Should We Start With a HIPAA Security Risk Assessment?

A practical starting point for healthcare teams and business associates

Why the Risk Assessment Should Be Your First HIPAA Step

Yes. For most small healthcare practices, the HIPAA security risk assessment is the right place to start. It is not the only thing you need to do, but it is the one step that gives everything else a foundation.

Here is why: the security risk assessment tells you what you are actually working with. It identifies where protected health information (PHI) lives, who can access it, what protections are in place, and where the gaps are. Without that information, every other compliance activity — policies, training, vendor management — is built on assumptions instead of evidence.

Practices that skip the risk assessment and jump straight to writing policies end up with generic documents that do not reflect how the office actually operates. Training becomes a checkbox exercise with no connection to real vulnerabilities. Remediation has no anchor because nobody has identified the problems.

The regulatory basis is clear. 45 CFR 164.308(a)(1)(ii)(A) requires covered entities and business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. The rule's own term for this is "risk analysis"; HHS guidance and most practitioners call it the security risk assessment (SRA), and the two terms mean the same thing. It is not optional, and it is not something you do after everything else is in place. It is the starting point the rest of the Security Rule builds on, because the administrative, physical, and technical safeguards you choose are supposed to be sized to what the analysis finds.

For a small dental office, therapy practice, or billing company that is starting HIPAA compliance from scratch — or restarting after letting it lapse — the risk assessment is where you plant the flag and build from there.

What a Proper Assessment Must Cover

A HIPAA security risk assessment is not a questionnaire you fill out in twenty minutes. It is a structured review of your environment, your technology, your people, and your processes. Here is what it needs to cover.

  • Security controls — encryption on laptops and mobile devices, multi-factor authentication (MFA) on systems that access PHI, role-based access controls that limit who can see what. Encryption is what protects data at rest and in transit; MFA and role-based access limit who can reach it in the first place. Together these are the technical safeguards the assessment has to confirm are actually in place, not just written down.
  • Devices — every workstation, laptop, tablet, phone, and server that touches or stores PHI. This includes personal devices used for work, which small practices often overlook.
  • User access — who has access to which systems and why. Shared logins are a common finding in small offices. If three people use the same EHR login, there is no way to audit who did what.
  • Vendor relationships — cloud-based EHR platforms, IT support providers, billing services, email hosting, and any other vendor that creates, receives, maintains, or transmits PHI. Each of these requires a Business Associate Agreement and some level of security oversight.
  • Physical safeguards — who can walk into your office and access a workstation? Are paper records locked? Are screens positioned so patients in the waiting room cannot see them? Physical security matters as much as digital security.
  • Where PHI is stored or transmitted — EHR systems, email, fax machines, paper charts, cloud storage, text messages, voicemail. You cannot protect what you have not inventoried.

The blind spots for small practices are predictable. Staff using personal phones to photograph patient documents. Unencrypted email used to send lab results. Fax machines connected to the network with no access restrictions. These are the things a proper security risk assessment will surface.

How Findings Become a Remediation Plan

The risk assessment produces a list of findings. Each finding represents a gap between where you are and where HIPAA requires you to be. The next step is turning those findings into a remediation plan that your team can actually execute.

Each gap gets ranked by risk, which is a function of two factors: how likely the threat is and how much damage it would cause. A clinic with no encryption on laptops that leave the building faces a high-likelihood, high-impact risk. A policy document with formatting issues is low on both scales.

High-risk items with direct PHI exposure get fixed first. That means addressing missing encryption, enabling MFA on systems with patient data, eliminating shared logins, and replacing unencrypted communication channels. These are the findings that would cause the most harm in a breach and draw the most scrutiny in an audit.

Lower-priority items — policy updates, documentation formatting, minor procedural adjustments — get scheduled behind the critical fixes but still need owners and deadlines.

A complete remediation plan includes:

  • Policies — new or updated policies that address the specific gaps the assessment identified.
  • Training — targeted workforce training on the risks that are relevant to your environment, not generic HIPAA awareness videos.
  • Technical changes — configuration updates, new tools, access modifications, and encryption deployment.
  • Vendor follow-up — missing BAAs, vendor security reviews, or replacement of non-compliant tools.

Every item in the plan needs an owner and a target date. A remediation plan without accountability is a wish list. For a deeper look at how this process works, see how remediation works after a gap analysis.
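As an added illustration of the ranking and accountability rules described above (example code written for this article, not a tool from the page or from HHS): each finding is scored on a likelihood-by-impact matrix, the queue is sorted with direct PHI exposure first and highest score next, and any item that has no owner or no target date is flagged so the plan cannot quietly turn into a wish list. The 1-to-3 rating scale, the tier cut-offs, and the sample findings, owners, and dates are all assumptions constructed for the example.

```python
"""Turn SRA findings into a ranked remediation queue.

Added example for this article; not a tool from the page or from HHS.
Scoring convention (an assumption, one common qualitative matrix):
likelihood and impact are each rated low/medium/high (1..3) and the risk
score is their product. Findings, owners and dates are constructed sample
data, not real assessment results.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Finding:
    fid: str
    title: str
    likelihood: str          # "low" | "medium" | "high"
    impact: str              # "low" | "medium" | "high"
    phi_exposure: bool       # True if the gap exposes PHI directly
    category: str            # technical | policy | training | vendor | physical
    owner: Optional[str] = None
    due: Optional[date] = None

    @property
    def score(self) -> int:
        return risk_score(self.likelihood, self.impact)


def risk_score(likelihood: str, impact: str) -> int:
    """Likelihood x impact, 1..9. Raises KeyError on an unknown rating."""
    return LEVELS[likelihood] * LEVELS[impact]


def risk_tier(score: int) -> str:
    """Map a 1..9 score onto the tiers used when scheduling fixes (assumed cut-offs)."""
    if score >= 9:
        return "critical"
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def rank_findings(findings: list) -> list:
    """Order: direct PHI exposure first, then highest score, then id.

    This mirrors the rule that high-risk items with direct PHI exposure
    are fixed before everything else.
    """
    return sorted(findings, key=lambda f: (not f.phi_exposure, -f.score, f.fid))


def unassigned(findings: list) -> list:
    """Ids of findings with no owner or no target date: the 'wish list' check."""
    return [f.fid for f in findings if f.owner is None or f.due is None]


def remediation_plan(findings: list) -> list:
    """Ranked rows a team can put straight into a tracker."""
    rows = []
    for rank, f in enumerate(rank_findings(findings), start=1):
        rows.append({
            "rank": rank,
            "id": f.fid,
            "tier": risk_tier(f.score),
            "score": f.score,
            "phi_exposure": f.phi_exposure,
            "category": f.category,
            "title": f.title,
            "owner": f.owner or "UNASSIGNED",
            "due": f.due.isoformat() if f.due else "NO DATE",
        })
    return rows


# Constructed sample findings for a small clinic (not real results).
SAMPLE_FINDINGS = [
    Finding("F-01", "Laptops leave the building without full-disk encryption",
            "high", "high", True, "technical", "IT vendor", date(2025, 2, 15)),
    Finding("F-02", "Front desk shares one EHR login",
            "high", "high", True, "technical", "Office manager", date(2025, 2, 1)),
    Finding("F-03", "Lab results sent by unencrypted email",
            "medium", "high", True, "technical", "IT vendor", date(2025, 3, 1)),
    Finding("F-04", "No BAA on file for email hosting provider",
            "medium", "high", False, "vendor", "Practice owner", date(2025, 3, 15)),
    Finding("F-05", "Sanctions policy uses outdated template formatting",
            "low", "low", False, "policy"),   # no owner, no date: gets flagged
    Finding("F-06", "Reception monitor visible from the waiting room",
            "medium", "medium", True, "physical", "Office manager", date(2025, 2, 28)),
]

if __name__ == "__main__":
    for row in remediation_plan(SAMPLE_FINDINGS):
        print(f"{row['rank']}. [{row['tier']:8}] {row['id']} {row['title']}"
              f" -> {row['owner']} by {row['due']}")
    print("Findings without an owner or date:", unassigned(SAMPLE_FINDINGS))
```

The sort key puts the missing-BAA item (F-04) behind the waiting-room screen finding (F-06) even though F-04 scores higher, because the queue is ordered on direct PHI exposure before score; if your practice weighs contractual exposure differently, that key is the one line to change. The `unassigned` check is the part worth wiring into whatever tracker you use, since an item with no owner is exactly what an auditor reads as a plan that is not real.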

What Proof to Save After the Assessment

The risk assessment is only useful if you can prove you did it and prove you acted on it. Auditors do not give credit for work that was never documented.

Here is what to keep:

  • The SRA (security risk assessment) report itself — dated and signed by the person or team that conducted it. It should reference the specific systems, locations, and workflows that were evaluated, so a reader can tell what was in scope and what was not.
  • The remediation plan with assigned owners and target dates — showing that each finding was triaged, prioritized, and assigned to someone with a deadline.
  • Updated policies that resulted from findings — if the SRA identified a missing encryption policy, the new encryption policy should reference the assessment that triggered it.
  • Training records for issues the SRA uncovered — if the assessment found that staff were using personal devices without authorization, the training that followed should be documented with dates, attendees, and topics.
  • Vendor actions taken — new BAAs signed, tools replaced, vendor security questionnaires completed. Anything that resulted from a vendor-related finding needs a record.

The reason dated records matter is that auditors want to see progression. They want to trace a line from the finding to the fix. A risk assessment that sits in a folder with no follow-up tells an auditor the program is not real. A risk assessment with a remediation plan, updated policies, training records, and vendor documentation tells them it is. For the full list of documentation auditors expect, see what auditors expect to see.

When to Bring in Outside Help

Not every practice needs a consultant to conduct a risk assessment. But most small practices benefit from one, and some genuinely need one.

Here are the trigger points:

  • No internal HIPAA owner or compliance lead — if nobody on staff has been designated as the person responsible for HIPAA, the assessment will not happen on its own. And even if it does, there is no one to drive the remediation plan.
  • Gaps that repeat year after year — if the same findings show up in every assessment and nothing changes, the problem is not the assessment. It is the follow-through. Outside accountability changes the dynamic.
  • Vendor complexity — practices using multiple cloud platforms, outsourced IT support, third-party billing services, and hosted EHR systems have a larger attack surface and more BAA relationships to manage. Sorting through that without experience is slow and error-prone.
  • Never had a formal SRA — if the practice has been operating for years without a proper security risk assessment, the first one is the hardest. There is no baseline, no prior documentation, and usually a backlog of issues to address.

Bringing in a consultant is not about handing off responsibility. It is about getting the assessment done correctly the first time, with a remediation plan that reflects your actual environment and a process you can maintain going forward. For clinics and vendors that need done-with-you support — not a product pitch — the right consultant works alongside your team, builds your internal capability, and leaves you with a program you can run on your own.

FAQs

Is a HIPAA risk assessment legally required for small practices?

Yes. The HIPAA Security Rule requires every covered entity and business associate to conduct a security risk assessment, regardless of size. There is no exemption for small practices. The scope of the assessment should be proportional to the size and complexity of the organization, but the requirement itself applies to everyone. It is codified in 45 CFR 164.308(a)(1)(ii)(A).

Can we do the risk assessment ourselves or do we need a consultant?

You can do it yourself if you have someone on staff who understands the Security Rule requirements and can objectively evaluate your environment. HHS offers a free Security Risk Assessment Tool for small practices. The challenge is not the tool — it is the expertise to interpret findings, rank risks accurately, and build a remediation plan that actually gets executed. Many small practices find that a consultant accelerates the process and catches blind spots that internal teams miss.

How long does a risk assessment take for a small office?

For a small practice with one or two locations and fewer than twenty employees, a thorough risk assessment typically takes two to four weeks from start to finished report. That includes the initial data gathering, interviews with key staff, system and device inventory, analysis, and report writing. The timeline can stretch if documentation is scattered or if the practice has never done a formal assessment before.

What is the difference between a risk assessment and a gap analysis?

A risk assessment evaluates threats and vulnerabilities to ePHI and assigns risk levels based on likelihood and impact. It is a Security Rule requirement. A gap analysis is a broader review that compares your entire HIPAA program — policies, procedures, training, vendor management — against the full set of regulatory requirements. The risk assessment focuses on security risks. The gap analysis covers operational compliance across all three HIPAA rules. Most practices benefit from doing the risk assessment first, then using a gap analysis to address everything else.

Conclusion

One Guy Consulting helps small healthcare practices and business associates conduct thorough HIPAA security risk assessments and build practical remediation plans. Book a free 30-minute intro to talk through your situation and figure out where to start.
