Houston, Texas HIPAA Security Risk Assessment Checklist and Compliance Requirements

Use this Houston, Texas HIPAA Security Risk Assessment Checklist to methodically analyze how your organization creates, receives, maintains, or transmits ePHI. Following these steps strengthens HIPAA Security Rule compliance, reduces breach risk, and prepares you for audits and local hazards common to the Gulf Coast.

Inventory of ePHI Assets

Start with a complete ePHI asset inventory. Catalog every system, device, application, data store, and workflow that touches ePHI—on‑premises, cloud, and hybrid—to define the scope of risk analysis.

• Systems and apps: EHR/EMR, billing, patient portals, telehealth, imaging, lab, scheduling, email.
• Data stores: databases, file shares, backups, archives, removable media, cloud buckets, SaaS exports.
• Endpoints and devices: servers, workstations, laptops, tablets, smartphones, and networked medical devices.
• Network components: firewalls, switches, wireless controllers, VPNs, remote access gateways.
• Third parties: clearinghouses, cloud and MSP vendors, telehealth platforms, billing services with BAAs.
• Locations: clinics, data centers, cloud regions, home offices, and off‑site backup locations.
• Data flows: map how ePHI is collected, stored, transmitted, and disposed of across internal and external paths.

Record owners, business purpose, data classification, volume of ePHI, retention, and criticality for each asset. Keep the inventory current through change management so risk analysis documentation always reflects reality.

Identify Potential Threats and Vulnerabilities

List credible threats and the vulnerabilities they could exploit. Consider cyber, physical, human, and environmental factors relevant to Houston, including hurricanes, flooding, power loss, and heat events.

• Cyber threats: ransomware, phishing, credential stuffing, web app exploits, supply‑chain attacks.
• Internal risks: unauthorized access, privilege misuse, errors, and inadequate segregation of duties.
• Technical weaknesses: unpatched systems, legacy OS, weak authentication, misconfigured cloud storage.
• Physical risks: device theft, improper media disposal, tailgating, water damage, and HVAC failures.
• Process gaps: missing procedures, inconsistent training, lack of MDM, and incomplete BAAs.
• Vendor risks: service outages, subcontractors, or unclear data handling by business associates.

Tie each threat to specific vulnerabilities such as absent MFA, open remote services, missing encryption, inadequate logging, or insufficient backups. This linkage drives focused mitigation strategies.

Determine Likelihood and Impact of Threats

Use a consistent model to rate risk. A simple approach scores likelihood (1–5) and impact (1–5) across confidentiality, integrity, and availability; multiply to derive a risk rating and set thresholds for action.

• Define qualitative criteria for each score so ratings are repeatable and auditable.
• Incorporate local history (e.g., storm‑related outages), control maturity, and current threat intelligence.
• Assess operational downtime, patient safety implications, regulatory exposure, and reputational harm.
• Document assumptions and evidence used to support every rating in the risk analysis documentation.

Example: an unencrypted laptop used off‑site may have medium likelihood but high impact, resulting in a high overall risk that demands expedited remediation.

Evaluate Existing Security Measures

Assess how well current administrative, technical, and physical safeguards prevent or detect each risk. Verify that controls are implemented, effective, and enforced—not just written in policy.

• Administrative safeguards: risk management plan, assigned security responsibility, workforce training, sanctions, access authorization, incident response, contingency planning, vendor management with BAAs.
• Technical safeguards: unique IDs, MFA, role‑based access, encryption in transit and at rest, automatic logoff, audit logging and review, integrity controls, anti‑malware/EDR, patching, vulnerability scanning, secure configurations, network segmentation.
• Physical safeguards: facility access controls, visitor logs, workstation security, device/media controls, secure disposal, environmental protections, and equipment maintenance records.

Note residual gaps such as partial MFA coverage, inconsistent log reviews, inadequate backup testing, or missing secure disposal procedures.

Document Findings and Develop a Remediation Plan

Compile formal risk analysis documentation and a risk register. For each item, capture the business context and the specific weaknesses that threaten ePHI.

• Asset/process and data involved, mapped to the ePHI asset inventory.
• Threat and vulnerability description with evidence.
• Likelihood, impact, and risk score with rationale.
• Existing controls and identified gaps.
• Mitigation strategies, success criteria, and planned security measures.
• Owner, dependencies, budget, and target dates.
• Residual risk and acceptance/transfer/escalation decisions with leadership approval.

Prioritize by risk: resolve critical items within 30 days, high within 90 days, medium within 180 days, and monitor or accept low risks with justification. Update the plan as tasks complete and risks change.

Implement Security Measures

Execute remediation with clear milestones, adequate resourcing, and verification. Focus on controls that most reduce risk to ePHI while supporting patient care and operations.

• Access management: enforce MFA, unique user IDs, least privilege, periodic access recertification.
• Encryption: TLS for data in transit; FDE/database/file‑level encryption for data at rest; strong key management.
• Session and endpoint security: automatic logoff, EDR/anti‑malware, hardening baselines, MDM with remote wipe.
• Monitoring: centralize audit logs, create alerts for anomalous activity, and review logs routinely.
• Patch/vulnerability management: defined cadence, emergency patching, continuous scanning, and remediation SLAs.
• Email and web security: phishing protection, attachment sandboxing, and DMARC/SPF/DKIM alignment.
• Backups and resilience: 3‑2‑1 strategy, immutable/offline copies, routine restore tests, and alternate communications.
• Network protections: segmentation, least‑open firewall rules, restricted remote access, and secure VPN.
• Physical safeguards: controlled areas, locked server rooms, visitor procedures, and secure media disposal.
• Workforce readiness: role‑based training, phishing simulations, incident reporting channels, and drills.
• Vendor oversight: current BAAs, due diligence, minimum security requirements, and continuous monitoring.

In Houston, ensure disaster recovery plans address hurricanes and flooding with out‑of‑region backups, power continuity, and communication contingencies.

Maintain Documentation

Maintain complete, organized records to demonstrate HIPAA Security Rule compliance. Keep documents current, approved by your security official, and readily retrievable for audits or investigations.

• Policies and procedures covering administrative, technical, and physical safeguards.
• ePHI asset inventory and data flow diagrams.
• Risk analysis documentation, risk register, and the risk management (remediation) plan.
• Training curricula, attendance, and acknowledgments; sanctions where applicable.
• System activity review records, access logs, security event reports, and incident response files.
• Contingency plans, backup/restore logs, DR test results, and tabletop exercise notes.
• Vendor due diligence, BAAs, security attestations, and monitoring reports.
• Change management records, configuration baselines, and encryption/key management evidence.

Retain required documentation for at least six years from the date of creation or last effective date. Use version control and maintain a master index so auditors can trace controls to specific risks and safeguards.

Conduct Regular Reviews and Updates

Treat risk analysis as a continuous program, not a one‑time project. Reassess at least annually and whenever you introduce major changes such as a new EHR, cloud migration, mergers, telehealth expansion, or a significant incident.

• Run quarterly vulnerability scans and at least annual penetration testing with remediation tracking.
• Review access monthly for high‑risk systems and quarterly elsewhere; remove orphaned accounts promptly.
• Monitor and tune alerts; verify timely log reviews and incident response drills.
• Test backups and disaster recovery regularly; conduct hurricane‑season tabletop exercises.
• Reevaluate vendor risks and BAAs annually and upon service changes.
• Track metrics such as MFA coverage, patch timelines, phishing click rates, encryption coverage, and restore success rates.

For the Houston area, emphasize power resilience, flood barriers, and off‑site redundancy outside the region. A living risk program keeps your safeguards aligned with emerging threats and operational realities, sustaining compliance and protecting patients’ ePHI.

FAQs

What are the key steps in a HIPAA Security Risk Assessment?

Define scope and build an ePHI asset inventory; identify threats and vulnerabilities; rate likelihood and impact to calculate risk; evaluate administrative, technical, and physical safeguards; document findings in a risk register; develop mitigation strategies and a remediation plan; implement controls; and continuously monitor, review, and update.

How often should HIPAA risk assessments be updated?

Update at least annually and whenever there are significant environmental, technical, or organizational changes—such as new systems, cloud adoption, major upgrades, vendor changes, relocations, or after security incidents. High‑risk environments may require more frequent targeted reviews.

What documentation is required for HIPAA Security Rule compliance?

Maintain policies and procedures; ePHI asset inventory and data flows; risk analysis documentation and the risk management plan; training records; system activity review and audit logs; incident and breach response records; contingency plans and test results; vendor due diligence and BAAs; change management and configuration documentation; and evidence of encryption and key management, retained for at least six years.