HIPAA Risk Assessment Guide for Healthcare Organizations

Introduction

OCR audit data reveals that only 14% of covered entities and 17% of business associates substantially fulfill HIPAA's risk assessment requirement - making it one of the most frequently cited violations in federal enforcement actions. For most organizations, the problem isn't awareness. It's execution.

The HIPAA Security Rule (45 CFR §164.308) requires covered entities and business associates to conduct a structured assessment of potential threats to protected health information (PHI). Healthcare organizations, compliance officers, IT security teams, and business associates all share this obligation - yet many struggle to move beyond checkbox compliance into assessments that hold up under OCR scrutiny.

This guide walks through what a defensible HIPAA risk assessment actually requires: how to scope it correctly, identify and evaluate threats, document your findings, and close gaps before they become violations.

Overview

  • HIPAA risk assessments are federally mandated under the Security Rule (45 CFR §164.308) for all covered entities and business associates
  • Three distinct types exist: security (for ePHI), breach (triggered by impermissible disclosures), and privacy (for non-electronic PHI and workflows)
  • Reassess whenever significant changes occur: new technology, security incidents, workforce shifts, or ownership changes
  • Skipping or skimping on a risk assessment invites OCR enforcement, financial penalties, and reputational damage

What Is a HIPAA Risk Assessment (and Why Is It Legally Required)?

A HIPAA risk assessment is a structured evaluation of potential risks and vulnerabilities to PHI, designed to determine whether existing safeguards adequately reduce those risks to a reasonable and appropriate level. Two specific legal triggers require these assessments:

  • 45 CFR §164.308(a)(1)(ii)(A) mandates security risk assessments for electronic protected health information (ePHI)
  • 45 CFR §164.402 requires breach risk assessments when an impermissible disclosure of PHI occurs

Risk Assessment vs. Risk Analysis

While the terms are often used interchangeably, there's an important distinction: risk analysis (the official regulatory term in the Security Rule) identifies what risks exist, while risk assessment assigns likelihood and impact ratings to each risk, enabling prioritization. In practice, both steps are required - risk analysis tells you what threats exist, and risk assessment tells you which ones to address first.

Who Must Comply

Understanding these definitions matters before conducting any assessment. Covered entities include:

  • Health plans
  • Healthcare clearinghouses
  • Healthcare providers who transmit health information electronically

Business associates include:

  • Billing companies
  • IT vendors and cloud storage providers
  • Subcontractors handling PHI

According to the January 2025 Federal Register notice, business associates submitted only 21% of breach reports affecting 500+ individuals in 2023. Yet those incidents accounted for 49% of all affected individuals. That gap reflects the outsized risk posed when third-party vendors mishandle PHI.

The Three Types of HIPAA Risk Assessments Healthcare Organizations Must Know

HIPAA risk assessments are not one-size-fits-all. Healthcare organizations may need to conduct all three types depending on their operations, and conflating them creates dangerous compliance gaps.

HIPAA Security Risk Assessment

This is the primary mandatory assessment under §164.308(a)(1), covering all ePHI the organization creates, receives, maintains, or transmits. It spans administrative, physical, and technical safeguards.

It evaluates:

  • ePHI across all electronic media (servers, workstations, cloud environments, portable devices)
  • Internal and external threats
  • Existing security controls and whether they're configured and used properly

The Security Rule allows "flexibility of approach" in implementation but does not make the assessment optional.

HIPAA Breach Risk Assessment

Unlike the Security Risk Assessment, this one is reactive - triggered when an impermissible acquisition, access, use, or disclosure of PHI occurs.

Under the Breach Notification Rule, any such event is presumed a notifiable breach unless the organization demonstrates a low probability of compromise using a four-factor analysis:

  1. Nature and extent of PHI involved (including likelihood of re-identification)
  2. Identity of the unauthorized person who accessed it
  3. Whether PHI was actually acquired or viewed
  4. Extent to which risk has been mitigated

[Infographic: four-factor HIPAA breach risk assessment decision framework]

Organizations can notify on every impermissible disclosure, but excessive notifications trigger OCR compliance reviews and erode patient trust.

HIPAA Privacy Risk Assessment

Where the Security Assessment focuses on electronic systems, this one targets non-electronic PHI risks: verbal disclosures, printed records, and workflow vulnerabilities. It also covers patient access rights, Business Associate Agreements, and organizational requirements under the Privacy Rule - and it's the most commonly overlooked of the three.

Core requirements under 45 CFR §164.530 include:

  • Appointing a Privacy Officer
  • Mapping PHI flows internally and externally
  • Conducting a gap analysis
  • Developing a privacy compliance program with staff training

How to Conduct a HIPAA Security Risk Assessment

There is no single prescribed methodology under the HIPAA Security Rule, but OCR guidance aligned with NIST SP 800-30 outlines core elements any methodology must address. All findings must be documented.

Step 1: Define Scope and Identify ePHI

Scope must include all ePHI the organization creates, receives, maintains, or transmits - across every electronic medium:

  • Hard drives and servers
  • Cloud storage platforms
  • Mobile devices and tablets
  • Network infrastructure

Organizations should document data flows by interviewing staff, reviewing existing documentation, and inventorying systems. This step is commonly underscoped when organizations only consider primary EHR systems, missing risks in email, portable devices, and cloud file-sharing tools.

Step 2: Identify Threats and Vulnerabilities

Threats fall into three categories:

  • Human: Cyberattacks, insider error, malicious insiders
  • Natural: Floods, fires, severe weather
  • Environmental: Power failures, hardware failures

Vulnerabilities are the weaknesses those threats could exploit. Both must be documented, including threats unique to the organization's environment.

Step 3: Assess Likelihood and Impact

For each threat-vulnerability combination, estimate:

  • Probability of occurrence (likelihood)
  • Resulting impact on confidentiality, integrity, and availability of ePHI

Qualitative or quantitative methods (or a combination) are acceptable. The output should be a documented list of all threat-vulnerability pairs with associated likelihood and impact ratings.

Step 4: Determine Risk Levels and Prioritize

Risk levels are calculated by combining likelihood and impact scores, often using a risk matrix. The resulting risk rankings guide remediation prioritization - critical risks are addressed first.

The updated HHS SRA Tool v3.6 (released September 2025) uses NIST-aligned terminology and scoring. While it's a free starting resource for smaller practices, the User Guide explicitly states: "Use of this tool is neither required by nor guarantees compliance with federal, state or local laws."

Step 5: Document All Findings

The Security Rule requires risk analysis documentation but doesn't specify a format. Documentation must include:

  • Scope definition
  • Data collected during assessment
  • Identified threats and vulnerabilities
  • Likelihood and impact ratings
  • Risk levels assigned
  • Planned corrective actions

[Infographic: the six required components of HIPAA risk assessment documentation]

Records must be retained for at least six years under 45 CFR §164.316(b)(2)(i). OCR frequently cites inadequate documentation as a compliance failure - recent enforcement actions include:

Step 6: Review and Update Continuously

Those enforcement actions share a common thread: gaps that went undetected too long. Risk assessment is an ongoing process, not a one-time event. Reassessment should occur when:

  • New technology is introduced
  • Significant organizational changes occur (ownership, key personnel)
  • A security incident has occurred
  • At least annually, as a minimum
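The worked register below ties Steps 2 through 5 together in code: it takes threat-vulnerability pairs with qualitative likelihood and impact ratings, combines them through a 3x3 risk matrix, ranks them, and produces the documented list the Security Rule expects. This is an added illustration, not code from the original guide or the HHS SRA Tool; the matrix thresholds (product of Low=1/Medium=2/High=3) and the sample findings are constructed assumptions.

```python
"""Risk register builder for a HIPAA security risk assessment (added example).

Assumes a qualitative 3x3 likelihood/impact matrix in the spirit of
NIST SP 800-30. All findings below are constructed sample data.
"""
from dataclasses import dataclass

LEVELS = {"Low": 1, "Medium": 2, "High": 3}


def risk_level(likelihood: str, impact: str) -> tuple:
    """Combine two qualitative ratings into (score, label).

    Assumed scheme: score = likelihood x impact on a 1-3 scale, so the
    only possible products are 1, 2, 3, 4, 6 and 9.
    """
    score = LEVELS[likelihood] * LEVELS[impact]
    if score == 9:
        label = "Critical"
    elif score == 6:
        label = "High"
    elif score >= 3:
        label = "Medium"
    else:
        label = "Low"
    return score, label


@dataclass
class Finding:
    asset: str              # where the ePHI lives (Step 1 scope item)
    threat: str             # human, natural or environmental threat (Step 2)
    vulnerability: str      # weakness that threat could exploit (Step 2)
    likelihood: str         # Low / Medium / High (Step 3)
    impact: str             # Low / Medium / High on C/I/A of ePHI (Step 3)
    corrective_action: str  # planned remediation (Step 5 documentation)


def build_register(findings):
    """Return every pair with its risk level, highest risk first (Step 4)."""
    rows = []
    for f in findings:
        score, label = risk_level(f.likelihood, f.impact)
        rows.append({**vars(f), "score": score, "risk_level": label})
    # Ties on score are ordered by asset name so the register is deterministic.
    return sorted(rows, key=lambda r: (-r["score"], r["asset"]))


# Constructed sample findings covering media outside the primary EHR system.
SAMPLE_FINDINGS = [
    Finding("Clinician laptop", "Theft or loss", "No full-disk encryption",
            "High", "High", "Deploy managed disk encryption"),
    Finding("Email", "Phishing", "No MFA on webmail", "High", "Medium",
            "Enforce MFA for all mail accounts"),
    Finding("Cloud file share", "Malicious insider", "Anyone-with-link sharing",
            "Medium", "High", "Restrict sharing to named users"),
    Finding("Server room", "Power failure", "No UPS on EHR host", "Medium",
            "Medium", "Install UPS and test failover"),
    Finding("EHR server", "Flood", "Ground-floor data closet", "Low", "High",
            "Relocate or add offsite backups"),
]
```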

Most organizations struggle to maintain visibility between formal assessment cycles. Cybriant's continuous vulnerability scanning and 24/7 managed security monitoring close that gap - detecting vulnerabilities as they emerge rather than weeks later during a scheduled scan. This cuts the time attackers have to exploit undetected weaknesses and supports the continuous monitoring posture OCR expects covered entities to maintain.

Key Factors and Common Mistakes That Undermine HIPAA Risk Assessments

Not all risk assessments carry the same scope or complexity. Four variables typically determine the depth and approach required:

  • Small practices face different risk profiles than large health systems, so assessment methods need to match organizational size and structure
  • Higher volumes of sensitive PHI demand more comprehensive controls and broader asset coverage
  • Business associate relationships introduce external risk vectors that must be explicitly included, not assumed
  • Infrastructure choices - cloud vs. on-premises, remote workforces, legacy systems - each create distinct vulnerability patterns

The Scoping Mistake

The most common error is scoping the assessment too narrowly. Many organizations focus only on their EHR or billing system and miss risks in:

  • Email systems
  • Portable devices (laptops, tablets, smartphones)
  • Cloud file-sharing tools
  • Verbal and print PHI workflows

OCR enforcement actions frequently involve risks that weren't identified because they fell outside the assessed scope. University of Rochester Medical Center paid $3 million after failing to conduct an enterprise-wide risk analysis, specifically omitting unencrypted flash drives and personal laptops.

[Image: OCR HIPAA enforcement action settlement documents and penalty overview]

Scoping failures often travel alongside a second, equally costly mistake: conflating risk assessment with compliance assessment.

Risk Assessment vs. Compliance Assessment

A risk assessment identifies threats and vulnerabilities so safeguards can be implemented. A compliance assessment (typically conducted by a third party) evaluates whether the organization meets HIPAA standards. Running one without the other leaves gaps - either in known vulnerabilities or in verified controls.

The Tool Misconception

Completing the HHS Security Risk Assessment Tool or any third-party tool does not constitute full HIPAA compliance. These tools help identify issues but don't provide customized risk ratings, policy recommendations, or remediation plans. The SRA tool User Guide explicitly states it is not a guarantee of compliance.

From Assessment to Action: Building Your Risk Management Plan

The risk assessment feeds directly into a risk management plan that prioritizes vulnerabilities by risk level, assigns remediation ownership, and establishes timelines. According to the 2016-2017 HIPAA Audits Industry Report, the most common reason organizations fail HIPAA audits is inadequate policies and procedures - often because findings from risk assessments aren't translated into documented controls.

Essential Risk Management Plan Components

A defensible risk management plan typically includes four core elements:

  • Address critical risks first, ranked by likelihood and impact scores
  • Update policies and procedures to close specific gaps identified in the assessment
  • Build workforce training around actual vulnerabilities found - not generic security awareness modules
  • Define sanctions for employees who violate security policies

Managing Residual Risk

Not every identified risk can be fully eliminated. Any risk remaining after mitigation must be:

  • Formally accepted by an authorized organizational leader
  • Documented with clear reasoning
  • Acknowledged as carrying financial, reputational, and operational implications

This residual risk acceptance process is a required component of a defensible compliance program under OCR guidance.

[Infographic: the four core components of a HIPAA risk management plan, from assessment to residual risk acceptance]

Smaller healthcare organizations and those without dedicated security staff often struggle to move from assessment findings to an actionable remediation program. Working with a managed security service provider like Cybriant - which provides vulnerability management, 24/7 SOC monitoring, and Virtual CISO guidance - gives organizations a clear path from completing a risk assessment to sustaining ongoing compliance. Call 844-411-0404 to discuss a HIPAA risk assessment and the remediation support that follows.

Frequently Asked Questions

Does HIPAA require a risk assessment?

Yes, the HIPAA Security Rule (45 CFR §164.308(a)(1)) explicitly requires covered entities and business associates to conduct an accurate and thorough risk assessment of potential risks to ePHI. A second assessment may also be required under the Breach Notification Rule when an impermissible PHI disclosure occurs.

What is a HIPAA security risk assessment?

It's a structured evaluation of all potential threats and vulnerabilities to the confidentiality, integrity, and availability of ePHI that an organization creates, receives, maintains, or transmits. The goal is to identify and reduce risks to a reasonable and appropriate level across all safeguard categories.

How often does HIPAA require a security risk assessment?

HIPAA doesn't specify a fixed frequency, but OCR guidance indicates the process should be ongoing. Reassessment is required whenever significant changes occur - new technology deployments, organizational restructuring, or security incidents - and most organizations schedule a formal review at least annually.

What factors should be considered in a risk assessment for a HIPAA breach?

The four-factor test under the Breach Notification Rule examines: (1) nature and extent of the PHI involved (including likelihood of re-identification); (2) identity of the unauthorized person who accessed it; (3) whether PHI was actually acquired or viewed; and (4) the extent to which the risk has been mitigated.

What is the 2025 HIPAA security rule update?

In January 2025, HHS OCR proposed significant updates to the HIPAA Security Rule. Key proposed changes include:

  • Mandatory multi-factor authentication and encryption
  • Network segmentation and technology asset inventories
  • Enhanced vulnerability management with automated scanning and penetration testing

The rule remains in proposed status as of May 2026.

What does the low probability standard provided by HIPAA mean?

Under the Breach Notification Rule, an impermissible use or disclosure of PHI is presumed to be a reportable breach unless the organization demonstrates - through a four-factor risk assessment - that there is a low probability the PHI has been compromised. If this standard is met, breach notification to HHS and affected individuals is not required.