HIPAA Risk Assessment Template: Free Guide for 2026

Practical guidance for healthcare teams and business associates

The HIPAA Risk Assessment Is the First Thing OCR Looks For

When the Office for Civil Rights investigates a HIPAA breach or complaint, the first document they request is your Security Risk Assessment. Not your policies. Not your training logs. Your risk assessment. If you cannot produce one - or if yours is outdated, incomplete, or clearly copied from a generic template - that alone can trigger a finding.

Yet the risk assessment is one of the most commonly skipped requirements in healthcare. Many small practices either never complete one, or they download a free template, fill in a few fields, and call it done. That approach almost never holds up. OCR expects a documented, practice-specific analysis that covers every system, every threat, every vulnerability, and every remediation action. A three-page checklist will not satisfy that standard.

This guide walks through what a HIPAA risk assessment actually covers, how to think about the process, and where most DIY approaches fall apart. If you are looking for a free starting point, this article will show you the full scope of what is involved. If you realize the process is more involved than expected, the OGC Security Risk Assessment service is built for exactly that situation.

What Is a HIPAA Risk Assessment

A HIPAA risk assessment is a formal process for identifying, analyzing, and documenting the risks to electronic protected health information (ePHI) in your organization. It is not a one-time audit. It is an ongoing management activity that forms the foundation of your entire HIPAA Security Rule compliance program.

The legal basis comes from the HIPAA Security Rule at 45 CFR 164.308(a)(1)(ii)(A). That regulation requires covered entities and business associates to:

  • Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI
  • Document the assessment in writing
  • Implement security measures to reduce risks to a reasonable and appropriate level
  • Maintain documentation of the assessment and any security measures implemented

The regulation does not prescribe a specific format or methodology. That flexibility is intentional - a solo dental practice has different risks than a 200-person behavioral health group. But the flexibility is not a free pass. OCR has published detailed guidance on what a compliant risk assessment looks like, and they hold organizations to that standard regardless of size.

Understanding the Security Rule itself helps put the risk assessment in context. The HIPAA Security Rule compliance guide covers the full framework - administrative, physical, and technical safeguards - and the risk assessment is the process that tells you which safeguards your organization actually needs.

What a Risk Assessment Must Include

HHS has published guidance stating that a compliant risk assessment must address several specific areas. Each area below is a required component, not optional. If your current risk assessment is missing any of these, it is incomplete by federal standards.

Asset Inventory

You cannot assess risk to ePHI if you do not know where ePHI lives. The first component is a complete inventory of every system, device, application, and location that creates, receives, maintains, or transmits ePHI.

This includes obvious systems like your EHR and practice management software. It also includes less obvious ones: fax machines that receive referrals, laptops used for telehealth, smartphones used for appointment reminders, cloud storage used for billing documents, and any portable devices like tablets or external hard drives.

For each asset, you document what ePHI it holds, who has access, how it connects to other systems, and what controls are currently in place. Most practices are surprised by how many systems show up on this list once they work through it systematically.

Threat Identification

A threat is any event or circumstance that could cause harm to your ePHI. Threats can be human or environmental, intentional or accidental.

Common threats in healthcare include:

  • Ransomware and malware attacks
  • Phishing and social engineering targeting staff
  • Unauthorized access by workforce members
  • Theft of laptops, phones, or storage media
  • Vendor or business associate breaches
  • Natural disasters affecting server rooms or filing systems
  • Power outages causing data loss
  • Accidental disclosure by staff (wrong fax number, misdirected email)
  • System misconfigurations that expose data

Your threat list should be specific to your environment. A practice in a flood zone has different physical threats than one in a high-rise. A practice using cloud-based EHR has different technical threats than one running on-premises servers.

Vulnerability Assessment

A vulnerability is a weakness in your systems, processes, or controls that a threat could exploit. Identifying threats tells you what could go wrong. Identifying vulnerabilities tells you how it could happen.

Examples of vulnerabilities include outdated software with unpatched security flaws, weak password policies, lack of multi-factor authentication, unencrypted laptops, inadequate workforce training, missing Business Associate Agreements, and physical access controls that are not enforced.

The vulnerability assessment looks at each asset and threat combination and asks: what weaknesses exist that could allow this threat to succeed? This is where encryption requirements become relevant - an unencrypted device is a vulnerability that makes the threat of theft significantly worse.

Current Controls

Before you can determine how risky a situation is, you need to document what controls you already have in place. Current controls include technical controls (firewalls, encryption, access logging), administrative controls (policies, training programs, workforce agreements), and physical controls (door locks, visitor logs, workstation positioning).

This component gives you a realistic picture of your starting point. It also feeds directly into the next step - because the effectiveness of your current controls affects how likely a threat is to succeed.

Likelihood and Impact Rating

For each threat-vulnerability pair, you assign two ratings: likelihood and impact.

Likelihood is the probability that a given threat will successfully exploit a vulnerability, given your current controls. The HHS guidance suggests rating likelihood as high, medium, or low - though many organizations use numerical scales (1-5 or 1-10) to make the analysis more precise.

Impact is the magnitude of harm that would result if the threat succeeded. Impact considers the sensitivity of the ePHI involved, the number of records at risk, the potential for patient harm, the financial and reputational consequences, and the operational disruption that would follow.

These ratings are judgment calls, but they need to be documented with reasoning. You cannot simply assign "low" to everything to avoid follow-up work. OCR looks for evidence that the analysis was genuine and specific to your organization.

Risk Level Determination

Once you have likelihood and impact ratings, you combine them to determine an overall risk level for each threat-vulnerability pair. Most frameworks use a risk matrix where high likelihood combined with high impact produces a critical or high risk, while low likelihood combined with low impact produces a low risk.

The risk level drives prioritization. You use it to decide where to focus remediation efforts first. A critical risk needs immediate attention. A low risk may be acceptable to monitor without immediate action, as long as you document that decision.

Remediation Plan

The risk assessment is not complete when you finish the analysis. The final required component is a remediation plan - documented actions you will take to reduce unacceptable risks to a reasonable level.

For each risk rated medium or higher, you document: the control you will implement, who is responsible, the target completion date, and the expected residual risk after the control is in place. This plan becomes a living document that you update as controls are implemented and new risks emerge.

Most free templates stop at the risk rating step. The remediation plan is where the real compliance work happens - and where documentation gaps most often appear during OCR investigations.

A Step-by-Step Framework

The HHS guidance for HIPAA risk assessments aligns closely with the NIST Special Publication 800-30 framework for information security risk assessments. Below is a nine-step process drawn from both sources. This is not a template you fill out - it is a description of what each step involves so you understand the full scope before choosing how to proceed.

Step 1 - Define the scope. Identify all organizational units, locations, and systems that handle ePHI. Document what is in scope and what is out of scope, with justification for any exclusions. A single-location practice may include every system. A multi-site organization may scope by location or department.

Step 2 - Collect data. Gather documentation on all in-scope systems. This includes network diagrams, vendor contracts, data flow diagrams, existing policies, prior audit results, and any available system logs. The goal is to build an accurate picture of your current environment before you start analyzing it.

Step 3 - Identify and document ePHI. For each system and location in scope, document what ePHI is created, received, maintained, or transmitted. Include the format (electronic, paper, verbal), the volume, the sensitivity level, and the flow of information between systems.

Step 4 - Identify threats. Using your asset inventory and ePHI documentation, identify all realistic threats to each asset. Reference threat catalogs from NIST, HHS, and industry sources. Supplement with your own knowledge of your environment, geographic risks, and workforce risks.

Step 5 - Identify vulnerabilities. For each threat, identify what weaknesses in your systems or controls could allow that threat to succeed. Cross-reference vulnerability databases (like NIST NVD) for technical vulnerabilities. Assess administrative and physical vulnerabilities through policy review and site observation.

Step 6 - Assess current controls. Document all existing technical, administrative, and physical safeguards. Evaluate whether each control is fully implemented, partially implemented, or planned. A control that exists on paper but is not enforced does not reduce risk in practice.

Step 7 - Determine likelihood and impact. For each threat-vulnerability pair, rate likelihood and impact using your chosen scale. Document the reasoning for each rating. Ratings without reasoning will not hold up under scrutiny.

Step 8 - Determine risk levels. Apply your risk matrix to combine likelihood and impact into a risk level for each threat-vulnerability pair. Produce a prioritized list of risks from highest to lowest.

Step 9 - Document and implement remediation. For each identified risk, document whether you will mitigate it (implement a new control), transfer it (shift responsibility to a vendor or insurer), accept it (formally acknowledge the risk as acceptable), or avoid it (change the process to eliminate the risk). For mitigation actions, document the responsible party, timeline, and expected residual risk.

This nine-step process is a significant undertaking. For a solo practice with a simple technology environment, it might take 8-12 hours of focused work. For a group practice or multi-site organization, it can take weeks. The detailed guide on conducting a HIPAA risk assessment covers each step in depth with practical examples.

Why Free Templates Often Fall Short

Free HIPAA risk assessment templates are widely available. HHS has published one. NIST has published guidance. Dozens of vendors offer downloadable spreadsheets and Word documents. The problem is not that these resources exist - it is how practices typically use them.

Generic templates are not tailored to your practice size or specialty. A pediatric practice in a solo office has fundamentally different risks than a behavioral health group with 15 clinicians. A template designed for general use cannot account for the specific systems you use, the specific threats relevant to your environment, or the specific patient population you serve. When you fill in a generic template, you are mapping your situation onto someone else's framework - and the gaps that result may be exactly what OCR finds.

Most templates treat the assessment as a one-time snapshot. They provide fields to fill in, but no mechanism for tracking remediation over time, no process for annual updates, and no structure for documenting changes to your environment that trigger a new assessment. The HIPAA Security Rule requires ongoing risk management, not a document you complete once and file away.

Free templates rarely include remediation tracking. The analysis portion of a risk assessment - identifying threats and rating likelihood - is only the first half of the requirement. The second half is documenting what you will do about each risk and following through. Many templates stop at the rating step and provide no structure for the remediation plan, assignment of responsibilities, or tracking of completion.

They will not hold up in an audit. When OCR reviews a risk assessment, they look for evidence of genuine analysis - not a filled-in form with identical ratings across all categories, or a document where the same generic threats are listed for every organization regardless of environment. A risk assessment that looks like a template rather than a real analysis signals that the organization went through the motions rather than doing the work.

Business associates and vendors are often missing. Most free templates focus on internal systems and overlook third-party risk. But your EHR vendor, billing company, IT managed service provider, and any other business associate that handles ePHI are all part of your risk surface. The most common HIPAA violations include inadequate vendor oversight - and a template that does not address business associate risk will miss this entirely.

The HIPAA compliance checklist is a useful reference for confirming which requirements you have addressed, but a checklist is not a substitute for a risk assessment. A checklist tells you whether something is done. A risk assessment tells you whether what you did is sufficient.

Common Risk Assessment Mistakes

Even organizations that complete a risk assessment often make mistakes that undermine its value for compliance purposes. These are the most common ones.

Treating It as a One-Time Task

HIPAA requires ongoing risk management, not a single assessment. The Security Rule explicitly requires periodic reassessment when environmental or operational changes occur. Completing an assessment in 2022 and never updating it does not satisfy the requirement in 2026.

Practices often complete their first risk assessment to satisfy an initial compliance audit and then never return to it. When a breach occurs two years later, the outdated assessment may actually work against them - showing that they identified risks but took no action to update controls as their environment changed.

Ignoring Physical Risks

The HIPAA Security Rule covers the confidentiality, integrity, and availability of ePHI. Physical risks - theft of devices, unauthorized physical access to server rooms, workstations visible to patients in waiting areas, paper records left unsecured - are all within scope.

Technology-focused organizations tend to produce excellent technical risk assessments and weak physical ones. A practice that has strong password policies and encrypted laptops but leaves a workstation visible from the waiting room has an incomplete risk picture. Physical safeguards are part of the Security Rule for a reason.

Skipping Business Associates

Your business associates are part of your risk surface. If your billing company is breached, your patients' ePHI is exposed - and you are responsible for ensuring that a Business Associate Agreement is in place and that the vendor has adequate security controls.

A complete risk assessment includes a review of all business associate relationships: who they are, what ePHI they access, what BAAs are in place, and what controls they have implemented. Many practices have BAAs on file but have never evaluated whether the vendor's actual security posture matches what the agreement requires.

Not Documenting Remediation

Identifying risks is necessary but not sufficient. The remediation plan - with assigned responsibilities, timelines, and follow-up - is what transforms the assessment from a compliance exercise into actual risk reduction.

Organizations that complete thorough analysis and then fail to document remediation are in a difficult position if OCR investigates. They can show they knew about the risks. They cannot show they did anything about them. Understanding the potential HIPAA violations and penalties makes it clear why documented remediation matters: "we identified the risk but did not address it" is not a defense.

Using a Checklist Instead of an Analysis

A checklist confirms whether a control exists. An analysis evaluates whether the control is adequate given the specific risks in your environment. These are different activities.

A practice can answer "yes" to every item on a HIPAA compliance checklist and still have unacceptable risks if the controls in place are not sized appropriately for the threats they face. The risk assessment requires analysis - reasoning about likelihood and impact in the context of your specific environment - not just confirmation that certain policies exist.

How Often Should You Update Your Risk Assessment

The Security Rule requires that the risk assessment be reviewed and updated periodically. HHS guidance and OCR enforcement actions have established a few clear triggers for when an update is required.

At a minimum, annually. Even if nothing in your environment has changed, an annual review of your risk assessment is considered a best practice and is increasingly treated as a minimum expectation by OCR. The annual review confirms that your assessment reflects your current environment and that all remediation actions are on track.

After any significant change to your environment. This includes adding a new EHR or practice management system, migrating to cloud storage, adding a new location, bringing on a new business associate, implementing a new telehealth platform, or making any significant change to your network infrastructure. Each of these changes alters your risk surface and may introduce new threats or vulnerabilities not covered by your existing assessment.

After any security incident or breach. A breach is evidence that your existing controls were insufficient. After any security incident - whether it resulted in a reportable breach or not - you should revisit your risk assessment to identify what controls failed, what new risks were exposed, and what changes need to be made. Continuing to operate from a pre-breach risk assessment after a known incident is a compliance failure.

After a significant workforce change. Adding staff, experiencing significant turnover, or changing roles and access permissions can alter your risk profile. A workforce that has grown from 5 to 25 employees has different insider threat risks than the original small team.

The HIPAA compliance starter kit for small practices covers the minimum ongoing maintenance activities that practices need to sustain compliance after completing their initial assessments. Risk assessment updates are a core part of that maintenance cycle.

Budgeting for compliance includes accounting for risk assessment updates. The HIPAA compliance cost breakdown covers what practices typically spend on risk assessments - both DIY and professionally conducted - and how those costs compare to the cost of a breach or OCR fine.

Frequently Asked Questions

Is a HIPAA risk assessment the same as a HIPAA audit?

No. A risk assessment is a proactive, internal process you conduct to identify and address risks to ePHI. An audit is an external review - typically conducted by OCR, a compliance officer, or a third-party auditor - that evaluates whether your organization has met HIPAA requirements. Completing a risk assessment is one of the things an audit will verify. They are related but not the same activity.

Does a small practice really need a full risk assessment?

Yes. The HIPAA Security Rule applies to all covered entities regardless of size. The requirement is scaled - a smaller practice may have fewer assets and simpler workflows, which makes the assessment shorter - but the requirement to conduct, document, and act on a risk assessment is the same. OCR has fined solo practitioners and small group practices for failure to conduct a risk assessment. Size is not a defense.

Can I use the HHS Security Risk Assessment Tool?

The HHS SRA Tool is a legitimate starting point, and it is better than many free templates because it was designed specifically for HIPAA compliance. However, the tool produces output that still requires meaningful analysis - you cannot simply click through the questions without substantive reasoning about your specific environment. The tool also requires you to supply the remediation tracking on top of what it generates. For small and medium practices, it can work if you invest the necessary time. For more complex environments, professional assistance typically produces a more defensible result.

What happens if I do not have a risk assessment and get audited?

Failure to conduct a risk assessment is a direct violation of 45 CFR 164.308(a)(1)(ii)(A). In every reported OCR settlement involving a missing or inadequate risk assessment, the organization paid a penalty. The fines have ranged from tens of thousands of dollars for small practices to millions for larger organizations. Beyond the financial penalty, OCR typically requires the organization to enter a corrective action plan - a multi-year compliance program with ongoing monitoring and reporting requirements.

How is a risk assessment different from a gap analysis?

A gap analysis compares your current compliance posture against the full HIPAA Security Rule requirements and identifies where you fall short. A risk assessment focuses specifically on threats and vulnerabilities to ePHI and the controls needed to address them. In practice, these activities overlap significantly - a thorough risk assessment will surface many of the same gaps a gap analysis would identify. The OGC Security Risk Assessment integrates both approaches: it produces a compliant risk assessment and identifies your compliance gaps in a single engagement.

The Bottom Line on Risk Assessment Templates

A HIPAA risk assessment template can help you understand the structure of the process. This guide has walked through what a compliant assessment covers - from asset inventory through remediation planning - and described the nine steps involved in conducting a thorough analysis.

But understanding the structure and completing a compliant assessment are different things. The analysis work - making genuine, documented judgments about likelihood and impact in the context of your specific environment, identifying vulnerabilities in your actual systems, and tracking remediation over time - cannot be done by filling in a form. It requires attention, knowledge of your environment, and a clear understanding of what OCR expects to see.

Most practices that try to handle their risk assessment with a free template end up with a document that records their effort more than their actual risk. It may satisfy an internal checkbox. It will not satisfy OCR.

If you are ready to complete a risk assessment that will hold up - one that covers all required components, is specific to your practice, and includes a documented remediation plan - the OGC Security Risk Assessment service is built for that. It is a professional, structured engagement that produces the documentation OCR expects and gives you a clear roadmap for closing your compliance gaps.

You can also review individual compliance services if you need help with specific components rather than a full assessment. And if you want to understand where your compliance program stands before committing to a full assessment, the HIPAA compliance checklist is a useful starting point for identifying obvious gaps.

The risk assessment is not optional. It is the foundation that every other HIPAA requirement builds on. Getting it right the first time - with the right level of documentation and analysis - is far less expensive than fixing it after an incident or audit.