HIPAA Risk Assessment: Step-by-Step Process
A HIPAA risk assessment is the most important step in any healthcare compliance program. The Office for Civil Rights (OCR) tracks HIPAA enforcement actions closely, and failure to conduct a complete, practice-wide risk analysis is the finding it cites most often.
This guide gives you a practical, step-by-step process for a HIPAA security risk analysis (SRA). It covers every phase, from scoping through remediation and ongoing management. Use it whether this is your first assessment or an upgrade to an existing one.
Understanding the SRA Requirement
Regulatory Foundation
The HIPAA Security Rule at 45 CFR 164.308(a)(1)(ii)(A) sets a clear requirement. Covered entities and business associates must "conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information." This is a required implementation specification; there is no alternative.
The rule does not name a specific methodology or tool, so practices can choose an approach that fits their size and environment. But OCR has published clear guidance on what makes a solid risk analysis, and enforcement actions show the level of depth it expects.
Key Regulatory Expectations
OCR expects a risk analysis to be:
- Comprehensive — Covering all ePHI across the entire practice, not just selected systems or departments.
- Thorough — Identifying all reasonably anticipated threats and vulnerabilities.
- Accurate — Based on current conditions, not outdated assumptions or generic templates.
- Documented — Producing written records that show the process and findings.
- Ongoing — Updated regularly and whenever major changes occur.
A checklist or short questionnaire does not meet these requirements. The risk assessment must be a real analysis that evaluates specific threats to specific assets in your actual environment.
Step 1: Define Scope and Assemble Your Team
Scoping the Assessment
The scope must cover all ePHI your practice creates, receives, maintains, or transmits, regardless of medium, location, or system. It includes:
- On-premises systems — Servers, workstations, medical devices, and network infrastructure.
- Cloud environments — Hosted applications, cloud storage, SaaS platforms, and hosted infrastructure.
- Remote and mobile — Laptops, tablets, smartphones, home offices, and telehealth platforms.
- Third-party systems — Business associate environments that store or process your ePHI.
- Paper-to-digital transitions — Scanning systems, fax servers, and digital record management.
A common mistake is limiting scope to the primary EHR system. Secondary systems such as email, messaging platforms, billing software, and legacy applications also hold ePHI.
Assembling the Team
Effective risk assessments need input from many people:
- Security officer — Leads the assessment and coordinates activities.
- IT staff — Provides technical knowledge of systems, networks, and security controls.
- Clinical staff — Identifies workflows involving ePHI and clinical system usage.
- Administrative staff — Covers billing, scheduling, and day-to-day procedures.
- Compliance officer — Ensures regulatory requirements are addressed.
- Facilities management — Addresses physical security factors.
- Privacy officer — Provides insight on Privacy Rule implications.
In small practices, some of these roles may overlap. The key is covering technical, operational, and clinical viewpoints. External consultants can fill gaps, especially for a first full assessment.
Step 2: Inventory ePHI Assets
Creating the Asset Inventory
A complete ePHI asset inventory is the foundation of the risk assessment. For each asset, record:
- Asset name and description — What the system or device is and what it does.
- Location — Physical and logical location (building, room, network segment, cloud region).
- ePHI types — What categories of health data the asset stores, processes, or transmits.
- Data volume — Approximately how many patient records or how much ePHI the asset holds.
- Users — Who accesses the system and their roles.
- Owner — The person or department responsible for the asset.
- Criticality — How important the asset is to operations and patient care.
Common Asset Categories
Group your inventory into these categories:
- Applications — EHR, practice management, billing, lab systems, imaging, telehealth platforms, patient portals.
- Infrastructure — Servers, databases, network devices, firewalls, wireless access points.
- Endpoints — Workstations, laptops, tablets, mobile devices, medical devices with ePHI.
- Storage — File servers, network-attached storage, cloud storage, backup media, removable drives.
- Communication — Email systems, fax servers, secure messaging, VoIP, video conferencing.
- Physical — Server rooms, data closets, file cabinets containing digital media, workstation locations.
Document how ePHI moves between these assets. Data flow diagrams help you find transmission paths that need encryption and access points that need authentication.
Step 3: Identify Threats
Threat Categories
A threat is any event or action that could exploit a vulnerability and harm ePHI. Group threats into these categories:
Natural threats:
- Floods, earthquakes, hurricanes, tornadoes.
- Power outages from severe weather.
- Fire (natural or accidental).
Human threats — intentional:
- External cyberattacks (ransomware, phishing, malware, denial-of-service).
- Insider threats from disgruntled employees.
- Social engineering attacks.
- Theft of devices or media.
- Unauthorized physical access.
Human threats — unintentional:
- Accidental data exposure through misconfigured systems.
- Misdirected emails or faxes containing ePHI.
- Improper disposal of devices or media.
- Failure to follow security procedures.
- Lost devices.
Environmental and technical threats:
- Hardware failures.
- Software bugs and vulnerabilities.
- Network outages.
- Power surges or electrical failures.
- HVAC failures affecting server environments.
Documenting Threats
For each threat, record:
- Threat source — Who or what could cause the threat event.
- Threat action — How the threat event would unfold.
- Affected assets — Which ePHI assets could be impacted.
- Historical data — Whether your practice or similar ones have faced this threat before.
- Threat likelihood — An early estimate of how likely the threat is to occur (refined in later steps).
Use industry sources to inform your threat list, such as the HHS Breach Portal, FBI Internet Crime Reports, and healthcare-specific threat intelligence. Pay special attention to threats that have hit similar practices in your region and sector.
Step 4: Identify Vulnerabilities
What Counts as a Vulnerability
A vulnerability is a weakness in a system, process, policy, or control that a threat can exploit to harm ePHI. Vulnerabilities exist at every level of a practice.
Technical vulnerabilities:
- Unpatched software and operating systems.
- Weak or default passwords.
- Missing or misconfigured encryption.
- Inadequate access controls.
- Open network ports and unnecessary services.
- Lack of multi-factor authentication.
- Missing or inadequate audit logging.
Administrative vulnerabilities:
- Absent or outdated security policies.
- Inadequate workforce training.
- No incident response plan.
- Incomplete business associate agreements.
- Lack of documented procedures.
- No regular security reviews.
Physical vulnerabilities:
- Unsecured server rooms or data closets.
- Missing visitor controls.
- Inadequate surveillance.
- Unlocked workstations in public areas.
- Missing disposal procedures for media and devices.
Vulnerability Assessment Methods
Use multiple methods to find vulnerabilities:
- Technical scanning — Automated vulnerability scanners, penetration testing, and network assessments.
- Policy review — Compare existing policies against Security Rule requirements and industry frameworks.
- Interviews — Speak with staff about actual practices, workarounds, and observed security gaps.
- Physical walkthroughs — Inspect facilities for physical security vulnerabilities.
- Audit log review — Examine system logs for evidence of unauthorized access or anomalies.
- Prior assessments — Review findings from previous risk assessments, audits, and incident reports.
Step 5: Assess Current Controls
Mapping Controls to Risks
For each threat-vulnerability pair, record the security controls you have in place now. Controls fall into three categories:
- Preventive controls — Measures that stop threats from exploiting vulnerabilities (firewalls, access controls, encryption, training).
- Detective controls — Measures that catch when a threat has exploited a vulnerability (audit logs, intrusion detection, monitoring).
- Corrective controls — Measures that respond to and recover from security incidents (incident response plans, backup systems, disaster recovery).
Evaluating Control Effectiveness
Rate each control honestly:
- Fully effective — The control is properly configured, regularly maintained, and tested.
- Partially effective — The control exists but has gaps in configuration, coverage, or maintenance.
- Not effective — The control exists on paper only, is severely outdated, or is not functioning.
- Absent — No control exists for this risk.
Be honest in this evaluation. Overrating control effectiveness undermines the entire risk analysis and creates a false sense of security. Focus on how controls actually work in practice, not how they look on paper.
Step 6: Determine Risk Levels
Risk Scoring Methodology
Risk combines threat likelihood and impact severity. For each threat-vulnerability-asset combination, assess both factors.
Likelihood levels:
| Level | Description |
|---|---|
| High | The threat source is highly motivated and capable; controls are ineffective or absent. |
| Medium | The threat source is motivated and capable, but controls may impede exploitation. |
| Low | The threat source lacks motivation or skill, or strong controls are in place. |
Impact levels:
| Level | Description |
|---|---|
| High | Exploitation could result in major harm — large-scale breach, major financial loss, harm to patients, loss of key systems. |
| Medium | Exploitation could result in moderate harm — limited breach, moderate financial impact, temporary system disruption. |
| Low | Exploitation could result in minor harm — minimal data exposure, negligible financial impact, brief disruption. |
Calculating Overall Risk
Combine likelihood and impact to get an overall risk level:
| | Low Impact | Medium Impact | High Impact |
|---|---|---|---|
| High Likelihood | Medium | High | Critical |
| Medium Likelihood | Low | Medium | High |
| Low Likelihood | Low | Low | Medium |
Document the rationale for each risk rating. Regulators and auditors want to understand why you chose a rating, so include specific evidence from your threat and vulnerability analysis that supports each one.
Step 7: Develop the Remediation Plan
Prioritizing Risks
You cannot fix all risks at once. Prioritize remediation based on risk level:
- Critical risks — Address right away. These carry the highest chance of a major breach.
- High risks — Address within 30-90 days. These represent substantial exposure.
- Medium risks — Address within 6-12 months as part of planned security improvements.
- Low risks — Monitor and address during regular maintenance cycles, or accept with documentation.
Creating Actionable Remediation Items
For each risk that needs remediation, record:
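As an added example (not code from the original guide), the Step 6 risk matrix and the Step 7 remediation windows above expressed as a small Python risk register, run over constructed sample findings for a hypothetical practice; the class and function names are this example's own.

```python
from dataclasses import dataclass, field

# Step 6 risk matrix: RISK_MATRIX[likelihood][impact] -> overall risk level.
RISK_MATRIX = {
    "High":   {"Low": "Medium", "Medium": "High",   "High": "Critical"},
    "Medium": {"Low": "Low",    "Medium": "Medium", "High": "High"},
    "Low":    {"Low": "Low",    "Medium": "Low",    "High": "Medium"},
}

# Step 7 remediation windows, keyed by overall risk level.
REMEDIATION_WINDOW = {
    "Critical": "address immediately",
    "High": "address within 30-90 days",
    "Medium": "address within 6-12 months",
    "Low": "monitor; fix in maintenance cycle or accept with documentation",
}
PRIORITY = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

def score_risk(likelihood: str, impact: str) -> str:
    """Look up the overall risk level; reject ratings outside the 3-level scales."""
    try:
        return RISK_MATRIX[likelihood][impact]
    except KeyError:
        raise ValueError(f"ratings must be Low/Medium/High, got {likelihood!r}/{impact!r}")

@dataclass
class RiskEntry:
    """One risk register row: a threat-vulnerability-asset combination."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    rationale: str  # evidence for the rating; Step 6 requires it to be documented
    risk_level: str = field(init=False)
    window: str = field(init=False)

    def __post_init__(self) -> None:
        if not self.rationale.strip():
            raise ValueError("every risk rating needs a documented rationale")
        self.risk_level = score_risk(self.likelihood, self.impact)
        self.window = REMEDIATION_WINDOW[self.risk_level]

def build_register(entries: list[RiskEntry]) -> list[RiskEntry]:
    # Order the register by remediation priority, Critical first.
    return sorted(entries, key=lambda e: (PRIORITY[e.risk_level], e.asset))

# Constructed sample findings for a hypothetical practice (not real data).
SAMPLE_REGISTER = build_register([
    RiskEntry("EHR server", "Ransomware", "Unpatched OS, backups on same network",
              "High", "High", "Patches 9 months behind; no offline backup copy"),
    RiskEntry("Billing laptop", "Device theft", "No full-disk encryption",
              "Medium", "High", "Laptop leaves the office weekly"),
    RiskEntry("Fax server", "Misdirected fax", "No recipient confirmation step",
              "Medium", "Low", "Two single-page misdirected faxes last year"),
])
```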
- Risk description — What the specific risk is.
- Current risk level — The assessed risk rating.
- Remediation action — The specific measure to put in place.
- Target risk level — The expected risk rating after remediation.
- Responsible party — Who is accountable for getting it done.
- Target completion date — When the remediation must be finished.
- Resource requirements — Budget, staff, and technology needed.
- Status tracking — A mechanism for tracking progress.
Risk Response Options
For each identified risk, practices have four response options:
- Mitigate — Put controls in place to reduce the risk to an acceptable level.
- Transfer — Shift the risk to another party (e.g., cyber insurance, outsourcing to a qualified vendor).
- Accept — Acknowledge the risk and record the decision not to act further. Only appropriate for low risks with documented justification.
- Avoid — Remove the risk by eliminating the action, system, or process that creates it.
Most risks in a healthcare setting require mitigation. Use risk acceptance sparingly; it always requires management approval and written documentation.
Step 8: Document Everything
Required Documentation
The risk assessment must produce complete written documentation including:
- Scope statement — What was assessed, including all systems, locations, and ePHI types.
- Methodology description — How the assessment was conducted, including tools and frameworks used.
- Asset inventory — A complete list of ePHI assets with classifications.
- Threat analysis — Identified threats with likelihood ratings and supporting evidence.
- Vulnerability analysis — Identified vulnerabilities with assessment method and evidence.
- Control assessment — Current controls mapped to risks with effectiveness ratings.
- Risk register — All identified risks with likelihood, impact, and overall risk ratings.
- Remediation plan — Prioritized actions with responsible parties, timelines, and resource requirements.
- Management sign-off — Executive acknowledgment and approval of the findings and remediation plan.
Retention and Maintenance
Keep all risk assessment documentation for at least six years, as the Security Rule requires. Store it securely and use version control to track changes over time. Do not discard previous risk assessments; they provide valuable historical context and show your practice's ongoing commitment to security improvement.
Ongoing Risk Management
Annual Reassessment
Conduct a full risk assessment at least annually. Between full assessments, update your risk analysis whenever:
- New systems or technology are put in place.
- Significant operational changes occur.
- Security incidents or breaches are identified.
- New threats emerge in the healthcare sector.
- Regulatory requirements change.
- Business associate relationships change materially.
Integrating Risk Assessment Into Operations
The risk assessment should not be a standalone compliance exercise. It should drive security decisions across your entire practice. Use risk assessment findings to inform:
- Budget planning — Use risk priorities to justify and allocate security spending.
- Vendor management — Use risk findings to evaluate and monitor business associates.
- Training programs — Target training topics based on identified workforce-related risks.
- Policy development — Update policies to address newly identified vulnerabilities.
- Incident response — Use threat analysis to inform incident response planning and tabletop exercises.
- Board reporting — Communicate risk posture and remediation progress to board-level leadership.
Practices that treat risk assessment as a living process build stronger security programs. They also show the proactive compliance that regulators recognize and respect.
Risk Assessment FAQ
How long does a HIPAA risk assessment take?
The timeline varies based on size and complexity. A small practice may finish a thorough risk assessment in 2-4 weeks. A large health system with multiple locations may need 2-4 months. Thoroughness matters more than speed. Rushing to meet a deadline undermines the value of the assessment and may not satisfy OCR expectations.
Can we use a template or tool for our risk assessment?
Yes, and many practices find tools helpful for structuring the process. HHS offers a free Security Risk Assessment (SRA) Tool designed for small and medium practices. Commercial tools and frameworks such as the NIST Cybersecurity Framework and HITRUST CSF provide more comprehensive capabilities. However, no tool replaces the need for knowledgeable assessors. A tool-generated assessment without expert analysis and customization is unlikely to satisfy OCR expectations.
What is the difference between a risk assessment and a gap analysis?
A risk assessment evaluates the likelihood and impact of threats exploiting vulnerabilities to harm ePHI. It produces risk ratings and a prioritized remediation plan. A gap analysis compares current practices against a set of requirements, such as the Security Rule standards, to find what is missing. The Security Rule specifically requires a risk analysis. A gap analysis may inform the risk assessment but does not replace it. Our HIPAA compliance checklist provides a practical gap analysis starting point.
Do business associates need to conduct their own risk assessments?
Yes. Business associates are independently responsible for conducting their own risk assessments, which must cover the ePHI they create, receive, maintain, or transmit. The covered entity's risk assessment does not cover the business associate's environment. Covered entities should verify that their business associates conduct regular risk assessments as part of ongoing BAA compliance monitoring.
What are the consequences of not conducting a risk assessment?
Failure to conduct a risk analysis is the most frequently cited finding in OCR enforcement actions. Penalties for this gap alone have ranged from tens of thousands to millions of dollars. Without a risk assessment, a practice has no real understanding of its security posture, which makes effective protection of ePHI essentially impossible. Review the HIPAA compliance guide for a broader discussion of enforcement trends and penalties.
Risk Assessment Takeaways
A thorough HIPAA risk assessment is the foundation for every other compliance action. Without knowing where ePHI exists, what threatens it, and how well your controls work, you cannot make informed decisions. Security spending, policy development, and incident response all depend on this knowledge.
The step-by-step process here, from scoping and asset inventory through threat identification, vulnerability analysis, risk scoring, and remediation planning, gives you a repeatable methodology. It meets regulatory expectations and genuinely improves your security posture. Practices that conduct honest, thorough risk assessments and act on their findings avoid breaches, satisfy regulators, and earn patient trust.
One Guy Consulting helps healthcare practices conduct comprehensive HIPAA risk assessments that satisfy regulatory requirements and produce actionable results. From initial scoping through final documentation, our team brings the expertise and practical tools needed to identify your risks and build an effective remediation program. Contact us to start your risk assessment or to strengthen an existing process with proven methodology and expert guidance.