The HIPAA Risk Assessment Is the First Thing OCR Looks For
When the Office for Civil Rights investigates a breach or complaint, they ask for your risk assessment first. Not your policies. Not your training logs. Your risk assessment. If you cannot produce one, OCR will flag that as a violation.
An outdated or incomplete assessment is almost as bad. A generic template you filled in quickly will not pass scrutiny. OCR expects a detailed, practice-specific analysis. It must cover every system, every threat, and every weakness. A three-page checklist will not work.
This guide shows what a risk assessment actually covers. It explains how to think about the process. Most importantly, it shows where DIY approaches fail. If you want a free starting point, read on. If you realize this is bigger than expected, OGC offers a security risk assessment service for exactly that situation.
What Is a HIPAA Risk Assessment
A HIPAA risk assessment identifies, analyzes, and documents the risks to your electronic protected health information (ePHI). This is not a one-time task. It is ongoing work that forms the foundation of your entire HIPAA compliance program.
The legal requirement is in the HIPAA Security Rule at 45 CFR 164.308(a)(1)(ii)(A). This regulation requires you to:
- Conduct a thorough assessment of risks to ePHI confidentiality, integrity, and availability
- Document the assessment in writing
- Implement security measures to reduce risks to acceptable levels
- Keep records of the assessment and measures you implement
The rule does not dictate a specific format or method. That is intentional. A solo dental practice faces different risks than a behavioral health group with 200 employees. But flexibility does not mean you can skip the work. OCR has published detailed guidance on what a compliant assessment looks like. They hold all organizations to that standard regardless of size.
To understand the risk assessment, you need to know the bigger Security Rule picture. The HIPAA Security Rule compliance guide covers all the requirements. The risk assessment is how you figure out which safeguards your organization actually needs.
What a Risk Assessment Must Include
HHS has published guidance on what a compliant assessment must cover. Each area below is required. If your current assessment is missing any of these, it is incomplete by federal standards.
Asset Inventory
You cannot assess risk if you do not know where ePHI lives. Start by listing every system, device, application, and location that handles ePHI.
This includes obvious items like your EHR and practice management software. But it also includes less obvious ones: fax machines that receive referrals, laptops used for telehealth, phones used for appointment reminders, cloud storage for billing documents, and portable devices like tablets or external drives.
For each item, document what ePHI it holds. Note who has access. Show how it connects to other systems. List the controls already in place. Most practices are surprised how many systems appear once they work through this systematically.
Threat Identification
A threat is any event that could harm your ePHI. Threats can be human or environmental. They can be intentional or accidental.
Common healthcare threats include:
- Ransomware and malware attacks
- Phishing emails targeting your staff
- Unauthorized access by employees
- Theft of laptops, phones, or storage devices
- Vendor or business associate breaches
- Natural disasters affecting servers or filing systems
- Power outages causing data loss
- Accidental disclosure by staff (wrong fax number, misdirected email)
- System misconfigurations that expose data
Your threat list should fit your environment. A practice in a flood zone has different physical threats than one in a high-rise. Cloud-based EHRs have different technical threats than on-premises servers.
Vulnerability Assessment
A vulnerability is a weakness that a threat could exploit. Identifying threats shows what could go wrong. Identifying vulnerabilities shows how it could happen.
Vulnerabilities include outdated software with unpatched flaws. Weak passwords. No multi-factor authentication. Unencrypted laptops. Poor staff training. Missing Business Associate Agreements. Weak physical access controls. Start with a HIPAA gap analysis to identify which of these apply to your organization, then use a structured remediation plan to close the gaps.
For each system and threat combination, ask: what weaknesses exist? How could this threat succeed? Encryption requirements matter here. An unencrypted device becomes much riskier if it gets stolen.
Current Controls
Document what controls you already have. Before you can measure risk, you need a baseline. Current controls include technical safeguards (firewalls, encryption, access logs). They include administrative safeguards (policies, training, agreements). They include physical safeguards (locks, visitor logs, workstation placement).
This step gives you a realistic picture of where you stand today. It directly affects the next step, because your current controls determine whether a threat will likely succeed.
Likelihood and Impact Rating
For each threat-vulnerability pair, assign two ratings: likelihood and impact.
Likelihood is the probability that a threat will exploit a vulnerability, given what you have in place. HHS suggests rating this as high, medium, or low. Many organizations use numbers (1-5 or 1-10) instead.
Impact measures the harm if the threat succeeds. Consider the sensitivity of the ePHI. Count how many records are at risk. Think about patient harm. Include financial and reputation damage. Include operational disruption.
These ratings require judgment. Document your reasoning for each one. Do not assign "low" to everything to avoid more work. OCR looks for evidence that you actually did the analysis.
Risk Level Determination
Combine likelihood and impact to get an overall risk level for each threat-vulnerability pair. Most frameworks use a risk matrix. High likelihood plus high impact equals critical or high risk. Low likelihood plus low impact equals low risk.
Risk level drives what you fix first. A critical risk needs immediate action. A low risk may be acceptable to monitor, as long as you document that decision.
Remediation Plan
The assessment is not complete when you finish analyzing. You must document what you will do about each risk.
For each medium or high risk, document the control you will add, who is responsible, when it will be done, and what risk will remain afterward. This plan is a living document. Update it as you implement controls and discover new risks.
Most free templates stop at risk ratings. The remediation plan is where the real work happens. It is also where documentation gaps show up during OCR investigations.
A Step-by-Step Framework
HHS guidance aligns with the NIST Special Publication 800-30 framework for security risk assessments. Below is a nine-step process. This is not a template to fill in. It describes what each step involves.
Step 1 - Define the scope. List all organizational units, locations, and systems that handle ePHI. Document what is in scope and what is out of scope with reasons. A single-location practice may include every system. A multi-site organization may divide by location or department.
Step 2 - Collect data. Gather documentation on all in-scope systems. This includes network diagrams, vendor contracts, data flow diagrams, existing policies, prior audits, and available system logs. Build an accurate picture of your environment before you analyze it.
Step 3 - Identify and document ePHI. For each system and location, document what ePHI lives there. Note the format (electronic, paper, verbal). Record the volume and sensitivity level. Show how information flows between systems.
Step 4 - Identify threats. Use your asset inventory and ePHI documentation to identify realistic threats to each asset. Reference threat lists from NIST and HHS. Add threats specific to your environment, your geography, and your workforce.
Step 5 - Identify vulnerabilities. For each threat, identify weaknesses that could allow it to succeed. Use vulnerability databases like NIST NVD for technical flaws. Review policies and observe your sites to identify administrative and physical weaknesses.
Step 6 - Assess current controls. Document all existing technical, administrative, and physical safeguards. Evaluate whether each control is fully implemented, partially implemented, or just planned. A control that exists on paper but is not enforced does not reduce actual risk.
Step 7 - Determine likelihood and impact. For each threat-vulnerability pair, rate likelihood and impact using your scale. Document your reasoning for each rating. Ratings without reasoning will not survive scrutiny.
Step 8 - Determine risk levels. Apply your risk matrix to combine likelihood and impact. Create a prioritized list of risks from highest to lowest.
Step 9 - Document and implement remediation. For each risk, decide: will you mitigate it (add a new control)? Will you transfer it (shift responsibility to a vendor)? Will you accept it (formally acknowledge it as acceptable)? Will you avoid it (change the process to eliminate it)? For mitigation actions, document the responsible party, timeline, and expected remaining risk.
This process is significant work. A solo practice with simple technology might spend 8-12 hours. A group practice or multi-site organization might take weeks. The detailed guide on conducting a risk assessment covers each step with practical examples.
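As an added illustration of steps 7 through 9 and of the likelihood, impact and risk level sections above (example code written for this guide, not part of it and not from any HHS tool): a small Python risk register that applies a three-by-three matrix on the HHS high/medium/low scale, orders risks for remediation, and reports which remediation-plan fields are missing for each entry. The matrix cut-offs, the register fields and the sample entries are assumptions.

```python
# Constructed example: risk matrix, prioritized register, and remediation-field checks.
from dataclasses import dataclass
from datetime import date
from typing import Optional

RATING = {"low": 1, "medium": 2, "high": 3}  # HHS high/medium/low scale
TREATMENTS = {"mitigate", "transfer", "accept", "avoid"}  # step 9 options

def risk_level(likelihood: str, impact: str) -> str:
    """3x3 risk matrix: product of the two ratings mapped to a risk level (assumed cut-offs)."""
    score = RATING[likelihood] * RATING[impact]
    if score >= 9:
        return "critical"  # high likelihood and high impact
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"

@dataclass
class RiskEntry:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    rationale: str  # why these ratings; ratings without reasoning fail scrutiny
    treatment: str = "mitigate"
    owner: Optional[str] = None
    due: Optional[date] = None
    residual: Optional[tuple] = None  # (likelihood, impact) expected after the fix

    @property
    def level(self) -> str:
        return risk_level(self.likelihood, self.impact)

def documentation_gaps(entry: RiskEntry) -> list:
    """List the remediation-plan fields that are missing for one register entry."""
    gaps = []
    if not entry.rationale.strip():
        gaps.append("no rationale for likelihood/impact ratings")
    if entry.treatment == "mitigate":
        if not entry.owner:
            gaps.append("mitigation has no responsible party")
        if entry.due is None:
            gaps.append("mitigation has no target date")
        if entry.residual is None:
            gaps.append("no expected residual risk recorded")
    elif entry.treatment == "accept" and entry.level in ("high", "critical"):
        gaps.append(f"{entry.level} risk accepted rather than mitigated")
    return gaps

def prioritized(register: list) -> list:
    """Highest risk first: the order the remediation plan should follow."""
    return sorted(register, key=lambda e: RATING[e.likelihood] * RATING[e.impact], reverse=True)

# Constructed sample register for a hypothetical practice (not real findings).
SAMPLE_REGISTER = [
    RiskEntry("telehealth laptop", "theft of device", "disk not encrypted",
              "medium", "high", "laptops leave the office weekly; patient list cached locally",
              owner="IT lead", due=date(2026, 3, 31), residual=("medium", "low")),
    RiskEntry("fax machine", "misdirected referral", "no number confirmation step",
              "high", "low", "one or two records per fax; prior near-misses logged",
              treatment="accept"),
    RiskEntry("billing vendor", "vendor breach", "BAA on file but controls never verified",
              "medium", "high", "", treatment="mitigate"),
]
```

Running `documentation_gaps` over every entry in `prioritized(SAMPLE_REGISTER)` reproduces the check OCR applies: a rated risk with no owner, date, residual risk or rationale is an analysis without a remediation plan.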
Why Free Templates Often Fall Short
Free risk assessment templates are easy to find. HHS publishes one. NIST has guidance. Dozens of vendors offer downloadable spreadsheets and Word documents. The problem is not the templates. It is how practices use them.
Generic templates do not fit your practice. A pediatric solo practice has different risks than a behavioral health group with 15 clinicians. A generic template cannot account for your specific systems, threats, or patient population. When you fill one in, you force your situation into someone else's framework. The gaps you create are exactly what OCR finds.
Most templates treat this as one-time work. They provide fields to fill in. They offer no way to track remediation over time. There is no process for annual updates. There is no mechanism for documenting changes that trigger a new assessment. HIPAA requires ongoing risk management, not a document you complete once and file away.
Free templates skip remediation tracking. A risk assessment has two parts: the analysis, where you identify threats and rate likelihood and impact, and the remediation, where you document what you will do about each risk and track completion. Many templates stop at the rating step. They provide no structure for the remediation plan, assignment of responsibilities, or completion tracking.
They will not hold up in an OCR audit. OCR looks for evidence of genuine analysis. Identical ratings across every category, or a threat list that could apply to any organization, are red flags. A template-like assessment signals you went through the motions instead of doing the work. An audit will likely find compliance gaps.
Business associates and vendors are often missing. Most free templates focus on internal systems. They overlook third-party risk. Your EHR vendor, billing company, IT provider, and any other business associate that handles ePHI are part of your risk. The most common HIPAA violations include inadequate vendor oversight. A template that ignores business associate risk will miss this entirely.
The HIPAA compliance checklist is useful to confirm which requirements you have addressed. But a checklist is not a substitute for a risk assessment. A checklist shows whether something is done. A risk assessment shows whether it is sufficient.
Common Risk Assessment Mistakes
Even organizations that complete a risk assessment often make mistakes that undermine it. These are the most common ones.
Treating It as a One-Time Task
HIPAA requires ongoing risk management. The Security Rule explicitly requires reassessment when your environment or operations change. Completing an assessment in 2022 and never updating it does not meet the requirement in 2026.
Practices often complete their first assessment to pass an audit. Then they never touch it again. When a breach happens two years later, the outdated assessment can work against them. It shows they identified risks but took no action to update controls as their environment changed.
Ignoring Physical Risks
The HIPAA Security Rule covers confidentiality, integrity, and availability of ePHI. Physical risks are in scope. Stolen devices. Unauthorized physical access to server rooms. Workstations visible to patients in waiting areas. Unsecured paper records.
Technology-focused organizations tend to excel at technical risk assessment. They often do weak physical assessments. A practice with strong passwords and encrypted laptops but a visible workstation in the waiting room has an incomplete picture. Physical safeguards exist in the Security Rule for a reason.
Skipping Business Associates
Your business associates are part of your risk. If your billing company is breached, your patients' ePHI is exposed. You are responsible for ensuring a Business Associate Agreement is in place. You must verify the vendor has adequate security controls.
A complete risk assessment includes all business associate relationships. Who are they? What ePHI do they access? What agreements do you have? What controls do they have in place? Many practices have agreements on file but have never verified whether the vendor's actual security matches what the agreement requires.
Not Documenting Remediation
Identifying risks is necessary. But it is not sufficient. The remediation plan is what turns the assessment from a compliance exercise into actual risk reduction. Assign responsibilities. Set timelines. Plan follow-up activities.
Organizations that do thorough analysis but skip remediation documentation are in trouble if OCR investigates. You can show you knew about the risks. You cannot show you did anything. The HIPAA violations and penalties guide makes clear why remediation matters. "We identified the risk but did not address it" is not a defense.
Using a Checklist Instead of an Analysis
A checklist confirms whether a control exists. An analysis evaluates whether the control is adequate for your specific risks. These are different activities.
A practice can answer "yes" to every checklist item and still have unacceptable risks. The controls in place must be sized for the threats you face. Risk assessment requires analysis. It requires you to reason about likelihood and impact in your specific environment. It is not just confirmation that certain policies exist.
How Often Should You Update Your Risk Assessment
The Security Rule requires periodic review and update. HHS guidance and OCR enforcement have established clear triggers.
At a minimum, annually. Even if nothing has changed, an annual review is best practice. OCR increasingly expects it. The annual review confirms your assessment reflects your current environment. It verifies all remediation actions are on track.
After any significant environmental change. Adding a new EHR or practice management system. Migrating to cloud storage. Opening a new location. Bringing on a new business associate. Implementing a new telehealth platform. Major network infrastructure changes. Each alters your risk surface. New threats or vulnerabilities may emerge that your assessment does not cover.
After any security incident or breach. A breach shows your controls were insufficient. After any incident - whether reportable or not - revisit your assessment. Identify what controls failed. Find what new risks were exposed. Decide what needs to change. Operating from a pre-breach assessment after a known incident is a compliance failure.
After significant workforce changes. Adding staff. Experiencing turnover. Changing roles and access. These alter your risk profile. Growing from 5 to 25 employees creates different insider threats than your original team faced.
The HIPAA compliance starter kit for small practices covers minimum ongoing maintenance. Risk assessment updates are core to that cycle. Your compliance budget should include the cost of assessment updates. The HIPAA compliance cost breakdown shows what practices typically spend on assessments - DIY or professional - and how these costs compare to breach costs or OCR fines.
Frequently Asked Questions
Is a HIPAA risk assessment the same as a HIPAA audit?
No. A risk assessment is proactive and internal. You conduct it to identify and address ePHI risks. An audit is external review by OCR, a compliance officer, or a third party. It evaluates whether you have met HIPAA requirements. An audit will verify you did a risk assessment. But they are different activities.
Does a small practice really need a full risk assessment?
Yes. The HIPAA Security Rule applies to all covered entities regardless of size. The requirement scales. A smaller practice may have fewer assets and simpler workflows, which makes the assessment shorter. But the requirement to conduct, document, and act on a risk assessment is the same for everyone. OCR has fined solo practitioners and small groups for failure to conduct assessments. Size is not a defense.
Can I use the HHS Security Risk Assessment Tool?
The HHS SRA Tool is a good starting point. It is better than many templates because it was designed specifically for HIPAA. But using the tool requires meaningful analysis. You cannot simply click through the questions without substantive reasoning about your environment. The tool requires you to add remediation tracking on top of what it generates. For small and medium practices, it can work if you invest the time. For complex environments, professional help usually produces more defensible results.
What happens if I do not have a risk assessment and get audited?
Failure to conduct a risk assessment violates 45 CFR 164.308(a)(1)(ii)(A). In every reported OCR settlement involving a missing or inadequate assessment, the organization paid a penalty. Fines range from tens of thousands for small practices to millions for larger ones. OCR also typically requires a corrective action plan - a multi-year compliance program with ongoing monitoring and reporting.
How is a risk assessment different from a gap analysis?
A gap analysis compares your current compliance against the full HIPAA Security Rule and identifies shortfalls. A risk assessment focuses on threats and vulnerabilities to ePHI and the controls you need. In practice, they overlap significantly. A thorough risk assessment will surface many of the same gaps. Our HIPAA gap analysis guide walks through the gap analysis process step by step for small practices. The OGC Security Risk Assessment combines both approaches. It produces a compliant risk assessment and identifies your compliance gaps in a single engagement.
The Bottom Line on Risk Assessment Templates
A risk assessment template can help you understand the process structure. This guide has walked through what a compliant assessment covers. It describes the nine steps involved in thorough analysis.
But understanding the structure and completing a compliant assessment are different. The analysis work requires genuine, documented judgment. You must assess likelihood and impact for your specific environment. You must identify vulnerabilities in your actual systems. You must track remediation over time. You cannot do this by filling in a form.
Most practices that use a free template end up with a document that records their effort more than their actual risk. It may check an internal box. It will not satisfy OCR.
If you are ready to complete a risk assessment that will hold up, choose one that covers all required components. Make it specific to your practice. Include a documented remediation plan. OGC offers a Security Risk Assessment service built for exactly this. It is a professional, structured engagement. It produces the documentation OCR expects. It gives you a clear roadmap for closing your compliance gaps.
If you want to know where you stand before committing to a full assessment, the HIPAA compliance checklist is a useful starting point for finding obvious gaps.
What Your Risk Assessment Report Should Include
When OCR requests your risk assessment documentation, they expect a structured, audit-ready report. At minimum, your report should include:
- Executive Summary. A high-level overview of scope, methodology, key findings, and overall risk posture.
- Methodology Description. How the assessment was conducted, who participated, what tools or frameworks were used, and the time period covered.
- Asset and ePHI Inventory. A complete list of systems, applications, and locations where ePHI is created, received, maintained, or transmitted.
- Threat and Vulnerability Analysis. Identified threats paired with vulnerabilities, rated for likelihood and impact.
- Current Safeguard Evaluation. Documentation of existing administrative, physical, and technical safeguards and their effectiveness against identified threats.
- Risk Register. A prioritized list of all identified risks with risk levels, assigned owners, and remediation status.
- Remediation Plan. Specific action items with target completion dates, responsible parties, and resource requirements.
- Appendices. Supporting documentation including interview notes, scan results, policy references, and prior assessment comparisons.
The risk assessment is not optional. It is the foundation for every other HIPAA requirement. Getting it right from the start - with proper documentation and analysis - costs far less than fixing it after an incident or audit.
Risk Assessment Documentation Requirements
OCR expects specific elements in every risk assessment. Missing any of these during an investigation can result in a finding that no adequate risk analysis was conducted.
| Required Element | CFR Reference | What OCR Looks For |
|---|---|---|
| ePHI inventory | 164.308(a)(1)(ii)(A) | Documented list of all systems, applications, and locations where ePHI is created, received, maintained, or transmitted |
| Threat identification | 164.308(a)(1)(ii)(A) | Catalog of reasonably anticipated threats (natural, human, environmental) to each ePHI location |
| Vulnerability assessment | 164.308(a)(1)(ii)(A) | Analysis of current safeguard effectiveness against each identified threat |
| Likelihood and impact ratings | 164.308(a)(1)(ii)(A) | Quantitative or qualitative scoring of risk probability and potential harm |
| Risk level determination | 164.308(a)(1)(ii)(A) | Combined risk score for each threat-vulnerability pair with prioritization |
| Remediation plan | 164.308(a)(1)(ii)(B) | Documented action items, responsible parties, and target completion dates for each identified risk |
| Review and update schedule | 164.308(a)(8) | Evidence of periodic review and updates when operational or environmental changes occur |
Key stat: Under 45 CFR 164.308(a)(1)(ii)(A), the HIPAA Security Rule requires an accurate and thorough risk assessment of potential threats and vulnerabilities to ePHI. The failure to conduct a risk assessment is the single most-cited finding in OCR enforcement actions, appearing in over 80% of resolution agreements since 2016.