How to Conduct a HIPAA Risk Assessment

A vital part of HIPAA risk assessments is evaluating an organization’s ability to keep and use protected health information (PHI) safely.

Under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule regulations, covered entities (primarily health plans and healthcare providers) must perform regular risk assessments to ensure compliance with administrative, physical and technical safeguards.

In fact, the Medicare and Medicaid EHR Incentive Programs mandate a risk analysis of each relevant EHR reporting period to find and fix any potential threats to patients’ PHI.

If covered entities do not fulfill these HIPAA compliance risk assessment requirements, the potential impact is highly detrimental. Providers who fail to complete the HIPAA Security Rule risk assessment will not receive EHR incentive payments, may negligently expose patients’ PHI in data breaches, and likely face distrust and attrition from patients and staff.

To help your practice avoid these issues and ensure complete compliance, we’ve consolidated HHS, CMS, NIST, and ONC recommendations to provide the following HIPAA risk assessment template. Use this template to plan and execute your future HIPAA risk assessments successfully.


Over 50% of Healthcare Providers in the U.S. Aren’t HIPAA Compliant…

…and likely don’t even know it. Identify compliance gaps in your organization right now with this checklist.



HIPAA Risk Analysis Template: 10 Steps to Success

Before diving into the template, it’s important to note that there is no cookie-cutter, one-size-fits-all, silver bullet approach to risk management and analysis. Carefully consider and customize it to your organization’s unique characteristics, functions, and environment.


1. Set scope: Note all places that e-PHI is stored, received, maintained, or transmitted.

2. Collect data: Gather the data from all e-PHI sources by reviewing projects and documentation, holding interviews, and/or other techniques.

3. Document, document, document: Identify and thoroughly capture all potential risks and vulnerabilities to your data, including human, natural, and environmental.

4. Evaluate current protocols: Assess the ability of your current security measures to  reduce risk to the confidentiality, availability, and integrity of e-PHI.

5. Calculate the probability of issues occurring: By determining the likelihood that the potential threats would happen, organizations fulfill the requirement of the HIPAA assessment to identify “reasonably anticipated” threats to protect against.


HIPAA risk assessments


6. Determine impact of threats occurring: Assess the magnitude of damage that each identified threat or vulnerability would generate.

7. Organize by risk level: Stratify all potential issues and occurrences using the information gathered and calculated in steps five and six.

8. Build and execute remediation or mitigation strategy: To get the most out of HIPAA risk assessments, create specific plans for removing or de-escalating potential issues. Prioritize implementation based on risk level found in step seven.

9. Just keep documenting: Though no specific format is required, documentation is perhaps the most crucial part of the process. If you do not document your findings and remediation or mitigation strategy, the HIPAA risk assessment will be insufficient and incomplete.

10. Establish an ongoing action plan: Stay on track with your compliance program and HIPAA requirements. Ongoing actions may include upgrades of system software, changes to storage methods, modified policies, additional staffing. Each initiative should have a clear goal, owner, and target completion date.


When your practice successfully identifies risk and shuts it down before it escalates, you are ensuring that your business and your patients stay as safe, protected, and healthy as possible.


HIPAA Security Rule Risk Assessment: Common Mistakes and Challenges

HIPAA Risk Analysis Template


As you determine how to fill out your organization’s HIPAA risk analysis template, there are a handful of pitfalls to be aware of and avoid.


1. Installing a certified EHR instead of performing a complete security risk analysis: This is not sufficient to comply with HIPAA and protect your organization from risk. All providers must conduct risk assessments to maintain compliance and receive EHR incentive payments.

2. Relying on your EHR vendor to satisfy privacy and security requirements: The EHR vendor may assist in optimizing privacy and security, but their products are not required to be compliant with HIPAA. That is the user’s responsibility.

3. Completing risk analysis only once: Under HIPAA, you must have an ongoing process of reviewing and modifying security measures.

4. Not considering all security areas in the assessment: It is critical to comprehensively evaluate various security areas during the examination, including physical (e.g., windows, alarms), administrative (e.g., training), technical (e.g., passwords, encryption), procedural (e.g., record retention), and organizational (e.g., vendor access management).

5. Failing to document: Thorough, detailed documentation is essential to risk assessments. Without it, the entire process will be disorganized, impossible to track, and unactionable.


Resources for Risk Analysis

HIPAA Security Rule risk assessment


As you work to improve your risk assessments, you may want to consider the following resources that organizations across the U.S. are using to support their processes:


1. HIPAA Compliance Checklist: This resource includes a high-level overview of every element of HIPAA, a breakdown of each pillar (including the Security Rule), case studies of HIPAA breaches, and much more.

2. Security Risk Assessment (SRA) Tool: Perfect for small or medium providers, this resource uses your inputs to generate a report which can be used to determine risks in policies, processes, systems, and methods. It also provides enhanced functionality to document how your organization is guarding (or plans to guard) against these risks.

3. HIPAA Security Guidance: These resources and tools help HIPAA-covered entities achieve safety without breaking the bank, navigate remote access to e-PHI, protect information on mobile devices, respond to ransomware threats, and more.


Complete a HIPAA Risk Assessment the Smarter Way

Despite the wide availability of supporting resources (including those linked above), most organizations will opt to partner with a security firm to execute their required assessments. Bringing in an external expert perspective ensures that your analysis is thorough, objective, efficient, and fully adherent to requirements.

At True North, we specialize in guiding providers to achieve full HIPAA compliance. Our high levels of security, robust backup technologies, and vast expertise in healthcare IT allow you to have peace of mind throughout the security assessment process and redirect your staff’s energy to other pressing priorities.

Book a free, 30-minute consultation to gather more information and learn what a partnership would look like.

Join Our Newsletter & Learn

Get our latest content delivered to your inbox.

Speak to an IT Expert

Book a Complimentary 30 Minute Consultation