Complete Guide to HIPAA Security Risk Assessment Steps for Covered Entities

Scope the Assessment

Your first task is to define exactly what the HIPAA Security Risk Assessment will cover. Clarify which business units, clinical services, facilities, and third-party arrangements are in scope. Include all systems that create, receive, maintain, or transmit electronic protected health information (ePHI), from your EHR to cloud repositories and medical devices.

State why you are assessing (regulatory compliance, merger, technology refresh) and the period reviewed. Note assumptions, constraints, and known exclusions so reviewers understand decisions and limits.

Define purpose and boundary

• List in-scope assets: applications, databases, endpoints, networks, medical/IoT devices, backup and archival platforms.
• Identify data locations and jurisdictions impacting ePHI handling and retention.
• Name key stakeholders: privacy officer, security officer, IT, clinical leadership, and business associates.

Choose a methodology and criteria

• Select rating scales for likelihood and impact, and decide how you will prioritize results.
• Align evaluation with administrative safeguards, physical safeguards, and technical safeguards as required by the HIPAA Security Rule.

Gather Data

Collect the evidence you need to evaluate controls objectively. You are building a single, validated picture of how ePHI flows and where it may be exposed during its lifecycle.

Build an asset and data inventory

• Catalog systems, interfaces, vendors, and users that touch ePHI.
• Document data elements, storage locations, and retention periods.
• Create data flow diagrams showing creation, transmission, storage, and disposal.

Collect documentation and artifacts

• Policies and procedures for access, incident response, backup, device/media controls, and disposal.
• Contracts and BAAs, network diagrams, configuration baselines, and change records.
• Logs, prior risk assessments, audit findings, incident reports, and training records.

Validate through observation and interviews

• Walk through facilities to review workstation placement, badge controls, and media handling.
• Interview process owners to compare “policy vs. practice.”
• Run scans or reviews (e.g., vulnerability scans, configuration checks) to corroborate documentation.

Identify and Document Threats and Vulnerabilities

Differentiate between threats (things that could cause harm) and vulnerabilities (weaknesses that threats exploit). Document each pairing against the affected asset and ePHI process step.

Common threat categories

• Human: phishing, theft, misuse of privileges, vendor errors.
• Technical: ransomware, misconfigurations, unpatched software, insecure APIs.
• Physical/environmental: fire, water damage, power loss, device theft.
• Process: inadequate change control, improper disposal, weak onboarding/offboarding.

Typical vulnerabilities to record

• Missing encryption on laptops or removable media handling ePHI.
• Unsupported operating systems and delayed patch cycles.
• Shared accounts, weak authentication, or excessive privileges.
• Inadequate audit logging or log retention for ePHI systems.
• Unsecured server rooms, lax visitor controls, or poor workstation privacy.

Maintain a risk register with fields for asset, threat, vulnerability, predisposing conditions, existing controls, and notes. This establishes traceability and supports later prioritization.

Assess Current Security Measures

Evaluate how well existing controls reduce the likelihood or impact of identified threats. Rate their design (are they appropriate?) and operating effectiveness (are they consistently applied?).

Administrative safeguards

• Risk management program, security policies, workforce training, and sanction processes.
• Contingency planning: backup, disaster recovery, and emergency mode operations.
• Vendor risk management and BAAs covering ePHI handling.

Physical safeguards

• Facility access controls, visitor management, and media/device disposal.
• Workstation security: screen positioning, automatic locks, privacy screens.
• Environmental protections and equipment maintenance.

Technical safeguards

• Access controls: unique IDs, least privilege, MFA, and session timeouts.
• Encryption for ePHI at rest and in transit; key management practices.
• Audit controls, integrity checks, anti-malware, and endpoint protection.

Verification methods

• Evidence review: screenshots, logs, tickets, and reports demonstrating control operation.
• Technical testing: vulnerability scans, configuration reviews, and targeted penetration tests.
• Sampling: confirm controls across representative sites, systems, and user groups.

Determine Likelihood of Threat Occurrence

Perform a risk likelihood assessment for each threat–vulnerability pair. Use a calibrated scale (e.g., 1–5) and base ratings on evidence: exposure, exploitability, control strength, incident history, and threat actor capability.

How to rate likelihood consistently

• Very Low: Rare exposure, layered controls, no history.
• Low: Infrequent exposure, effective controls, few alerts.
• Moderate: Regular exposure or partial control coverage.
• High: Frequent exposure, known weaknesses, recent near-misses.
• Very High: Active exploitation trends and weak/absent controls.

Record your rationale beside the score so future reviewers understand why a likelihood value was chosen and what would decrease it.

Determine Potential Impact of Threat Occurrence

Next, perform a risk impact evaluation. Consider confidentiality, integrity, and availability of ePHI, plus operational, financial, legal, and reputational effects, including patient safety implications.

Impact factors and scale

• Confidentiality: volume and sensitivity of ePHI exposed.
• Integrity: risk of clinical decision errors or data tampering.
• Availability: downtime duration, backlogs, and patient care delays.
• Regulatory/financial: reporting obligations, penalties, remediation costs.

• Minor: Limited scope, quick recovery, minimal reporting.
• Moderate: Noticeable disruption, contained exposure, manageable remediation.
• Major: Large-scale exposure or prolonged outage affecting care delivery.
• Severe: Widespread impact with significant patient safety and regulatory consequences.

Determine Level of Risk

Combine likelihood and impact to calculate inherent and residual risk. A simple matrix (e.g., 1–5) or numerical product supports clear prioritization and helps you align with organizational risk appetite.

Prioritize and assign ownership

• Rank risks as High, Medium, or Low and define action thresholds (e.g., all High require immediate mitigation planning).
• Identify risk owners accountable for treatment decisions and implementation progress.
• Cluster related findings into initiatives to drive efficient remediation.

Use the prioritized list to plan risk mitigation strategies that target the most consequential exposures first while balancing resources and timelines.

Identify Security Measures and Finalize Documentation

Select and document the security measures that will reduce risk to a reasonable and appropriate level. Map each measure to administrative safeguards, physical safeguards, or technical safeguards and justify your choices.

Choose risk treatment options

• Mitigate: implement controls such as MFA, encryption, segmentation, enhanced logging, or privileged access management.
• Transfer: adjust contracts/insurance or move services to vetted providers.
• Avoid: retire high-risk processes or decommission vulnerable systems.
• Accept: formally acknowledge low residual risk with leadership approval.

Plan and track implementation

• Create a plan of action and milestones with owners, budgets, and target dates.
• Define success criteria and evidence required to validate completion.
• Incorporate training, change management, and monitoring to sustain gains.

Finalize and maintain documentation

• Risk analysis report: scope, methodology, asset inventory, findings, and ratings.
• Risk register and matrix, data flow diagrams, test results, and remediation plan.
• Approvals, distribution list, and a review schedule to keep content current.

Ongoing monitoring and updates

Establish continuous monitoring, metrics, and periodic reassessments tied to system changes, incidents, and audits. This ensures the assessment remains living guidance rather than a one-time exercise.

Conclusion

By scoping precisely, collecting solid evidence, rating likelihood and impact consistently, and executing targeted risk mitigation strategies, covered entities can manage ePHI risk responsibly. Comprehensive documentation and ongoing updates close the loop and demonstrate due diligence.

FAQs.

What are the key steps in conducting a HIPAA Security Risk Assessment?

Define scope; gather data on assets, data flows, and controls; identify threats and vulnerabilities; assess current administrative, physical, and technical safeguards; perform risk likelihood assessment; conduct risk impact evaluation; determine overall risk level; and select security measures while finalizing documentation and remediation plans.

How often should a HIPAA Security Risk Assessment be updated?

Update at least annually and whenever material changes occur—such as new systems handling ePHI, major workflow shifts (e.g., telehealth expansion), mergers, significant incidents, or regulatory updates. Continuous monitoring with interim reviews keeps ratings accurate between formal assessments.

What are common vulnerabilities found in HIPAA assessments?

Frequent issues include unencrypted laptops or media, unsupported operating systems, weak or shared accounts without MFA, misconfigured cloud storage, inadequate audit logging, delayed patches, poor device disposal, lax facility access controls, insecure medical devices, and inconsistent workforce training.

How do covered entities document their risk assessments?

They compile a risk analysis report with scope, methodology, inventories, findings, and ratings; maintain a risk register and matrix; include data flow diagrams and technical test results; attach policies, training records, and BAA evidence; and track remediation in a plan of action and milestones with leadership approvals and review schedules.