How to Conduct a HIPAA Risk Assessment for Small Healthcare Practices: Step-by-Step Checklist

A structured HIPAA risk assessment helps your small practice safeguard electronic protected health information (ePHI), meet regulatory expectations, and strengthen patient trust. This step-by-step checklist walks you through a practical risk management framework you can complete with limited time and budget—without cutting corners.

Work through each section in order, capture decisions as you go, and keep evidence. By the end, you will have a defensible assessment, prioritized remediation plan, and ongoing improvement cycle.

Designate a Compliance Officer

Responsibilities

• Own the HIPAA risk assessment end to end, ensuring scope, schedule, and quality.
• Coordinate input from clinical, front office, IT support, and billing.
• Maintain the risk register, track mitigation strategies, and report status to leadership.
• Ensure workforce training, policy upkeep, and incident response are aligned with findings.

Selection and Authority

Choose a manager or senior staff member who understands operations and can make decisions. Grant authority to request records, assign tasks, and escalate issues. If you use third-party IT, include them in planning but keep accountability in-house.

Kickoff Checklist

• Define scope: locations, systems, vendors, and data types (with emphasis on ePHI).
• Set a timeline with milestones, owners, and deliverables.
• Create a centralized workspace for evidence and version-controlled documents.

Inventory Systems and Data Flows

Build an Asset Inventory

• Systems: EHR/PM, imaging, lab portals, patient portal, telehealth, email, backups, file servers, cloud storage.
• Devices: desktops, laptops, tablets, smartphones, scanners, copiers, badge printers, network gear.
• Data stores: databases, shared folders, removable media, archives, and offsite backups.
• Vendors/business associates: billing, clearinghouses, IT providers; note BAA status and services.

Map Data Flows

• Trace how ePHI is collected, used, transmitted, stored, and disposed (data lifecycle).
• Identify workflows like intake, scheduling, referrals, lab results, and patient communications.
• Document transmission channels: secure messaging, portals, email, SFTP, APIs, fax, and paper transitions.

Output: an up-to-date system inventory and simple data-flow diagrams that show where ePHI resides and travels. These become the backbone of your vulnerability assessment.

Assess Threats and Vulnerabilities

Differentiate Threats vs. Vulnerabilities

• Threats are potential adverse events (e.g., theft, ransomware, insider error, power loss).
• Vulnerabilities are the weaknesses threats can exploit (e.g., weak passwords, unpatched systems, propped doors).

Identify Categories

• Human: phishing, misdirected emails, improper disposal of media.
• Technical: outdated software, open ports, misconfigured access, lack of encryption.
• Physical/environmental: unlocked areas, tailgating, water damage, power failures.
• Process/policy: missing procedures, inadequate training, incomplete BAAs.

Methods to Use

• Conduct interviews and walk-throughs to observe real workflows.
• Review logs, access lists, configuration baselines, and backup reports.
• Perform a lightweight vulnerability assessment: patch status review, credential policy checks, and basic network exposure analysis.

Evaluate Existing Safeguards

Administrative Safeguards

• Policies: access management, minimum necessary, incident response, data retention/disposal, sanction policy.
• Training: onboarding and annual refreshers that cover phishing, secure messaging, and device care.
• Vendor risk: executed BAAs, service descriptions, and security attestations where available.

Physical Safeguards

• Facility controls: locked doors, visitor logs, camera coverage, and workstation placement away from public view.
• Device protections: cable locks, secure storage for laptops/media, privacy screens, and clean-desk practices.
• Environmental: surge protection, battery backups, and secure records disposal containers.

Technical Safeguards

• Access controls: unique user IDs, strong passwords, multi-factor authentication for remote and portal access.
• Audit controls: enable logging on EHR, file shares, and key systems; review alerts.
• Integrity and transmission security: encryption at rest and in transit; verified backups with periodic restore tests.
• Maintenance: timely patching, anti-malware, endpoint hardening, and mobile device management.

Document which administrative, physical, and technical safeguards are implemented, partially implemented, or missing. Note evidence and owners.

Determine Likelihood and Impact

Score Each Risk

• Likelihood (1–5): probability a threat will exploit a vulnerability within the next year.
• Impact (1–5): potential harm to confidentiality, integrity, and availability of ePHI, plus operational and financial impact.
• Risk rating: Likelihood × Impact (range 1–25). Use this simple risk management framework to prioritize.

Practical Examples

• Unencrypted laptop used offsite: Likelihood 4 × Impact 5 = 20 (High).
• MFA not enabled on email accounts: Likelihood 3 × Impact 5 = 15 (High).
• Paper charts stored in locked room with visitor log: Likelihood 2 × Impact 3 = 6 (Moderate).

Capture rationale for each score. Transparent reasoning makes your assessment defensible and repeatable.

Develop a Remediation Plan

Prioritize and Plan

• Address High risks first, then Moderate, then Low; consider quick wins that materially reduce exposure.
• Choose a treatment path per risk: mitigate, avoid, transfer, or accept—with documented justification.
• Create a remediation roadmap with phases, resource estimates, and budget alignment.

Plan Components to Record

• Specific mitigation strategies and control improvements to implement.
• Task owner, start and due dates, dependencies, and success criteria.
• Required policy updates and training changes tied to each control.

Implement Mitigation Strategies

Technical Controls Quick Wins

• Enable MFA on email, remote access, and administrative accounts.
• Encrypt all laptops and mobile devices; enforce automatic screen lock and inactivity timeout.
• Standardize patching cadence; remove unsupported software; restrict local admin rights.
• Harden backups: follow a 3-2-1 approach, encrypt, and test restores quarterly.
• Segment networks (guest vs. clinical) and enforce least-privilege access.

Process and People Improvements

• Update policies to match practice reality; include sanction enforcement and exceptions handling.
• Deliver focused training on phishing, secure referrals, and handling misdirected ePHI.
• Tighten vendor oversight: verify BAAs, define breach reporting timelines, and review security obligations.

Change Management

• Pilot changes with a small user group, gather feedback, and adjust rollout plans.
• Record configuration baselines before/after; update diagrams and inventories post-implementation.

Document Findings and Actions

What to Capture

• Scope, methodology, and the current asset and data-flow inventory.
• Risk register with scores, rationale, and selected treatments.
• Remediation plan, status updates, and residual risk after controls are applied.

Evidence to Keep

• Policy versions, training rosters, BAA records, configuration screenshots, and backup restore logs.
• Incident reports and lessons learned that informed control changes.

Maintain a clear audit trail. Use simple naming conventions and versioning so reviewers can follow the story from risk discovery to mitigation.

Review and Update Regularly

Cadence and Triggers

• Perform a formal review at least annually.
• Reassess after significant changes: new EHR, telehealth rollout, mergers, new locations, or material incidents.
• Monitor for emerging threats and regulatory updates; adjust scores and plans as needed.

Measure and Improve

• Track metrics: percent of High risks mitigated, time-to-close actions, training completion, and restore success rate.
• Hold brief post-implementation reviews to verify controls work and update residual risk.

Conclusion

By designating ownership, mapping ePHI, evaluating safeguards, and scoring risks within a straightforward risk management framework, your practice can focus resources where they matter most. Strong documentation and periodic updates turn a one-time project into an ongoing protection program.

FAQs.

What is the purpose of a HIPAA risk assessment?

The purpose is to identify how ePHI could be exposed, determine the likelihood and impact of those events, and select appropriate administrative, physical, and technical safeguards. It guides informed decisions, prioritizes remediation, and produces documentation that demonstrates due diligence.

How often should small healthcare practices perform risk assessments?

Complete a full assessment at least annually, and update it whenever there are significant changes—such as new systems, new vendors, workflow shifts, security incidents, or location expansions. Interim reviews keep scores current and ensure mitigation strategies remain effective.

What are common vulnerabilities in small healthcare practices?

Typical gaps include missing MFA, weak passwords, unencrypted laptops, outdated software, shared user accounts, incomplete BAAs, inadequate staff training, unlocked work areas, and untested backups. Many arise from well-intentioned workarounds, which a focused vulnerability assessment will uncover.

How can small practices document their HIPAA compliance efforts?

Maintain a risk register, inventory, data-flow maps, policies, training logs, BAA files, configuration evidence, and remediation status reports. Tie each mitigation to a specific risk and keep versioned records so auditors can trace findings to actions and verify ongoing compliance.