HIPAA Risk Assessment Requirements Checklist for 2025: Controls, Evidence, and Timelines

Mandatory Technology Asset Inventory

A complete, current inventory is the foundation of your HIPAA risk assessment. You need a single source of truth for every system that creates, receives, maintains, or transmits ePHI—including on‑prem, cloud, SaaS, medical devices, and third‑party connections.

Controls

• Centralized asset management (CMDB) with automated discovery for endpoints, servers, network gear, mobile, IoT, and clinical systems.
• Mandatory fields: owner, business unit, location, data classification, ePHI presence, criticality, backup method, recovery tier, and support model.
• Data flow mapping that traces ePHI from origin to storage, including cloud buckets, databases, and backup targets.
• Joiners-movers-leavers and change-management hooks to update the inventory when systems or roles change.
• Business associate tracking that links assets to relevant BAAs and services.

Evidence to retain

• CMDB export with timestamps; exception list for unmanaged or legacy assets.
• ePHI data flow diagrams and network topology maps aligned to clinical and billing workflows.
• Owner attestations confirming accuracy and encryption status per asset.
• Medical device lists with patching, segmentation, and support constraints noted.

Timelines and owners

• Baseline inventory before starting the 2025 assessment; reconcile monthly; owners attest quarterly.
• Update within five business days of new deployments, decommissions, or major configuration changes.
• Annual formal validation led by Security with sign‑off from Compliance and IT leadership.

Detailed Risk Analysis Procedures

Your 2025 risk analysis should be methodical, repeatable, and documented. Use a risk model that estimates likelihood and impact, accounts for existing controls, and results in prioritized treatment plans.

Controls

• Defined scope covering all systems with ePHI, supporting infrastructure, and business associates.
• Threat and vulnerability identification using inputs from scanning, change logs, incidents, and vendor advisories.
• Standardized scoring (e.g., ordinal scales) and a risk acceptance and exception process.
• Risk treatment options: mitigate, transfer, avoid, or accept with executive approval.

Evidence to retain

• Methodology document, risk register, and data sources used (scans, audits, diagrams, interviews).
• Control catalog mapped to HIPAA Security Rule safeguards and organizational policies.
• Remediation plans with owners, budgets, and milestones; exception approvals with expiry dates.
• Meeting notes and sign‑offs that show review by Security, Privacy, and business stakeholders.

Timelines and owners

• Enterprise risk analysis completed annually and whenever material changes occur (e.g., new EHR, cloud migration).
• High‑risk items assigned within five business days; target remediation start within 30 days.
• Quarterly risk review to validate progress and adjust priorities as threats evolve.

Encryption and Multi-Factor Authentication

Apply ePHI encryption standards consistently at rest and in transit, and enforce strong MFA wherever ePHI or privileged access is involved. Document decisions and exceptions to demonstrate a risk‑based approach.

Controls

• At rest: AES‑256 or equivalent, disk/database encryption, encrypted backups, and key custody in HSM or secure key vault.
• In transit: TLS 1.2+ with strong ciphers; mutual TLS or VPN for system‑to‑system flows.
• Key management: rotation, separation of duties, escrow procedures, and revocation processes.
• Multi‑factor authentication requirements: phishing‑resistant factors (e.g., security keys) for admins, remote access, EHR, email, and cloud consoles; step‑up MFA for high‑risk actions.
• Mobile and endpoint encryption with centralized compliance reporting and rapid wipe capability.

Evidence to retain

• Encryption policy; configuration screenshots; key rotation logs; certificate inventory with expiry dates.
• MFA enforcement exports from identity providers; conditional access rules; exception registers with compensating controls.
• Periodic validation results showing successful decryption tests, recovery drills, and cipher reviews.

Timelines and owners

• Encrypt new systems before production; remediate legacy gaps on a defined roadmap.
• Rotate keys per policy; renew certificates at least 30 days before expiry; review cipher suites annually.
• Quarterly audit of MFA coverage and enforcement; monthly exception review.

Vulnerability Scanning and Penetration Testing

Define clear vulnerability scanning protocols and penetration testing schedules to discover and fix weaknesses before they’re exploited. Calibrate frequency to exposure and criticality.

Controls

• Authenticated internal and external scans for servers, endpoints, containers, cloud images, and web apps.
• Change‑triggered scans after significant releases, new internet exposure, or major configuration shifts.
• Application security: SAST/DAST, software composition analysis, and container/CSPM checks.
• Pen testing: annual end‑to‑end testing for critical apps and networks, plus targeted tests after major changes; include segmentation and egress controls.
• Remediation SLAs aligned to risk (e.g., critical within 7–15 days; high within 30; medium within 60).

Evidence to retain

• Scan reports, authenticated coverage metrics, and false‑positive adjudication notes.
• Ticketing records linking findings to fixes; rescan proof of closure; executive summaries.
• Pen test rules of engagement, tester independence statement, final report, and data handling attestations.

Timelines and owners

• External attack surface scans weekly or monthly based on exposure; internal enterprise scans monthly.
• Web app scans each release for critical portals; container image scans on build and deploy.
• Penetration testing schedules each calendar year for Tier‑1 systems; additional tests post‑change.

Incident Response Planning and Testing

Your incident response plans must enable rapid detection, containment, investigation, recovery, and—when applicable—breach notification. Integrate security, privacy, legal, compliance, and clinical leadership.

Controls

• Documented roles, on‑call rotations, escalation paths, and decision authorities.
• Use‑case runbooks (e.g., ransomware, lost device, misdirected email, vendor compromise, insider misuse).
• Forensics and evidence handling procedures; secure logs and time sync across systems.
• Backup and recovery strategy with tested RTO/RPO by system criticality; isolation and rebuild playbooks.
• Communication templates for patients, partners, regulators, and media; integration with business continuity.

Evidence to retain

• IR policy and incident response plans; playbooks; contact rosters and after‑hours procedures.
• Exercise artifacts: tabletop agendas, injects, sign‑ins, findings, and after‑action reports with closed‑loop tracking.
• Incident tickets, timelines, forensic notes, and chain‑of‑custody records.

Timelines and owners

• Tabletop exercises at least annually for enterprise scope; targeted drills for high‑risk workflows each quarter.
• Time‑bound objectives: rapid triage and escalation within defined SLAs; recovery targets aligned to patient safety and operations.
• Post‑incident review within 10 business days to document lessons learned and control changes.

Annual Technical Safeguard Verification

Validate that technical safeguards operate effectively across your environment and with vendors. This is where you confirm that controls do what your policies say they do.

Controls

• Access control: unique IDs, least privilege, periodic access reviews, emergency access procedures, automatic logoff.
• Audit controls: centralized logging, retention, alerting, and periodic review of high‑risk events.
• Integrity controls: hashing, allow‑listing, EDR, and tamper protection for logs and critical files.
• Transmission security: enforced encryption for all ePHI data paths and interfaces.
• Business associate technical safeguard verification through due diligence, security questionnaires, and attestations.

Evidence to retain

• Annual verification checklist with tests performed, sample sizes, and results.
• Access review records and remediation of excessive privileges.
• Vendor artifacts (e.g., mappings, attestations) tied to the BAA and risk profile.
• Change logs showing defects discovered and fixes deployed.

Timelines and owners

• Complete verification annually; refresh control tests when major platform changes occur.
• Re‑verify vendor controls at onboarding and at least annually, or at contract renewal.
• Report outcomes to executive leadership with clear risk acceptance or funding decisions.

Documentation and Record Retention

Strong records make your program defensible. Define what to keep, where to keep it, how to prove authenticity, and how long to retain it to satisfy HIPAA documentation retention expectations.

Controls

• Enterprise retention schedule covering policies, procedures, risk analyses, risk management plans, training logs, BAAs, incident artifacts, and test results.
• Secure repository with versioning, approvals, timestamps, and restricted access.
• Indexing and search to quickly produce evidence for audits, investigations, or litigation holds.
• Quality checks to ensure records are complete, accurate, and traceable to specific controls.

Evidence to retain

• Current policy set with revision history and effective dates.
• Risk register snapshots, remediation trackers, and closure evidence.
• Scan and pen test reports, IR plans and exercise outputs, access reviews, and vendor due‑diligence files.
• BAA repository with service scope, data types, and contact information.

Timelines and owners

• Retain required HIPAA documentation for at least six years from creation or last effective date.
• Quarterly records audit to confirm completeness and access appropriateness.
• Immediate archival of evidence for significant incidents and major assessments.

Conclusion

This 2025 checklist aligns your HIPAA risk assessment to practical controls, auditable evidence, and clear timelines. By institutionalizing asset accuracy, rigorous analysis, strong crypto and MFA, disciplined testing, verified safeguards, and durable records, you can demonstrate due diligence and reduce risk to ePHI.

FAQs.

What are the mandatory elements of a HIPAA risk assessment in 2025?

You must identify where ePHI resides and flows, analyze threats and vulnerabilities, evaluate existing safeguards, determine risk levels, and document a prioritized treatment plan. Maintain evidence such as inventories, data flows, a risk register, and remediation tracking to show a consistent, repeatable process.

How often must HIPAA risk assessments be conducted?

Perform a comprehensive assessment at least annually and repeat it whenever significant changes occur, such as new clinical systems, major cloud moves, or mergers. Review risks quarterly to update status, adjust priorities, and address emerging threats.

What documentation is required to demonstrate HIPAA compliance?

Keep policies and procedures, the current risk analysis, the risk management plan, vulnerability and pen test results, access reviews, incident response plans and exercise outputs, BAAs and vendor due‑diligence artifacts, and approval records. Preserve each item per your retention schedule, with HIPAA documentation typically retained for a minimum of six years.

How soon must incident response plans restore systems after a breach?

HIPAA does not set a fixed restoration time. Define recovery time objectives (RTO) and recovery point objectives (RPO) by system criticality, document them in your incident response and continuity plans, and test to ensure you can meet them. Many organizations target hours—not days—for Tier‑1 clinical systems handling ePHI, with longer targets for less critical services.