HIPAA Information Security Risk Assessment Checklist: Requirements, Steps, and Examples

A HIPAA information security risk assessment helps you pinpoint where electronic protected health information (ePHI) could be exposed and what to do about it. Use this practical checklist to confirm requirements, follow a clear risk analysis methodology, and see concrete examples that translate rules into daily security work.

HIPAA Risk Assessment Requirements

Core regulatory obligations

• Conduct an accurate and thorough assessment of risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI (Security Rule risk analysis).
• Implement risk management processes to reduce risks to reasonable and appropriate levels, including a documented risk mitigation strategy.
• Evaluate security measures periodically and in response to environmental or operational changes.
• Maintain written policies, procedures, and compliance documentation; retain for the required period.
• Ensure business associate oversight and execute BAAs when ePHI is handled by vendors.

Safeguard categories to address

• Administrative safeguards: governance, policies, workforce training, sanctions, contingency planning, and vendor risk management.
• Physical safeguards: facility access controls, workstation security, device/media controls, and disposal procedures.
• Technical safeguards: access controls, authentication, audit controls, transmission security, and integrity protections.

Minimum elements of a defensible risk analysis methodology

• Defined scope covering all ePHI systems and data flows.
• Asset–threat–vulnerability mapping with likelihood and impact ratings.
• Risk scoring (qualitative or semi-quantitative) with inherent vs. residual risk.
• Documented decisions, owners, timelines, and verification steps.

Quick checklist

• List all ePHI repositories and transmissions.
• Map controls across administrative, physical, and technical safeguards.
• Record findings, decisions, and supporting evidence as compliance documentation.

Define Scope of ePHI

Inventory systems, data, and users

• Identify all locations where ePHI is created, received, maintained, or transmitted: EHRs, practice management, imaging, patient portals, billing, telehealth, mobile apps, cloud storage, backups, and vendor platforms.
• Catalog user groups and roles (clinicians, billing, IT, third parties) and the minimum necessary access each needs.
• Include endpoints and infrastructure: laptops, kiosks, IoT medical devices, servers, network segments, and remote access paths.

Map the ePHI data lifecycle

• Creation and capture: patient intake, devices, interfaces.
• Use and storage: EHR documentation, analytics, images, and local caches.
• Transmission: e-prescribing, claims clearinghouses, referrals, secure messaging.
• Retention and disposal: archives, legal holds, de-identification, media sanitization.

Example scoping notes

• Clinic uses a cloud EHR with MFA, scans paper forms to a shared drive, and syncs nightly to an encrypted backup appliance.
• Telehealth platform transmits ePHI to mobile devices; MDM enforces device encryption and remote wipe.
• Third-party billing vendor receives ePHI via SFTP; BAA on file; quarterly access reviews scheduled.

Quick checklist

• Create a current system inventory and data flow diagram for electronic protected health information.
• Identify all business associates and confirm BAAs.
• Document locations, owners, and access methods for each ePHI repository.

Identify and Analyze Risks

Use an asset–threat–vulnerability model

• Assets: EHR databases, imaging archives, APIs, endpoints, credentials.
• Threats: phishing, ransomware, insider misuse, lost devices, power failures, natural hazards.
• Vulnerabilities: unpatched systems, weak authentication, overprivileged accounts, open ports, lack of network segmentation, poor physical controls.

Rate likelihood and impact

Adopt clear scales (e.g., Low/Medium/High) and document the rationale. Consider volume and sensitivity of ePHI, regulatory exposure, patient safety, downtime costs, and reputational harm. Calculate inherent risk, propose controls, then estimate residual risk to guide priorities.

Example risk register entries

• Phishing leading to credential theft; vulnerability: no MFA on remote access; inherent risk: High; control: enable MFA and phishing-resistant authentication; residual risk: Medium; owner: IT Security.
• Ransomware on imaging workstations; vulnerability: outdated OS and local admin rights; controls: OS upgrades, application whitelisting, EDR, immutable backups; residual risk: Low; owner: Desktop Engineering.
• Unauthorized access in storage room; vulnerability: no badge logs or camera coverage; controls: badge readers, CCTV, visitor sign-in; residual risk: Medium; owner: Facilities.

Quick checklist

• Enumerate assets handling ePHI and the dependencies they rely on.
• Identify threats and vulnerabilities across administrative, physical, and technical safeguards.
• Score risks and record proposed mitigations with target residual risk.

Perform Gap Analysis

Compare current controls to required safeguards

• Administrative: policies, role-based access, workforce training, incident response, contingency planning, vendor oversight.
• Physical: facility access controls, workstation positioning, media tracking, secure disposal, environmental safeguards.
• Technical: unique IDs, MFA, automatic logoff, encryption in transit and at rest, audit logging and review, integrity controls, secure configurations.

Common vulnerabilities revealed by gap analyses

• Shared logins for clinical stations; inadequate access review cadence.
• No encryption at rest on legacy file shares containing ePHI.
• Missing or outdated BAAs for cloud or billing vendors.
• No centralized log management; audit trails not retained long enough.
• Insufficient termination procedures and device return checks.

Quick checklist

• Gather evidence: policies, configurations, screenshots, logs, training records.
• Rate control maturity and identify quick wins vs. strategic initiatives.
• Create a remediation backlog linked to specific rule requirements.

Develop and Implement Mitigation Measures

Build a risk mitigation strategy

• Decide per risk: mitigate, accept (with justification), transfer (e.g., insurance), or avoid (change process/technology).
• Define control owners, milestones, budget, and success metrics; align with business priorities and patient care needs.

Administrative safeguards: examples

• Policy refresh with attestation tracking; targeted security awareness focused on phishing and data handling.
• Access governance: least privilege, quarterly reviews, break-glass procedures with monitoring.
• Vendor risk management: due diligence questionnaires, security addenda, right-to-audit clauses.

Technical safeguards: examples

• Authentication and access control: MFA everywhere feasible, phishing-resistant methods for remote and privileged access.
• Data protection: TLS for all transmissions, full-disk encryption, database/volume encryption, email DLP for outbound PHI.
• Monitoring: centralized logging, SIEM alerts on anomalous access, EDR on endpoints, regular vulnerability scanning and patch SLAs.
• Network hygiene: segmentation of clinical devices, secure remote access, least-privilege service accounts, secure configurations.

Physical safeguards: examples

• Badge-based facility access with visitor management and camera coverage for sensitive areas.
• Workstation security: privacy screens, auto-lock timers, secured device carts.
• Media controls: inventory tracking, encrypted removable media, certified destruction.

Continuity and incident readiness

• Backups: encrypted, offline/immutable copies, routine restore testing meeting RTO/RPO targets.
• Incident response: runbooks for ransomware, lost device, and misdirected email; post-incident review feeding future assessments.

Quick checklist

• Map each high risk to specific administrative, technical, or physical controls.
• Set measurable outcomes (e.g., MFA coverage, patch compliance, restore success rate).
• Track progress and re-score residual risk after implementation.

Document Risk Assessment Process

What to capture

• Scope, methodology, participants, and assessment dates.
• System inventory and ePHI data flows with assumptions and constraints.
• Risk register with ratings, owners, mitigation plans, and status.
• Policies, procedures, training records, and evidence of control operation.
• Approvals by leadership and change history for version control.

Retention and organization

• Retain required documentation for six years from creation or last effective date.
• Use a consistent structure: executive summary, scope, risk analysis methodology, findings, mitigation roadmap, and appendices of evidence.

Example report outline

• Executive summary: key risks and recommended actions.
• Assessment details: scope, criteria, and tools used.
• Findings: top risks with business impact and suggested controls.
• Roadmap: prioritized initiatives, timelines, and ownership.
• Appendices: risk register, asset inventory, data flows, training logs.

Conduct Regular HIPAA Security Audits

Make audits part of continuous compliance

• Plan internal audits to verify that controls operate as designed and that residual risks stay within tolerance.
• Trigger ad hoc reviews after major changes: new EHR modules, cloud migrations, mergers, or significant incidents.
• Cover access reviews, vulnerability scans, penetration tests, log analysis, backup restores, and physical walkthroughs.

Reporting and improvement

• Report results to leadership with metrics and remediation status.
• Feed audit findings back into the risk register and training plans.
• Validate third-party security through assessments, attestations, or onsite reviews where appropriate.

Quick checklist

• Define an annual audit calendar with clear criteria and evidence requirements.
• Test a sample of controls in each safeguard category every cycle.
• Track corrective actions to closure and verify effectiveness.

Conclusion

This HIPAA Information Security Risk Assessment Checklist turns regulatory expectations into a repeatable program. By scoping ePHI thoroughly, applying a consistent risk analysis methodology, closing gaps with targeted safeguards, and documenting everything, you build a defensible posture that protects patients and sustains compliance.

FAQs.

What is the purpose of a HIPAA information security risk assessment?

The purpose is to identify where ePHI is at risk, evaluate the likelihood and impact of threats, and implement reasonable and appropriate administrative, physical, and technical safeguards to reduce risk to acceptable levels while maintaining patient care and business operations.

How often should HIPAA risk assessments be conducted?

Perform a comprehensive assessment at least annually and whenever significant changes occur—such as new systems, major upgrades, cloud migrations, mergers, or notable security incidents. Smaller, targeted assessments can run continuously to keep residual risk aligned with your tolerance.

What are common vulnerabilities in HIPAA risk assessments?

Typical gaps include missing MFA for remote or privileged access, shared or overprivileged accounts, unpatched systems, inadequate logging and log retention, insufficient vendor oversight or BAAs, lack of encryption at rest, weak device/ media controls, and incomplete workforce training on PHI handling.

What documentation is required for HIPAA risk assessment compliance?

You need written scope and methodology, an up-to-date asset and data flow inventory, a risk register with ratings and mitigation plans, evidence that controls operate effectively, policies and procedures, workforce training records, leadership approvals, and a record of audits and evaluations retained for the required period.