How often do I need to do a HIPAA risk assessment?

HIPAA requires risk assessments to be conducted at least annually, or whenever there are significant changes to your practice, systems, or operations. Many practices conduct them quarterly for better protection.

What should be included in a HIPAA risk assessment?

A risk assessment should include: (1) Inventory of all ePHI locations, (2) Identification of threats and vulnerabilities, (3) Assessment of current safeguards, (4) Risk level calculations, (5) Remediation plans, and (6) Documentation of findings.

Can I do a HIPAA risk assessment myself?

Yes, small practices can conduct risk assessments themselves using tools and templates. However, using automated risk assessment software like HIPAA Hub makes it easier and ensures completeness.

HIPAA Risk Assessment: Complete Guide for Healthcare Providers

A risk assessment is required. Here's how to do it right.

This complete guide covers everything you need to know about conducting a HIPAA Security Risk Analysis.

What is a HIPAA Risk Assessment?

A HIPAA Security Risk Analysis (SRA) is a required evaluation of potential risks and vulnerabilities to electronic Protected Health Information (ePHI).

Key points:

Required by HIPAA Security Rule
Must be conducted annually (or when systems change)
Must be documented
Must identify threats, vulnerabilities, and risks
Must include remediation plans

What it's not:

Not a one-time activity
Not optional
Not just a checklist
Not a policy document

Why is a Risk Assessment Required?

HIPAA requires risk assessments because:

Identifies security gaps
Helps prioritize remediation
Demonstrates due diligence
Required for audits
Reduces breach risk

What happens if you don't do one?

OCR fines ($10,000-$50,000)
Failed audits
Increased breach risk
Legal liability

The Risk Assessment Process

Step 1: Identify All ePHI Locations

Document where ePHI is:

Stored (EHR systems, servers, cloud storage)
Transmitted (email, file transfers, APIs)
Accessed (workstations, mobile devices, remote access)
Backed up (backup systems, off-site storage)

Inventory checklist:

EHR system
Email systems
Cloud storage (Dropbox, Google Drive, etc.)
Servers
Workstations
Mobile devices (laptops, tablets, phones)
Backup systems
Third-party systems (billing, scheduling)
Remote access systems
Network infrastructure

Step 2: Identify Threats and Vulnerabilities

Common threats:

Hacking and cyberattacks
Malware and ransomware
Theft of devices
Unauthorized access
Human error
Natural disasters
System failures

Common vulnerabilities:

Unencrypted devices
Weak passwords
Outdated software
Missing security patches
Unsecured networks
Lack of access controls
Insufficient training
Missing policies

Step 3: Assess Current Security Measures

Evaluate existing safeguards:

Administrative:

Security policies in place
Security Officer designated
Staff training conducted
Access controls implemented
Incident response plan

Physical:

Facility access controls
Workstation security
Device encryption
Media controls

Technical:

Access controls (unique user IDs)
Audit logging enabled
Encryption in transit
Encryption at rest
Automatic logoff

Step 4: Determine Likelihood and Impact

For each identified risk:

Likelihood:

High: Very likely to occur
Medium: Somewhat likely to occur
Low: Unlikely to occur

Impact:

High: Severe consequences (large breach, major fines)
Medium: Moderate consequences (small breach, moderate fines)
Low: Minor consequences (minimal impact)

Step 5: Calculate Risk Levels

Risk Level = Likelihood × Impact

Risk matrix:

Critical: High likelihood + High impact
High: Medium-High likelihood + Medium-High impact
Medium: Low-Medium likelihood + Low-Medium impact
Low: Low likelihood + Low impact

Prioritize remediation:

Critical risks (address immediately)
High risks (address within 30 days)
Medium risks (address within 90 days)
Low risks (address as resources allow)

Step 6: Document Findings

Risk assessment report must include:

Inventory of ePHI locations
Identified threats and vulnerabilities
Current security measures
Risk level calculations
Remediation plans
Implementation timeline
Responsible parties

Step 7: Create Remediation Plans

For each identified risk:

Remediation plan should include:

Specific remediation steps
Timeline for implementation
Responsible party
Estimated cost
Success criteria

Example:

Risk: Unencrypted laptops
Likelihood: High
Impact: High
Risk Level: Critical

Remediation:
1. Enable BitLocker on all Windows laptops (Week 1)
2. Enable FileVault on all Mac laptops (Week 1)
3. Document encryption status (Week 2)
4. Train staff on encryption (Week 2)
5. Verify encryption enabled (Week 3)

Responsible: IT Manager
Cost: $0 (built-in encryption)
Timeline: 3 weeks

Step 8: Implement Controls

Implementation priority:

Critical risks (immediate)
High risks (30 days)
Medium risks (90 days)
Low risks (ongoing)

Document all implementations:

What was implemented
When it was implemented
Who implemented it
Evidence of implementation

Step 9: Review and Update

Review schedule:

Annually: Full risk assessment
Quarterly: Review high-priority risks
When systems change: New risk assessment
After incidents: Update risk assessment

Risk Assessment Tools

Option 1: Manual Assessment

Process:

Use checklist or template
Document in spreadsheet or document
Calculate risks manually
Create remediation plans

Pros:

Free
Full control

Cons:

Time-consuming (20-40 hours)
Easy to miss items
Difficult to maintain

Option 2: Automated Tool (HIPAA Hub)

Process:

Answer 150+ questions
System calculates risks
Auto-generates remediation plans
Maintains documentation

Pros:

Fast (2-4 hours)
Comprehensive
Easy to maintain
OCR-aligned

Cons:

Cost ($499/year)

ROI: Saves 20-30 hours, ensures completeness

Documentation Requirements

What to Document

Required documentation:

Risk assessment report - Complete findings
Remediation plans - For each risk
Implementation evidence - Proof of controls
Review dates - When assessments conducted
Updates - When risks change

Documentation Format

Risk assessment report should include:

Executive summary
Methodology
ePHI inventory
Threat and vulnerability analysis
Current safeguards assessment
Risk calculations
Remediation plans
Implementation timeline
Appendices (evidence, policies, etc.)

Common Mistakes to Avoid

Mistake 1: Not Documenting

Problem: Conducting assessment but not documenting

Solution: Document everything, maintain for 6 years

Mistake 2: Not Prioritizing

Problem: Trying to fix everything at once

Solution: Prioritize by risk level, start with critical

Mistake 3: Not Updating

Problem: Conducting assessment once and never updating

Solution: Review annually, update when systems change

Mistake 4: Not Implementing

Problem: Identifying risks but not fixing them

Solution: Create remediation plans, implement systematically

How HIPAA Hub Helps

HIPAA Hub automates risk assessment:

✅ 150+ OCR-aligned questions
✅ Automated risk calculations
✅ Auto-generated remediation plans
✅ Documentation maintained
✅ Annual reminders
✅ Easy updates

Time saved: 20-30 hours per assessment

Next Steps

Understand the requirements - Review this guide
Choose your approach - Manual or automated
Conduct assessment - Follow the process
Document findings - Create report
Implement remediation - Fix identified risks
Review annually - Keep current

This guide is based on HIPAA Security Rule requirements and OCR guidance. For automated risk assessment, consider using HIPAA Hub.

HIPAA Risk Assessment: Complete Guide for Healthcare Providers

HIPAA Risk Assessment: Complete Guide for Healthcare Providers

What is a HIPAA Risk Assessment?

Why is a Risk Assessment Required?

The Risk Assessment Process

Step 1: Identify All ePHI Locations

Step 2: Identify Threats and Vulnerabilities

Step 3: Assess Current Security Measures

Step 4: Determine Likelihood and Impact

Step 5: Calculate Risk Levels

Step 6: Document Findings

Step 7: Create Remediation Plans

Step 8: Implement Controls

Step 9: Review and Update

Risk Assessment Tools

Option 1: Manual Assessment

Option 2: Automated Tool (HIPAA Hub)

Documentation Requirements

What to Document

Documentation Format

Common Mistakes to Avoid

Mistake 1: Not Documenting

Mistake 2: Not Prioritizing

Mistake 3: Not Updating

Mistake 4: Not Implementing

How HIPAA Hub Helps

Next Steps

Related Resources