scope, owner, and target completion date.

Why this matters

The HIPAA Security Rule requires covered entities and business associates to conduct an accurate and thorough assessment of the risks to electronic PHI. "No current risk analysis" is one of the most commonly cited Security Rule findings — and one of the most expensive.

The good news: you do not need to be done. You need to be visibly in progress, with credible scope, ownership, and documentation. That alone changes how covered entities, auditors, and insurers view your risk posture.

The 7-step plan

1. Acknowledge the gap on paper

Write a one-page memo noting that an updated Security Risk Analysis is being initiated, who owns it, and the target completion date. This becomes the first artifact in your file.

2. Define the scope

List every system, location, vendor, and workforce role that touches ePHI. Without an explicit scope, the assessment will drift and never end.

3. Inventory ePHI flows

Walk through how ePHI enters, moves, is stored, and leaves your organization — EHR, billing, telehealth, email, backups, mobile devices.

4. Run a guided assessment

Use a guided platform (or a qualified consultant) so you are not interpreting every Security Rule requirement from a blank document.

5. Score, prioritize, and remediate

Rank findings by likelihood and impact. Track each item to closure — this is the "Risk Management" half of the rule that auditors actually look for.

6. Document everything

Decisions, dates, owners, and evidence. A risk analysis without documentation is, for audit purposes, no analysis at all.

7. Put it on a schedule

The Security Rule expects ongoing assessment. Set a recurring annual cadence — and trigger off-cycle reviews after major changes.

Reality check: the goal of step 1 is not paperwork theater. It is a written commitment with a date. That single artifact, dated today, changes the conversation if a covered entity, auditor, or insurer asks where you stand this week.

How HIPAA Security Suite helps

StepHow the platform helps
Define scope & inventoryGuided questionnaires walk you through systems, locations, vendors, and workforce.
Run the assessmentStructured Security Risk Analysis with built-in questions, scoring, and remediation suggestions.
Score & prioritizeFindings are ranked so you focus on what matters first.
Remediation trackingEvery finding gets an owner, due date, and evidence trail.
Technical safeguardsNSS Agent endpoint scanning, breached-credential monitoring, and CISA KEV tracking surface technical risks automatically.
Documentation & reportingAssessment history, remediation log, and audit-ready report — produced from one workspace.

Frequently asked questions

Is a HIPAA Security Risk Analysis required?

Yes. The HIPAA Security Rule requires covered entities and business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI.

What is the penalty for not having a current HIPAA risk assessment?

OCR can issue significant civil monetary penalties for HIPAA Security Rule violations, and "no current risk analysis" is among the most commonly cited findings. Penalties scale with the severity, scope, and culpability of the violation.

How long does a HIPAA risk assessment take?

With a guided platform, a small practice can complete an initial Security Risk Analysis in a matter of days of focused work plus follow-up remediation. Without one, it can take much longer.

What if a covered entity or auditor asks before we are done?

Document that an assessment is actively in progress with a defined scope, owner, timeline, and remediation plan. An in-progress program with credible evidence is dramatically better than a blank page.

Get your risk assessment moving this week

HIPAA Security Suite gives you a guided Security Risk Analysis, remediation tracking, technical-safeguard visibility, and audit-ready documentation in one workspace.