What Is a HIPAA Risk Assessment?
A HIPAA risk assessment is a systematic evaluation of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of protected health information (PHI) held by a covered entity or business associate. Required under the HIPAA Security Rule (45 CFR § 164.308), this assessment identifies threats, evaluates existing safeguards, and determines whether current security measures adequately protect electronic PHI (ePHI).
Every healthcare organization that creates, receives, maintains, or transmits PHI must conduct a HIPAA risk assessment — and it must be thorough, documented, and updated regularly. Failure to do so is one of the most commonly cited violations in OCR enforcement actions, with fines ranging from $100,000 to over $5.5 million.
Medcurity’s AI-powered platform automates the HIPAA risk assessment process, guiding organizations step-by-step through a comprehensive Security Risk Analysis that satisfies OCR requirements — without expensive consultants or complex spreadsheets. See how it works →
Who Must Conduct a HIPAA Risk Assessment?
The HIPAA Security Rule applies to all covered entities and their business associates. This includes:
- Healthcare providers — hospitals, physician practices, dental offices, mental health providers, chiropractors, pharmacies, and any provider who transmits health information electronically
- Health plans — health insurance companies, HMOs, employer-sponsored health plans, Medicare, and Medicaid
- Healthcare clearinghouses — entities that process nonstandard health information into standard formats
- Business associates — any organization that handles PHI on behalf of a covered entity, including IT vendors, billing companies, cloud service providers, shredding companies, EHR platforms, and consultants
Notably, OCR data shows that approximately 40% of all HIPAA breaches involving 500+ records are attributable to business associates. Yet many business associates still fail to conduct their own independent risk assessments — a gap that has led to significant enforcement actions.
The Two Required HIPAA Risk Assessments
1. HIPAA Security Risk Assessment (Required)
The primary HIPAA risk assessment requirement appears in the Security Management Process standard (45 CFR § 164.308(a)(1)). This requires organizations to conduct an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.”
The objectives of this assessment, as outlined in the HIPAA Security Rule’s General Rules (45 CFR § 164.306), are to:
- Ensure the confidentiality, integrity, and availability of all ePHI created, received, maintained, or transmitted
- Protect against reasonably anticipated threats or hazards to the security or integrity of ePHI
- Protect against reasonably anticipated impermissible uses or disclosures
- Ensure workforce compliance through training and sanctions policies
2. HIPAA Breach Risk Assessment (Situational)
The second risk assessment requirement appears in the HIPAA Breach Notification Rule (45 CFR § 164.402). When an impermissible acquisition, access, use, or disclosure of unsecured PHI occurs, organizations must assess whether the incident constitutes a reportable breach by evaluating:
- The nature and extent of the PHI involved, including types of identifiers and likelihood of re-identification
- The unauthorized person who accessed or received the PHI
- Whether the PHI was actually acquired or viewed
- The extent to which risk to the PHI has been mitigated
Organizations may skip this assessment and report every incident as a breach, but doing so risks triggering unnecessary OCR scrutiny and eroding patient trust through excessive notifications.
3. HIPAA Privacy Risk Assessment (Recommended)
While not explicitly required as a standalone assessment, conducting a privacy risk assessment is considered best practice. This assessment extends beyond ePHI to cover verbal disclosures, paper records, individual access rights, and Business Associate Agreement compliance — areas where many organizations have significant gaps.
How to Conduct a HIPAA Risk Assessment: Step-by-Step
A thorough HIPAA risk assessment follows a structured methodology. While the Security Rule allows flexibility in approach, OCR expects organizations to address each of the following steps. Read our detailed step-by-step guide →
Step 1: Define the Scope
Identify all systems, applications, and locations where ePHI is created, received, maintained, or transmitted. This includes EHR systems, email servers, cloud storage, mobile devices, backup media, and any third-party platforms. Many organizations underestimate scope by overlooking devices like fax machines, copiers with hard drives, and personal smartphones used for work.
Step 2: Identify Threats and Vulnerabilities
Document all reasonably anticipated threats to each system or asset identified in Step 1. Threats fall into several categories:
- Natural threats — floods, earthquakes, power outages, severe weather
- Human threats — hacking, phishing, ransomware, social engineering, insider threats, unauthorized access
- Environmental threats — hardware failure, software bugs, power surges, HVAC failure in server rooms
- Process threats — lack of training, missing policies, inadequate access controls, improper disposal
Step 3: Assess Current Security Measures
Evaluate the administrative, physical, and technical safeguards currently in place. This includes reviewing access controls, encryption practices, audit logs, physical security, workforce training, incident response plans, and Business Associate Agreements. The goal is to determine whether existing measures adequately address identified threats.
Step 4: Determine the Likelihood and Impact of Threats
For each threat-vulnerability combination, assess the probability of occurrence (high, medium, low) and the potential impact if the threat materializes. Most organizations use a qualitative risk matrix to assign risk levels, though quantitative approaches can also be effective for larger organizations.
Step 5: Assign Risk Levels and Prioritize
Combine likelihood and impact ratings to determine an overall risk level for each identified risk. This prioritization drives your remediation plan — high-risk items should be addressed immediately, while lower-risk items can be scheduled for future remediation cycles.
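The qualitative risk matrix described in Steps 4 and 5 is easy to get inconsistent when it lives in a spreadsheet, so the following added example (written for this page, not Medcurity's code or the HHS tool) shows one way to make it deterministic: every threat-vulnerability pair gets a likelihood and impact rating, a fixed matrix maps the pair to an overall level, and the register is sorted and bucketed into remediation cycles. The rating scale, the 3x3 matrix, the cycle names and the sample register are all constructed assumptions; invalid ratings are rejected rather than silently scored.

```python
"""Qualitative risk matrix and prioritisation for a HIPAA risk assessment.

Added example for Steps 4 and 5; it is not Medcurity's code. The rating
scale, the 3x3 matrix, the remediation buckets and the sample register are
all constructed assumptions for illustration.
"""
from dataclasses import dataclass

# Ordinal values for the qualitative ratings assigned in Step 4.
RATING = {"low": 1, "medium": 2, "high": 3}

# Assumed qualitative matrix: (likelihood, impact) -> overall risk level.
# Impact is weighted more heavily than likelihood, so a rare but severe
# event (e.g. ransomware against the EHR) never lands below "medium".
RISK_MATRIX = {
    ("low", "low"): "low",
    ("low", "medium"): "low",
    ("low", "high"): "medium",
    ("medium", "low"): "low",
    ("medium", "medium"): "medium",
    ("medium", "high"): "high",
    ("high", "low"): "medium",
    ("high", "medium"): "high",
    ("high", "high"): "high",
}

# Assumed mapping from risk level to remediation cycle (Steps 5 and 7).
REMEDIATION_CYCLE = {"high": "immediate", "medium": "next_cycle", "low": "backlog"}


@dataclass(frozen=True)
class RiskItem:
    """One threat-vulnerability pair against a scoped ePHI asset (Steps 1-2)."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str


def _check_rating(name, value):
    """Reject ratings outside the agreed scale so the matrix lookup cannot fail."""
    if value not in RATING:
        raise ValueError(f"{name} must be one of {sorted(RATING)}, got {value!r}")


def risk_level(item):
    """Step 5: combine likelihood and impact via the matrix into one level."""
    _check_rating("likelihood", item.likelihood)
    _check_rating("impact", item.impact)
    return RISK_MATRIX[(item.likelihood, item.impact)]


def risk_score(item):
    """Numeric tie-breaker inside a level: higher product = address sooner."""
    return RATING[item.likelihood] * RATING[item.impact]


def prioritize(register):
    """Return the register ordered highest risk first.

    Sort key: matrix level (high > medium > low), then the numeric score,
    then impact alone so that, within equal scores, the more damaging
    outcome is tackled first. Python's sort is stable, so items that tie
    on every key keep their register order.
    """
    return sorted(
        register,
        key=lambda it: (RATING[risk_level(it)], risk_score(it), RATING[it.impact]),
        reverse=True,
    )


def remediation_plan(register):
    """Bucket the prioritized register into remediation cycles by risk level."""
    plan = {cycle: [] for cycle in REMEDIATION_CYCLE.values()}
    for item in prioritize(register):
        plan[REMEDIATION_CYCLE[risk_level(item)]].append(item)
    return plan


# Constructed sample register; threats are drawn from the Step 2 categories.
SAMPLE_REGISTER = [
    RiskItem("Server room", "HVAC failure", "no temperature alarm", "low", "medium"),
    RiskItem("EHR server", "ransomware", "backups are online and writable", "medium", "high"),
    RiskItem("Lease copier", "improper disposal", "hard drive not wiped at return", "high", "medium"),
    RiskItem("Staff smartphones", "device loss", "no encryption or remote wipe", "high", "high"),
    RiskItem("Paper charts", "flood", "ground-floor storage", "low", "high"),
    RiskItem("Fax machine", "misdirected fax", "no confirmation step", "medium", "low"),
]


if __name__ == "__main__":
    for cycle, items in remediation_plan(SAMPLE_REGISTER).items():
        print(f"== {cycle} ==")
        for it in items:
            print(f"  [{risk_level(it):6}] {it.asset}: {it.threat} / {it.vulnerability}")
```

Running the script prints the sample register grouped into the immediate, next-cycle and backlog buckets. Because the matrix, scale and cycle mapping are plain data at the top of the file, they can be versioned alongside the register, which gives an auditor the documented methodology that Step 6 asks for and keeps year-over-year comparisons consistent.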
Step 6: Document Everything
Thorough documentation is not optional. OCR expects to see written evidence of your risk assessment methodology, findings, risk levels, and remediation plans. Organizations that conduct assessments but fail to document them have still been found non-compliant.
Step 7: Develop and Implement a Remediation Plan
Create an actionable plan to address identified risks, starting with the highest-priority items. Assign ownership, set deadlines, and track progress. New policies and procedures should be developed where gaps exist, and workforce training should be updated to reflect any changes.
Step 8: Review and Update Regularly
A HIPAA risk assessment is not a one-time exercise. Organizations should review and update their assessment at least annually, and whenever significant changes occur — such as new technology deployments, organizational restructuring, security incidents, or changes in regulations. The 2026 HIPAA Security Rule updates make this particularly important right now.
Simplify your risk assessment with Medcurity. Our AI-powered platform walks your team through every step of the HIPAA Security Risk Analysis, automatically generates documentation, tracks remediation progress, and maintains a continuous compliance posture — all starting at $25/month. Request a demo →
HIPAA Security Rule Safeguards: What Your Risk Assessment Must Cover
The HIPAA Security Rule organizes its requirements into three categories of safeguards. Your risk assessment must evaluate compliance with each:
Administrative Safeguards (45 CFR § 164.308)
Administrative safeguards are the policies, procedures, and actions that manage the selection, development, implementation, and maintenance of security measures. Key standards include:
- Security Management Process — Risk analysis, risk management, sanction policy, and information system activity review
- Assigned Security Responsibility — Designation of a security official responsible for HIPAA compliance
- Workforce Security — Authorization, supervision, clearance procedures, and termination procedures
- Information Access Management — Access authorization, establishment, and modification controls
- Security Awareness Training — Regular training on security reminders, malware protection, login monitoring, and password management
- Security Incident Procedures — Response and reporting protocols for security events
- Contingency Planning — Data backup, disaster recovery, emergency mode operations, and testing
- Evaluation — Periodic assessment of security program effectiveness
- Business Associate Contracts — Written agreements with all entities handling ePHI
Physical Safeguards (45 CFR § 164.310)
Physical safeguards protect electronic information systems, equipment, and the buildings that house them:
- Facility Access Controls — Physical security plans, access validation, and maintenance records
- Workstation Use and Security — Policies for appropriate workstation use and physical security measures
- Device and Media Controls — Disposal, re-use, accountability, and data backup procedures for hardware and media
Technical Safeguards (45 CFR § 164.312)
Technical safeguards are the technology and related policies that protect ePHI and control access:
- Access Controls — Unique user identification, emergency access, automatic logoff, and encryption
- Audit Controls — Hardware, software, and procedural mechanisms to record and examine system activity
- Integrity Controls — Mechanisms to authenticate and protect ePHI from improper alteration or destruction
- Person or Entity Authentication — Verification of identity before granting access to ePHI
- Transmission Security — Integrity controls and encryption for ePHI transmitted over electronic networks
The Cost of Not Conducting a HIPAA Risk Assessment
OCR has made it clear that failing to conduct a risk assessment is among the most serious HIPAA violations. Recent enforcement actions demonstrate the financial and operational consequences:
- Advocate Health Care Network — $5.55 million settlement for failing to conduct an enterprise-wide risk assessment
- Premera Blue Cross — $6.85 million for insufficient risk assessment practices that contributed to a breach affecting 10.4 million people
- Banner Health — $1.25 million for failure to conduct an accurate risk analysis covering all ePHI
- North Memorial Health Care — $1.55 million for failing to conduct a risk assessment and not having a BAA with a major contractor
- Catholic Health Care Services — $650,000 for not conducting a risk assessment since 2013
Beyond financial penalties, organizations face reputational damage, loss of patient trust, operational disruption from breach remediation, and the cost of credit monitoring services for affected individuals. For small practices, a single HIPAA breach can be existential.
HIPAA Risk Assessment Tools and Software
Several tools exist to assist organizations with the HIPAA risk assessment process:
HHS Security Risk Assessment (SRA) Tool
The Office of the National Coordinator for Health IT (ONC) and OCR developed a free downloadable SRA tool aimed at small and medium-sized practices. While helpful for identifying some vulnerabilities, the tool’s own User Guide states it “is not a guarantee of HIPAA compliance.” It lacks risk level assignment guidance, remediation tracking, and policy generation capabilities.
Spreadsheet-Based Approaches
Many organizations attempt risk assessments using Excel spreadsheets or Google Sheets. While flexible, this approach is difficult to maintain over time, lacks version control, provides no automated guidance, and makes it challenging to demonstrate compliance during an audit.
Consultant-Led Assessments
Hiring a HIPAA compliance consultant can produce thorough results but typically costs $5,000-$30,000+ per assessment and creates dependency on external expertise. Organizations still need to maintain compliance between consultant visits.
Cloud-Based HIPAA Compliance Platforms
Modern HIPAA compliance software platforms combine risk assessment tools with remediation tracking, policy management, training, and continuous monitoring. These platforms offer the most comprehensive and cost-effective approach for most organizations.
Medcurity combines the best of all approaches. Our platform provides guided, AI-powered risk assessments that are more thorough than the free SRA tool, more affordable than consultants, and more maintainable than spreadsheets. We include Security Risk Analysis, policy generation, BAA tracking, remediation management, and network vulnerability assessment — all in one platform starting at $25/month. Explore Medcurity →
HIPAA Risk Assessment Best Practices for 2026
With the proposed HIPAA Security Rule changes and the evolving threat landscape, organizations should adopt these best practices:
- Conduct assessments at least annually — and more frequently when significant changes occur to your environment, technology, or the regulatory landscape
- Include all forms of PHI — don’t limit your assessment to ePHI; consider paper records, verbal communications, and physical media
- Assess business associates independently — verify that your BAs conduct their own risk assessments and can provide documentation
- Use a consistent methodology — whether NIST, OCTAVE, or another framework, consistency enables meaningful year-over-year comparisons
- Involve leadership — risk assessments should not be delegated entirely to IT; clinical, administrative, and executive stakeholders all have critical insights
- Address AI and telehealth risks — the growth of telehealth and AI-powered clinical tools introduces new risk vectors that many assessments overlook
- Document remediation progress — OCR recognizes that not all risks can be addressed immediately, but expects documented plans with timelines and assigned responsibility
- Test your incident response plan — a risk assessment that identifies incident response gaps is only valuable if those gaps are actually closed through tabletop exercises and testing
HIPAA Risk Assessment by Organization Type
Risk assessment requirements apply equally to all covered entities and business associates, but the practical approach varies by organization type:
Small Medical Practices
Small practices face unique challenges: limited IT staff, tight budgets, and the misconception that small size equals small risk. In reality, OCR investigates and fines small practices regularly. The key is using right-sized tools that provide comprehensive coverage without requiring deep technical expertise. Learn about HIPAA risk assessments for small practices →
Hospitals and Health Systems
Large organizations must contend with complex technology ecosystems, numerous business associate relationships, and distributed workforces. Enterprise risk assessments require coordination across departments and often benefit from phased approaches that address the highest-risk areas first.
Business Associates and IT Vendors
Business associates must conduct their own independent risk assessments — they cannot rely on the covered entity’s assessment to cover their obligations. This is particularly important for cloud service providers, EHR vendors, and managed service providers who handle ePHI for multiple covered entities.
Dental Practices
Dental practices are fully subject to HIPAA requirements but often underestimate their compliance obligations. Digital imaging systems, practice management software, and electronic claims submission all create ePHI that must be assessed. See our dental practice guide →
Mental Health and Behavioral Health Providers
Mental health providers handle particularly sensitive PHI, including psychotherapy notes that receive extra protection under HIPAA. Risk assessments for these organizations must pay special attention to access controls, minimum necessary standards, and the unique confidentiality requirements of 42 CFR Part 2 for substance use disorder records.
Common HIPAA Risk Assessment Mistakes
After working with hundreds of healthcare organizations, we’ve identified the most frequent risk assessment pitfalls:
- Treating it as a checkbox exercise — rushing through the assessment to “get it done” rather than conducting a genuinely thorough evaluation
- Failing to document the methodology — OCR expects to see not just results but the process used to arrive at those results
- Ignoring non-electronic PHI — a comprehensive assessment must include paper records, verbal communications, and physical security
- Overlooking business associates — your risk assessment should evaluate BA compliance and BAA adequacy
- Not updating after changes — a risk assessment from 2023 does not satisfy 2026 requirements if your environment has changed significantly
- Confusing risk assessment with risk analysis — assessment identifies risks; analysis assigns risk levels for prioritization. Both are required.
- Failing to create a remediation plan — identifying risks without a documented plan to address them is insufficient
- Not involving the right stakeholders — risk assessments conducted solely by IT miss clinical and operational risks
Related Resources
Explore our comprehensive library of HIPAA compliance resources:
- The Comprehensive Guide to HIPAA Risk Assessments — our in-depth pillar guide covering every aspect of the risk assessment process
- How to Conduct a HIPAA Risk Assessment: Step-by-Step
- What Is a HIPAA Security Risk Analysis?
- The Complete HIPAA Compliance Checklist for 2026
- HIPAA Security Rule Changes in 2026
- HIPAA Compliance Software Comparison
- Network Vulnerability Assessments and HIPAA
- HIPAA Training Requirements in 2026
HIPAA Risk Assessment FAQ
What is a HIPAA risk assessment?
A HIPAA risk assessment is a required evaluation that healthcare organizations and their business associates must conduct to identify potential threats and vulnerabilities to the confidentiality, integrity, and availability of protected health information (PHI). The requirement appears in the HIPAA Security Rule (45 CFR § 164.308) and is one of the most commonly cited areas in OCR enforcement actions.
How often should a HIPAA risk assessment be conducted?
While HIPAA does not specify an exact frequency, OCR guidance and industry best practice recommend conducting a risk assessment at least annually. Additionally, assessments should be updated whenever significant changes occur to your organization’s technology, operations, or the regulatory environment — such as the 2026 proposed HIPAA Security Rule changes.
What is the difference between a HIPAA risk assessment and a HIPAA risk analysis?
A HIPAA risk assessment identifies the risks and vulnerabilities to PHI within your organization. A risk analysis goes further by assigning likelihood and impact ratings to each identified risk, producing a prioritized risk matrix. In practice, the terms are often used interchangeably, but a complete compliance program requires both identification (assessment) and prioritization (analysis).
What happens if you don’t conduct a HIPAA risk assessment?
Failing to conduct a HIPAA risk assessment can result in significant financial penalties from OCR, ranging from $100,000 to over $5.5 million depending on the severity and level of negligence. Beyond fines, organizations face increased breach risk, reputational damage, loss of patient trust, and potential litigation. Several organizations have been fined specifically for lacking a risk assessment — even without an actual data breach occurring.
Can I use the free HHS SRA tool for my HIPAA risk assessment?
The HHS Security Risk Assessment (SRA) tool can help identify some vulnerabilities, particularly for small practices. However, the tool’s own documentation states it “is not a guarantee of HIPAA compliance.” It lacks risk level assignment guidance, remediation tracking, policy generation, and continuous monitoring capabilities. Most organizations benefit from a more comprehensive platform that provides guided assessments, automated documentation, and ongoing compliance management.
Do business associates need to conduct their own HIPAA risk assessment?
Yes. Business associates are independently required to comply with the HIPAA Security Rule and must conduct their own thorough risk assessments. They cannot rely on the covered entity’s assessment. This applies to all organizations that create, receive, maintain, or transmit PHI on behalf of a covered entity, including IT vendors, billing companies, cloud service providers, and consultants.
What should a HIPAA risk assessment include?
A comprehensive HIPAA risk assessment should include: identification of all ePHI assets and data flows, identification of threats and vulnerabilities for each asset, evaluation of current security measures (administrative, physical, and technical safeguards), likelihood and impact ratings for each risk, a prioritized risk matrix, documented remediation plans with timelines and assigned ownership, and evidence of the methodology used.
How much does a HIPAA risk assessment cost?
Costs vary significantly by approach. Hiring a consultant typically costs $5,000-$30,000+ per assessment. The HHS SRA tool is free but limited. Cloud-based compliance platforms like Medcurity start at $25/month and provide comprehensive, ongoing risk assessment capabilities along with remediation tracking, policy management, and continuous compliance monitoring.
What is the difference between a HIPAA risk assessment and a HIPAA compliance audit?
A HIPAA risk assessment is an internal process that identifies threats and vulnerabilities to PHI so your organization can implement appropriate safeguards. A HIPAA compliance audit is typically an external evaluation (often by OCR or a third-party auditor) that assesses your organization’s overall compliance with HIPAA Privacy, Security, and Breach Notification Rules. A thorough risk assessment is one of the first things auditors look for during a compliance audit.
Is there a HIPAA risk assessment template I can use?
There is no universal HIPAA risk assessment template because organizations vary significantly in size, complexity, and the types of PHI they handle. Any template found online should be treated with caution, as it likely won’t cover all risks specific to your organization. A better approach is using a guided platform that adapts to your organization’s unique environment while ensuring all required elements are addressed.