How to Complete a HIPAA Security Risk Assessment for Your Solo Therapy Practice
How to complete the federally required HIPAA Security Risk Assessment for a solo therapy practice. What to evaluate and document.
The HIPAA Security Risk Assessment is the foundation of every compliant therapy practice, and it is the document OCR asks for first when investigating a complaint or conducting an audit. For solo therapists, completing one can feel overwhelming because most guidance is written for hospitals with dedicated IT departments. This guide walks through exactly what a solo or small group practice needs to assess, what the results should look like, and how to keep the documentation in a form that will hold up under regulatory scrutiny.
What the Law Actually Requires
The HIPAA Security Rule, at 45 CFR 164.308(a)(1), requires every covered entity to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI). This is not optional and there is no size exemption. A solo therapist operating out of a home office has the same Risk Assessment requirement as a 50-physician group practice.
The requirement has three components: identifying where ePHI exists in your environment, identifying the risks and vulnerabilities to that information, and assessing the likelihood and potential impact of those risks being exploited.
Before You Start: Map Where Your ePHI Lives
The first step is understanding what you are assessing. ePHI is any protected health information that is created, received, maintained, or transmitted in electronic form. For a typical solo therapy practice, this includes your EHR system (session notes, diagnoses, treatment plans, billing information) and every device used to access it; your telehealth platform and the video sessions conducted through it; email, if you ever send or receive any patient information that way; your scheduling software, if it contains patient names and appointment details; cloud storage (Google Drive, Dropbox, iCloud), if you store any patient-related documents there; and your phone, if you have text message conversations with patients that include any health information.
Write these down. This list becomes the inventory that drives your entire Risk Assessment.
The Three Categories You Must Assess
Administrative Safeguards
Administrative safeguards are the policies and procedures that govern how you manage the security of ePHI. For a solo practice, the key areas to assess are who has access to patient information and why. If you have an administrative assistant, a billing service, or a supervisor who reviews your notes, you need to evaluate whether that access is appropriate and whether it is documented.
How you train yourself and any staff on security practices matters as well. Annual training is required, and it needs to be documented. Assess whether this is happening and whether you have records.
What your contingency plan is if systems become unavailable also requires assessment. If your EHR goes down, how do you continue providing care? If you experience a ransomware attack, what is your recovery process?
Physical Safeguards
Physical safeguards address how you control physical access to systems containing ePHI. For a private practice, this typically means your office: who has keys or access codes, whether you lock your computer when stepping away, whether patient records are visible to people in the waiting room.
Your devices are equally important: whether your laptop is encrypted, whether your phone has a passcode, what happens to devices when you replace them. Your paper records, if any exist, and how they are stored and eventually destroyed also fall under physical safeguards.
Technical Safeguards
Technical safeguards are the technology controls that protect ePHI. The key areas for solo practices include unique user identification: does every person who accesses patient data have their own login? Shared passwords are a violation that makes audit trails impossible.
Automatic logoff is another critical control: do your systems automatically log out after a period of inactivity? This matters especially for shared or semi-public spaces.
Encryption rounds out the core technical requirements: is data encrypted at rest (on your devices and storage) and in transit (when transmitted over the internet)? Most modern EHR systems handle encryption for their platform, but your local devices may not be encrypted by default.
Audit controls close the loop: can you access logs showing who has accessed patient data and when? Do you review those logs?
How to Score Your Risks
For each risk you identify, you need to assess two things: likelihood and impact. A simple approach uses a 1-to-3 scale.
Likelihood refers to how probable it is that this vulnerability would be exploited. A laptop without encryption left in a car has high likelihood of becoming a breach. An EHR system with strong access controls has low likelihood.
Impact asks: if this vulnerability were exploited, how serious would the consequences be? A breach exposing thousands of patient records has high impact. A single misdirected email with minimal PHI has lower impact.
Multiply likelihood by impact to get a risk score. High-scoring risks need mitigation actions. Document every identified risk, its score, and what you plan to do about it.
What Your Risk Assessment Document Should Contain
A Risk Assessment that will satisfy OCR scrutiny includes the date the assessment was conducted, the name of the person who conducted it (for solo practices, this is you), and the scope of the assessment covering what systems and processes were evaluated. It should also contain the inventory of ePHI showing where it exists in your environment, a list of identified risks with likelihood and impact ratings, your current controls for each risk, planned remediation actions for high risks, and the date by which you will review or update the assessment.
OCR has been explicit in enforcement actions that a Risk Assessment must be documented. A mental model of your risks that lives only in your head is not a Risk Assessment under HIPAA.
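The scoring method above (likelihood times impact on a 1-to-3 scale) and the document contents just listed can be captured in a small risk register. The following Python script is an added example written for this article, not a tool from HIPAA Hub or from any regulator: it validates the scale, ranks risks by score, and flags the completeness gaps a reviewer would notice, such as a high risk with no dated remediation plan, a risk referencing a system missing from the ePHI inventory, or a review date more than a year out. The "high risk" threshold of 6, the fictional practice, and all sample risks are constructed assumptions, not values from the article.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Both likelihood and impact use the 1-to-3 scale described in the article.
SCALE = (1, 2, 3)
# Assumed threshold (not from the article): a score of 6 or 9 (2x3, 3x2, 3x3) is
# treated as "high" and must carry a dated remediation plan.
HIGH_RISK_THRESHOLD = 6


@dataclass
class Risk:
    """One row of the risk register."""
    asset: str                      # system or device from the ePHI inventory
    vulnerability: str
    likelihood: int                 # 1 = low, 3 = high
    impact: int                     # 1 = low, 3 = high
    current_control: str
    remediation: Optional[str] = None
    remediation_due: Optional[date] = None

    def __post_init__(self) -> None:
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError("likelihood and impact must each be 1, 2 or 3")

    @property
    def score(self) -> int:
        # Likelihood multiplied by impact, as the article describes.
        return self.likelihood * self.impact

    @property
    def is_high(self) -> bool:
        return self.score >= HIGH_RISK_THRESHOLD


@dataclass
class RiskAssessment:
    """The document itself: the header fields the article lists plus the register."""
    conducted_on: date
    conducted_by: str
    scope: str
    ephi_inventory: list[str]
    risks: list[Risk]
    next_review: date

    def prioritized(self) -> list[Risk]:
        """Risks ordered from highest score to lowest."""
        return sorted(self.risks, key=lambda r: r.score, reverse=True)

    def high_risks(self) -> list[Risk]:
        return [r for r in self.prioritized() if r.is_high]

    def completeness_problems(self) -> list[str]:
        """Gaps that would leave the written assessment incomplete."""
        problems: list[str] = []
        if not self.conducted_by.strip():
            problems.append("assessor name is missing")
        if self.next_review <= self.conducted_on:
            problems.append("next review date must be after the assessment date")
        elif self.next_review - self.conducted_on > timedelta(days=366):
            problems.append("review interval exceeds the customary one-year maximum")
        for risk in self.risks:
            if risk.asset not in self.ephi_inventory:
                problems.append(f"{risk.asset}: risk references an asset missing from the ePHI inventory")
            if risk.is_high and not (risk.remediation and risk.remediation_due):
                problems.append(f"{risk.asset}: high risk (score {risk.score}) has no dated remediation plan")
        return problems


def build_sample_assessment() -> RiskAssessment:
    """Constructed sample data for a fictional solo practice (not real findings)."""
    conducted = date(2024, 3, 1)
    return RiskAssessment(
        conducted_on=conducted,
        conducted_by="Dr. Example (solo practitioner)",
        scope="EHR, telehealth platform, practice laptop and personal phone",
        ephi_inventory=["EHR", "Telehealth platform", "Laptop", "Personal phone"],
        risks=[
            Risk("Laptop", "Disk not encrypted; laptop travels between home and office",
                 likelihood=3, impact=3, current_control="Login password only"),
            Risk("Telehealth platform", "No signed BAA on file with the vendor",
                 likelihood=2, impact=3, current_control="Vendor encrypts sessions in transit",
                 remediation="Obtain and file signed BAA", remediation_due=date(2024, 4, 1)),
            Risk("Personal phone", "Text messages with patients sometimes include health information",
                 likelihood=2, impact=2, current_control="Passcode and auto-lock enabled"),
            Risk("EHR", "Vendor-hosted system; account compromise would expose all records",
                 likelihood=1, impact=3, current_control="Unique login, MFA, vendor audit logs"),
        ],
        next_review=conducted + timedelta(days=365),
    )


if __name__ == "__main__":
    assessment = build_sample_assessment()
    for r in assessment.prioritized():
        flag = "HIGH" if r.is_high else "    "
        print(f"{flag} score={r.score} {r.asset}: {r.vulnerability}")
    for problem in assessment.completeness_problems():
        print("INCOMPLETE:", problem)
```

Run as a script, the register lists the unencrypted laptop first (score 9) and reports that it lacks a dated remediation plan; the telehealth BAA risk scores 6 but passes because its remediation and due date are recorded. Keeping the inventory, the scored risks, the controls and the remediation plan in one structure is the point: the same file answers "what did you find" and "what did you do about it", which is what the article says the written assessment must show.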
Common Mistakes Solo Therapists Make
Assessing only the EHR is perhaps the most common mistake. Many therapists assess their primary EHR system and stop there. Every system and device touching ePHI needs to be evaluated, including personal phones, email accounts, and telehealth platforms.
Doing it once and forgetting it is another common error. HIPAA requires the Risk Assessment to be reviewed and updated periodically. A common standard is annual review, plus review whenever your environment changes significantly.
Confusing a vendor's BAA with a Risk Assessment also trips up many practices. A BAA is a contract. A Risk Assessment is an evaluation. They are completely different documents serving completely different compliance functions.
Not documenting the remediation leaves half the requirement unfulfilled. Identifying risks without documenting your plan to address them is incomplete. OCR wants to see both the assessment and the risk management plan.
How Often to Update Your Risk Assessment
The Security Rule requires periodic review rather than specifying an exact frequency. Most compliance professionals interpret this as at minimum annually. In practice, you should also review your Risk Assessment whenever you adopt a new system that stores or transmits ePHI, change office locations, hire new staff who will access patient information, change EHR systems or telehealth platforms, or experience a security incident, even a minor one.
Simplifying the Process for Solo Practices
The Risk Assessment requirement intimidates many solo therapists because the official HIPAA guidance and most commercial tools are designed for large organizations. The substance of what a solo practice needs to assess, however, is genuinely manageable.
Your environment is limited: likely one EHR, one telehealth platform, one or two devices, and a small number of staff or none. A thorough Risk Assessment for a solo practice can realistically be completed in a few hours. The critical thing is that it produces a written document that captures what you found and what you intend to do about it.
HIPAA Hub includes a guided Risk Assessment Engine that walks solo practices through every required evaluation area, produces a scored report, and generates remediation action items automatically.
Using Your Risk Assessment Results
The Risk Assessment is not the end of the process. The risk management requirement in the Security Rule means you must take action on what you find. For each high-risk vulnerability, document what you are doing to reduce that risk to an acceptable level. This might mean encrypting your laptop, setting up automatic screen lock, switching to a HIPAA-compliant email provider, or signing a missing BAA.
Keep your Risk Assessment and your risk management actions together in the same location. When OCR requests your documentation, you want to be able to show both the assessment and the evidence that you acted on it.
Ready to complete your Risk Assessment? HIPAA Hub's Risk Assessment Engine guides solo therapists through every required evaluation area, scores your compliance posture, and generates a PDF report formatted for OCR review. Start your free 14-day trial at hipaahubhealth.com.
Disclaimer: This article provides general educational information about HIPAA requirements and does not constitute legal advice.