What Is a HIPAA Security Risk Assessment?
A HIPAA security risk assessment — formally called a risk analysis under the HIPAA Security Rule — is a mandated evaluation of every threat and vulnerability that could affect the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI) your organization creates, receives, maintains, or transmits. This is not a one-time checkbox exercise. The HIPAA Security Rule, codified at 45 CFR Part 164, requires covered entities and business associates to conduct an accurate and thorough assessment as the foundation for every other security safeguard they put in place.
The Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) has made risk analysis the centerpiece of its enforcement program. In virtually every settlement and civil monetary penalty OCR has issued, failure to conduct a thorough risk assessment is cited as a primary — and often the primary — violation. Understanding what the assessment requires, how to execute one correctly, and how to document your results is essential for any healthcare organization handling patient data in 2026.
Unlike a general IT audit or a penetration test, the HIPAA security risk assessment is a structured process that maps threats and vulnerabilities to specific ePHI assets and quantifies the probability and potential impact of harm. The result drives your entire HIPAA risk management program: what to fix, in what order, and to what standard. Organizations that skip this step do not just face regulatory exposure — they leave their patients, their reputations, and their operations exposed to preventable breaches.
HIPAA Breach and Enforcement By The Numbers
- IBM Cost of a Data Breach Report 2024 — the highest of any industry for 14 consecutive years
- HHS OCR Breach Reporting Portal — each affecting 500 or more individuals
- HHS civil monetary penalty cap for willful neglect violations left uncorrected
Who Must Conduct a HIPAA Security Risk Assessment?
The HIPAA Security Rule at 45 CFR §164.308(a)(1)(ii)(A) requires every covered entity and business associate to conduct a risk analysis. This applies to a wide range of organizations — not just large hospital systems.
Covered Entities
- Physician practices, dental offices, and specialty clinics of any size
- Hospitals, health systems, and ambulatory surgery centers
- Pharmacies and pharmacy benefit managers
- Health insurance plans and managed care organizations
- Nursing facilities, home health agencies, and behavioral health providers
Business Associates
Business associates — vendors, contractors, and service providers who handle ePHI on behalf of covered entities — became directly liable under the HIPAA Security Rule following the 2013 Omnibus Rule. This includes:
- Electronic Health Record (EHR) vendors and cloud hosting providers
- Medical billing and revenue cycle management companies
- IT service providers with access to systems containing ePHI
- Legal firms and accountants who access patient records in the course of their engagement
If your organization falls into either category, the risk assessment is not a matter of discretion. OCR has resolved enforcement actions against solo physician practices, small dental offices, and independent business associates — organizational size does not reduce your compliance obligations or shield you from penalties. For a broader look at how Bellator Cyber Guard approaches HIPAA compliance for healthcare organizations, including how managed services fit into your risk posture, visit our healthcare security page.
How to Conduct a HIPAA Security Risk Assessment: 7 Steps
Define the Scope and Identify All ePHI
Map every location where ePHI exists: EHR systems, practice management software, email servers, portable devices, cloud storage, backup media, and paper-to-digital workflows. Use a structured asset inventory. Assessments that miss ePHI locations are incomplete and indefensible to OCR.
Identify Potential Threats to ePHI
Document all reasonably anticipated threats — natural (flood, fire), human (insider misuse, external hacking), and environmental (power failures, hardware failures). NIST SP 800-30 Rev. 1 provides a standard threat catalog you can adapt for healthcare settings.
Identify and Document Vulnerabilities
For each threat, identify the technical, administrative, and physical weaknesses that could allow it to succeed. Examples include unpatched software, missing multi-factor authentication, inadequate workforce training, and unlocked server rooms.
Assess Existing Security Controls
Evaluate controls already in place — firewalls, encryption, access management policies, audit logs, physical locks — and determine their effectiveness at mitigating each identified threat. Gap analysis against the HIPAA Security Rule's required and addressable implementation specifications is essential here.
Determine Likelihood and Impact
For each threat-vulnerability pair, assign a probability rating (high/medium/low) and a potential impact level if ePHI is compromised. Combine these to produce a risk level. Use a consistent rating methodology so your results are reproducible and defensible in an OCR audit.
Document All Findings in a Risk Register
Produce a written risk register listing every identified risk, its rating, existing controls, and the gap between current and required protection. This document is the primary deliverable OCR will request in an audit or complaint investigation.
Develop and Implement a Risk Management Plan
Translate your risk register into a prioritized remediation plan with assigned owners, timelines, and success criteria. Document residual risk decisions. Risk management is a continuous process — reassess after significant operational or environmental changes.
Common Vulnerabilities Uncovered During HIPAA Risk Assessments
Across healthcare security engagements, the same categories of vulnerabilities appear in nearly every organization that has not conducted a formal HIPAA security risk assessment. Knowing what to look for helps you prioritize efficiently and allocate remediation resources where they will have the greatest impact.
Unencrypted Devices and Portable Media
Laptops, smartphones, USB drives, and external hard drives containing ePHI that lack full-disk encryption are among the most frequently cited HIPAA violations. OCR has levied fines from $50,000 to over $3 million for single incidents involving unencrypted devices. The HIPAA Security Rule's addressable specification at §164.312(a)(2)(iv) requires covered entities to implement encryption where reasonable and appropriate — and OCR consistently finds it is, for virtually all modern devices.
Inadequate Access Controls
Role-based access is required under §164.312(a)(1), yet many practices still grant all staff members broad access to their EHR or billing system. Each user account should have access only to the ePHI necessary for that individual's job function. Privileged accounts — those with administrative rights — need additional controls, including multi-factor authentication (MFA) and regular access reviews. Shared login credentials, a common workaround in understaffed practices, make individual accountability impossible and audit logs meaningless.
Missing or Incomplete Audit Logs
The audit control standard at §164.312(b) requires hardware, software, and procedural mechanisms to record and examine activity in systems containing ePHI. Practices running EHR systems with audit logging disabled — or logging enabled but never reviewed — face significant enforcement exposure. Effective audit log programs require both the technical capability to capture activity and the administrative process to review logs on a defined schedule.
Outdated Software and Unpatched Systems
End-of-life operating systems and unpatched applications are the entry point for the majority of ransomware attacks targeting healthcare. The Verizon 2024 Data Breach Investigations Report found that exploitation of vulnerabilities as an initial access vector grew 180% year-over-year. A disciplined patch management program directly reduces your HIPAA risk profile and your exposure to the ransomware groups that specifically target healthcare organizations.
Insufficient Workforce Training
Phishing remains the most common initial access method used against healthcare organizations. Security awareness training is an addressable implementation specification under §164.308(a)(5), but satisfying that specification requires more than an annual email reminder. Effective programs use simulated phishing exercises, role-based training modules, and documented completion records. See our guide on HIPAA compliance essentials for small practices for a practical workforce training framework.
Key Components of a Thorough HIPAA Security Risk Assessment
ePHI Asset Inventory
A complete map of all systems, devices, and workflows that create, receive, store, or transmit ePHI — including shadow IT and cloud services staff use without formal approval.
Threat and Vulnerability Catalog
A structured inventory of reasonably anticipated threats and the specific vulnerabilities each could exploit, drawn from NIST SP 800-30 and healthcare-specific threat intelligence sources.
Security Control Evaluation
Assessment of all technical, administrative, and physical safeguards against HIPAA Security Rule required and addressable specifications — with documented gap analysis for each.
Quantified Risk Ratings
Each identified risk rated by likelihood and impact using a repeatable methodology, producing a prioritized risk register that drives your remediation roadmap.
Audit Trail Documentation
Complete written documentation of the assessment methodology, scope, findings, and risk decisions — structured to satisfy OCR audit requests and demonstrate good-faith compliance.
Risk Management Plan
A prioritized, time-bound remediation plan aligned to your risk ratings, with assigned ownership and defined success criteria for each corrective action item.
Risk Management: Turning Assessment Findings Into Action
The HIPAA Security Rule distinguishes between the risk analysis (§164.308(a)(1)(ii)(A)) and risk management (§164.308(a)(1)(ii)(B)). Too many organizations stop at the analysis — producing a risk document but failing to implement a plan that actually reduces identified risks. OCR enforcement actions frequently cite both failures together, and the absence of a risk management plan is treated as evidence that the risk analysis itself was not taken seriously.
Effective risk management begins with prioritization. Not every finding in your risk register warrants the same urgency or investment. A structured approach sequences remediation by risk level:
- High-risk findings: Address immediately. These represent threats with high likelihood and high impact — active ransomware entry points, unencrypted ePHI at rest, or missing access controls on systems with broad patient data exposure. Timelines should be measured in days to weeks, not quarters.
- Medium-risk findings: Address within 30 to 90 days with a documented plan and assigned owners. Common examples include software patch backlogs, incomplete audit log configurations, and gaps in workforce training completion.
- Low-risk findings: Address within your normal security program cycle, typically 90 to 180 days. These still require documentation demonstrating active management.
For risks your organization chooses not to fully remediate — due to cost, operational constraints, or compensating controls already in place — you must document a formal risk acceptance decision with rationale signed by organizational leadership. OCR does not require zero risk; the standard is reasonable and appropriate risk management. What it will not accept is silence. Undocumented decisions look like willful neglect during an investigation.
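The scoring and prioritization described in the assessment steps above (likelihood and impact combined into a risk level, a risk register, and a remediation plan with owners, timelines, and documented risk acceptance) can be made reproducible with a small amount of code. The following is an added example written for this article; it is not a tool from Bellator Cyber Guard, HHS, or OCR. The 3x3 likelihood-by-impact matrix, the specific remediation day counts (chosen from within the ranges stated above), and the sample findings are all assumptions constructed for illustration:

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import IntEnum
from typing import Optional


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Likelihood x impact -> risk level. The Security Rule does not prescribe a
# matrix; this 3x3 mapping is an assumption chosen for the example. Using one
# fixed table is what makes the ratings reproducible across reassessments.
RISK_MATRIX = {
    (Level.HIGH, Level.HIGH): Level.HIGH,
    (Level.HIGH, Level.MEDIUM): Level.HIGH,
    (Level.MEDIUM, Level.HIGH): Level.HIGH,
    (Level.HIGH, Level.LOW): Level.MEDIUM,
    (Level.LOW, Level.HIGH): Level.MEDIUM,
    (Level.MEDIUM, Level.MEDIUM): Level.MEDIUM,
    (Level.MEDIUM, Level.LOW): Level.LOW,
    (Level.LOW, Level.MEDIUM): Level.LOW,
    (Level.LOW, Level.LOW): Level.LOW,
}

# Remediation windows in days: high = days to weeks, medium = 30 to 90 days,
# low = 90 to 180 days. The exact values are assumptions within those ranges.
REMEDIATION_DAYS = {Level.HIGH: 14, Level.MEDIUM: 90, Level.LOW: 180}


@dataclass
class RiskAcceptance:
    rationale: str
    approved_by: str          # organizational leadership, not the assessor
    approved_on: date


@dataclass
class Risk:
    asset: str                # ePHI location from the asset inventory
    threat: str
    vulnerability: str
    likelihood: Level
    impact: Level
    existing_controls: list[str] = field(default_factory=list)
    owner: Optional[str] = None
    acceptance: Optional[RiskAcceptance] = None

    @property
    def level(self) -> Level:
        return RISK_MATRIX[(self.likelihood, self.impact)]

    def due_date(self, assessed_on: date) -> date:
        return assessed_on + timedelta(days=REMEDIATION_DAYS[self.level])


def prioritize(register: list[Risk]) -> list[Risk]:
    """Order the register highest risk first; ties keep their input order."""
    return sorted(register, key=lambda r: r.level, reverse=True)


def documentation_gaps(register: list[Risk]) -> list[str]:
    """Findings with neither an assigned remediation owner nor a signed risk
    acceptance: the 'silence' an investigator reads as willful neglect."""
    return [
        f"{r.asset}: {r.threat} / {r.vulnerability}"
        for r in register
        if r.owner is None and r.acceptance is None
    ]


def build_plan(register: list[Risk], assessed_on: date) -> list[dict]:
    """Risk management plan rows: asset, level, owner, and either a deadline
    or the leadership acceptance that replaces one."""
    rows = []
    for r in prioritize(register):
        row = {"asset": r.asset, "level": r.level.name, "owner": r.owner}
        if r.acceptance:
            row["status"] = f"accepted by {r.acceptance.approved_by}"
        else:
            row["status"] = f"due {r.due_date(assessed_on).isoformat()}"
        rows.append(row)
    return rows


# Constructed sample register for a small practice; these are not real findings.
SAMPLE_ASSESSMENT_DATE = date(2025, 1, 15)
SAMPLE_REGISTER = [
    Risk("Clinician laptops", "Device theft/loss", "No full-disk encryption",
         Level.HIGH, Level.HIGH, existing_controls=["screen lock"], owner="IT lead"),
    Risk("EHR server", "Insider misuse", "Shared login credentials",
         Level.MEDIUM, Level.HIGH, existing_controls=["audit logging enabled"]),
    Risk("Billing workstation", "Ransomware", "Patch backlog over 60 days",
         Level.MEDIUM, Level.MEDIUM, owner="MSP"),
    Risk("Server room", "Unauthorized physical access", "Door lock not badge-controlled",
         Level.LOW, Level.MEDIUM, existing_controls=["locked door", "visitor log"],
         acceptance=RiskAcceptance("Single-tenant building with staffed reception",
                                   "Practice Administrator", SAMPLE_ASSESSMENT_DATE)),
]

if __name__ == "__main__":
    for row in build_plan(SAMPLE_REGISTER, SAMPLE_ASSESSMENT_DATE):
        print(row)
    print("Undocumented:", documentation_gaps(SAMPLE_REGISTER))
```

Run as a script, the plan lists the two high-risk items first with 14-day deadlines, and `documentation_gaps` flags the shared-credential finding on the EHR server because it has neither an owner nor an acceptance record. Keeping the matrix and day counts as data rather than ad hoc judgement is what lets the same finding receive the same rating at the next annual review.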
The NIST SP 800-30 Rev. 1 Guide for Conducting Risk Assessments provides the foundational methodology that OCR's own risk analysis guidance aligns with and frequently references. Using NIST 800-30 as your framework gives your assessment methodology recognized structure that holds up under OCR scrutiny. Your risk management program also needs a defined trigger for reassessment — any significant change to your environment, including a new EHR system, a merger, a security incident, or new remote work policies, should prompt an interim assessment update. Our team can help you build a continuous asset management and security assessment program that keeps your risk posture current between formal annual reviews.
HIPAA Security Risk Assessment: DIY vs. Managed vs. No Assessment
| Feature | DIY Assessment | Managed SRA (Recommended) | No Assessment |
|---|---|---|---|
| Regulatory Compliance | Partial — depends on staff expertise and methodology | Full — aligned to OCR guidance and NIST 800-30 | Direct violation — guaranteed OCR finding |
| Time Investment | 40–120 staff hours over several weeks | 5–10 staff hours for coordination | 0 hours (until a breach or audit) |
| Technical Depth | Limited by internal knowledge and tools | Full technical, administrative, and physical review | None |
| OCR Audit Defensibility | Moderate — methodology gaps common | High — documented methodology and deliverables | None |
| Ongoing Risk Management Support | Manual — easily deprioritized under operational pressure | Structured program with scheduled reassessment triggers | None |
| Estimated Financial Exposure | Staff time plus any required tools | Defined engagement fee — predictable cost | $1,000–$50,000+ per violation; up to $1.9M annually |
Documentation Requirements: What OCR Expects to See
The HIPAA Security Rule requires covered entities and business associates to maintain documentation of their policies, procedures, and actions for a minimum of six years from the date of creation or the date it was last in effect, whichever is later (45 CFR §164.316(b)(2)). Your risk assessment documentation is fully subject to this retention requirement.
When OCR investigates a complaint or conducts a compliance audit, the first document request typically includes your most recent risk analysis. Specifically, investigators look for:
- A defined scope statement identifying all ePHI assets evaluated
- A documented methodology for identifying threats and vulnerabilities
- The specific threats and vulnerabilities identified for your organization's environment
- An assessment of current security controls and their measured effectiveness
- Assigned likelihood and impact ratings for each identified risk, with the basis for those ratings clearly stated
- A risk register or summary document listing all identified risks and their priority levels
- Evidence of a corresponding risk management plan with timelines and ownership assignments
- Records showing the assessment was reviewed and approved by organizational leadership
A vendor-provided questionnaire or a brief checklist does not constitute a thorough risk analysis under OCR's interpretation. In the Doctors' Management Services settlement (2023), OCR specifically noted that the organization had used a security questionnaire but had not conducted a proper risk analysis — contributing to a $100,000 civil monetary penalty. The quality and depth of your documentation matter as much as the fact that an assessment was performed.
Maintain a version history of each risk assessment update, along with records of what changed and why. This demonstrates the continuous nature of your risk management program and gives OCR investigators a clear compliance narrative if your organization is ever audited. Explore our HIPAA compliance checklist for a documentation framework your practice can begin implementing immediately.
OCR Audit Risk: Mergers, New Technology, and Environmental Changes
Any significant change to your operating environment requires a risk assessment update. OCR has cited organizations for failing to reassess risks after implementing new EHR systems, acquiring another practice, onboarding new business associates, or transitioning to cloud-based infrastructure. If your organization has experienced any of these changes in the past 12 months without a formal reassessment update, your current risk analysis may be out of scope — and out of compliance. Do not wait for a breach or complaint to find out.
HIPAA Enforcement: Penalties for an Inadequate Risk Assessment
The HIPAA civil monetary penalty structure, updated by the HITECH Act and subsequent HHS rulemaking, applies a tiered framework based on culpability. Understanding the tiers makes clear why proactive compliance is the only financially rational position.
| Violation Category | Per Violation Range | Annual Cap |
|---|---|---|
| Did Not Know | $100–$50,000 | $25,000 |
| Reasonable Cause | $1,000–$50,000 | $100,000 |
| Willful Neglect — Corrected | $10,000–$50,000 | $250,000 |
| Willful Neglect — Not Corrected | $50,000 | $1,900,000 |
OCR's enforcement record demonstrates that failing to conduct a risk analysis is routinely treated as a willful neglect finding when the organization had been previously informed of the requirement — as every covered entity and business associate has been, given that the HIPAA Security Rule has been in effect since 2005. The IBM Cost of a Data Breach Report 2024 found that healthcare organizations face the highest average breach cost of any industry at $9.77 million — a figure that dwarfs the investment required to conduct and maintain a proper risk assessment program.
Beyond financial penalties, OCR can require a Corrective Action Plan (CAP) — a monitored remediation program typically lasting two to three years, during which the organization must submit periodic compliance reports. CAPs consume significant management attention and expose organizations to ongoing OCR scrutiny long after the original violation is resolved. In 2023 alone, OCR resolved enforcement actions totaling over $4.1 million in penalties, with risk analysis failures cited in the majority of cases.
Healthcare organizations also face state attorney general enforcement, potential class action litigation following breaches, and lasting reputational damage with patients and referring providers. The financial case for conducting a proactive HIPAA security risk assessment is straightforward: the cost of a managed assessment is a fraction of even the lowest penalty tier. For a deeper look at strengthening your organization's security posture, review our guidance on business network security and proactive threat hunting for healthcare environments.
Schedule Your HIPAA Security Risk Assessment
Bellator Cyber Guard's healthcare security specialists conduct thorough HIPAA security risk assessments aligned to OCR guidance and NIST SP 800-30. We deliver a complete risk register, prioritized remediation roadmap, and audit-ready documentation — so you are prepared before OCR comes calling.
Frequently Asked Questions: HIPAA Security Risk Assessment
A HIPAA security risk assessment — formally termed a risk analysis under the HIPAA Security Rule — is a mandated evaluation of threats and vulnerabilities affecting the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI). Required under 45 CFR §164.308(a)(1)(ii)(A), it forms the foundation of every organization's HIPAA Security Rule compliance program. The assessment must be accurate, thorough, and documented in writing to satisfy OCR requirements and must cover all ePHI regardless of where it is stored or transmitted.
The HIPAA Security Rule does not prescribe a specific frequency, but OCR guidance and enforcement precedent establish annual reassessment as the baseline standard. Beyond that annual cycle, any significant operational change should trigger an interim reassessment update: new technology systems, a merger or acquisition, new or modified business associate relationships, changes to remote work policies, or a security incident. Organizations that have not updated their assessment following major changes are considered out of compliance even if they have a prior assessment on file.
Under the HIPAA Security Rule, the terms are used interchangeably in practice. The rule text uses "risk analysis" at §164.308(a)(1)(ii)(A), while OCR guidance, industry frameworks, and vendor offerings commonly use "risk assessment." Both refer to the same required process: identifying threats and vulnerabilities to ePHI, evaluating existing controls, and determining risk levels. The companion requirement, "risk management" at §164.308(a)(1)(ii)(B), is the separate and equally mandatory obligation to implement security measures that reduce identified risks to a reasonable and appropriate level.
HHS and ONC offer a free Security Risk Assessment (SRA) Tool that can support the process for small practices. However, using a questionnaire or automated tool alone — without documented methodology, organizational context, a qualified reviewer, and a corresponding risk management plan — does not satisfy OCR requirements. Enforcement actions have specifically cited organizations that submitted questionnaire outputs as their "risk analysis" without demonstrating the required analytical depth. Tools support the process; they do not replace it.
Yes. Following the 2013 HIPAA Omnibus Rule, business associates are directly liable under the HIPAA Security Rule, including the requirement to conduct a risk analysis. A business associate cannot rely on its covered entity client's risk assessment to satisfy its own compliance obligations. Each organization that creates, receives, maintains, or transmits ePHI must conduct and document its own assessment covering its specific systems, workflows, and threat environment.
Failure to conduct a risk analysis is a direct violation of 45 CFR §164.308(a)(1). Depending on OCR's determination of culpability, civil monetary penalties range from $1,000 to $50,000 per violation, with annual caps up to $1.9 million for willful neglect left uncorrected. OCR may also impose a multi-year Corrective Action Plan (CAP) placing your organization under ongoing compliance monitoring. In virtually every HIPAA resolution agreement published by OCR, missing or inadequate risk analysis is cited as a primary — often the leading — finding.
Timeline depends on your organization's size, the number of systems handling ePHI, and whether you engage an external specialist. A small practice conducting an internal assessment may spend 40 to 80 staff hours over several weeks. A managed assessment conducted by an experienced cybersecurity firm typically takes two to four weeks from kickoff to final deliverables, with significantly less internal staff time required. Larger health systems or those with complex, multi-site IT environments may require six to eight weeks for a thorough assessment covering all ePHI locations.
The HIPAA Security Rule requires documentation to be retained for a minimum of six years from the date of creation or the date it was last in effect, whichever is later (45 CFR §164.316(b)(2)). Retain the complete risk assessment report, your risk register, all supporting evidence (asset inventories, interview notes, vulnerability scan results, control test records), your risk management plan, and any risk acceptance decisions with their rationale. When you update your assessment, retain prior versions as well — OCR may request assessment history to evaluate the continuity and evolution of your compliance program.
No — these are distinct and complementary activities. A HIPAA security risk assessment is a structured analysis of threats, vulnerabilities, and controls across your entire ePHI environment; it is primarily an administrative and documentation exercise with defined regulatory requirements. A penetration test is a technical exercise in which security professionals actively attempt to exploit vulnerabilities in your systems to validate whether your controls would withstand a real attack. HIPAA does not specifically mandate penetration testing, but OCR considers it a reasonable and appropriate safeguard for organizations with significant ePHI exposure. The risk assessment identifies and prioritizes risks; penetration testing validates whether your mitigations actually work.