How to Conduct a HIPAA Risk Assessment for Your Chiropractic Practice (Step-by-Step Guide + Checklist)

A HIPAA risk assessment helps you systematically find where Protected Health Information (PHI) lives in your chiropractic practice, how it could be exposed, and what to do to reduce the chance and impact of a breach. This step-by-step guide and checklist are tailored to small and mid-sized chiropractic teams and the vendors they rely on.

This material is for general information to help you improve compliance and security and is not legal advice.

Define Assessment Scope and Identify PHI

Start by drawing clear boundaries for the assessment. List every place PHI is created, received, maintained, or transmitted across your practice: EHR, billing and clearinghouses, x‑ray or imaging systems, patient intake forms, email and texting tools, patient portals, backup systems, and paper records. Include all locations (clinic, satellite office, home/remote work) and all people who handle PHI (front desk, chiropractors, assistants, billing staff, interns, contractors).

Identify specific PHI elements (names, dates of birth, addresses, treatment notes, imaging, insurance data, appointment information) and map data flows for common processes, from new patient intake to record retention or disposal. Record where PHI is stored (e.g., encrypted laptop, server, locked cabinet), how long it’s retained, and who can access it. Designate a HIPAA Security Officer to own this process and apply the minimum necessary standard throughout.

Checklist

• Appoint a HIPAA Security Officer with authority to coordinate the risk assessment.
• List in-scope facilities, systems, devices, applications, and media that create, receive, maintain, or transmit PHI/ePHI.
• Map PHI data flows for intake, treatment, billing, referrals, patient communications, and record retention/disposal.
• Catalog storage locations (EHR, imaging, cloud drives, paper files, backups, mobile devices).
• Identify all business associates and verify active Business Associate Agreements (BAAs).
• Define retention periods and the minimum necessary PHI for each workflow.

Identify Threats and Vulnerabilities

List realistic threats that could exploit weaknesses in your environment. Consider human error (misaddressed emails, improper disclosure at the front desk), malicious activity (phishing, ransomware, theft), technical failures (server crashes, misconfigurations), and environmental hazards (fire, flood, power loss). Include vendor-related events such as an EHR outage or a billing company incident.

Document vulnerabilities that increase risk: shared logins, weak or reused passwords, lack of multi-factor authentication (MFA), unencrypted devices, unlocked file cabinets, unattended printers, misdirected faxes, auto-forwarded emails, outdated operating systems, public Wi‑Fi used for ePHI, and inadequate disposal of paper or media. Capture telehealth and texting risks, especially if personal devices are involved.

Checklist

• Brainstorm threats across categories: human, technical, physical, and environmental.
• Identify vulnerabilities in access control, device security, software patching, and process controls.
• Evaluate front-office exposures (sign-in sheets, overheard conversations, visitor access).
• Include vendor-specific threats and gaps tied to each BAA-covered service.
• Note past incidents or near-misses to inform realistic scenarios.

Evaluate Security Safeguards

Compare your current controls to HIPAA’s Administrative, Physical, and Technical Safeguards. For each safeguard, note what exists, evidence of operation (e.g., training logs, audit reports), where it falls short, and what is reasonable and appropriate for your practice’s size and complexity.

Administrative Safeguards

• Assigned security responsibility: a named HIPAA Security Officer with documented duties.
• Risk management program: written policies, procedures, and a recurring assessment cycle.
• Workforce security and training: onboarding, annual refreshers, phishing awareness, and a sanction policy.
• Information access management: role-based access, authorization processes, and timely termination procedures.
• Contingency planning: data backup, disaster recovery, and emergency operations with periodic testing.
• Incident response and Breach Notification Procedures: defined steps, decision criteria, and communication templates.
• Vendor management: due diligence and current Business Associate Agreements (BAAs) with all applicable vendors.
• Periodic evaluations: scheduled audits to verify safeguards remain effective.

Physical Safeguards

• Facility access controls: keys/badges, visitor logs, and after-hours restrictions.
• Workstation security: auto-locks, privacy screens for reception, and screen positioning out of public view.
• Device and media controls: asset inventory, secure storage, and documented disposal/destruction.
• Environmental protections: surge protection, locked network closets, and safe placement of networking gear.

Technical Safeguards

• Access controls: unique user IDs, least privilege, MFA for remote/email/EHR access, and automatic logoff.
• Audit controls: enabled logging on EHR and key systems with periodic reviews.
• Integrity and authentication: change monitoring, tamper-evident records, and verified data sources.
• Transmission security: TLS-encrypted email or secure messaging, VPN for remote access, and encrypted portals.
• Encryption at rest: full-disk encryption on laptops and mobile devices; encrypted backups.
• Endpoint protection and patching: anti-malware/EDR and timely OS/application updates.

Prioritize and Assess Risks

Rate each threat–vulnerability scenario by likelihood and impact using a simple 1–5 scale. Multiply to get an initial risk score, then factor in existing safeguards to estimate residual risk. Define thresholds (e.g., 15–25 high, 8–14 medium, 1–7 low) and focus first on high and medium risks that materially affect confidentiality, integrity, or availability of PHI.

Build a risk register capturing the asset/process at risk, threat, vulnerability, affected PHI, existing controls, likelihood, impact, residual risk, recommended mitigation, owner, budget estimate, and target date. This creates a traceable foundation for decisions and progress tracking.

Checklist

• Select a consistent scoring model and define high/medium/low thresholds.
• Calculate inherent and residual risk for each scenario.
• Record risks in a centralized risk register tied to evidence.
• Assign risk owners and due dates aligned to business priorities.
• Escalate any high risks to leadership for immediate action.

Implement Risk Mitigation Strategies

Choose a treatment strategy for each risk: reduce (add controls), transfer (insurance or contract terms), avoid (change the workflow), or accept (with justification). Sequence work so you deliver quick wins fast while planning larger improvements that need budget or vendor involvement.

Typical quick wins include enabling MFA, enforcing strong passwords, encrypting laptops, locking file cabinets and network closets, shredding paper PHI promptly, disabling risky “scan to personal email,” and moving patient messaging to secure tools. Longer-term efforts might add mobile device management, network segmentation, centralized logging, tested backups, and updated BAAs with clearer security obligations.

30/60/90-Day Action Plan

• Days 1–30: Turn on MFA, full-disk encryption, and automatic screen locks; collect BAAs; deploy phishing-resistant training; secure physical storage; update breach response checklist.
• Days 31–60: Patch backlog reduction, EDR rollout, role-based access review, backup verification and restore test, reception privacy improvements, terminate stale accounts.
• Days 61–90: Vendor due diligence reviews, MDM for mobile devices, network hardening and segmentation, audit log review cadence, documented contingency plan test and lessons learned.

Document Risk Assessment Process

Create a written report that explains your method, scope, inventory, threats, vulnerabilities, safeguard evaluation, risk ratings, and chosen mitigations. Attach supporting evidence such as policies and procedures, training rosters, screenshots of controls, access reviews, backup test results, and the active list of Business Associate Agreements (BAAs). Obtain sign-off from the HIPAA Security Officer and leadership, and maintain version history.

Keep documentation organized and accessible for audits and for your own operational continuity. Update it as you complete actions so your risk register, policies, and procedures reflect the current state. Retain required HIPAA documentation for the mandated period.

Documentation Checklist

• Written methodology, scope statement, and data flow diagrams.
• Asset inventory for PHI/ePHI and storage/retention details.
• Threats, vulnerabilities, safeguard evaluations, and evidence of operation.
• Risk register with scores, owners, treatment decisions, and timelines.
• Policies and procedures, workforce training records, sanction logs.
• Contingency plan, backup/restore test results, and incident/breach response playbooks.
• Current BAAs and vendor due diligence records.
• Sign-offs by the HIPAA Security Officer and leadership with revision history.

Review and Update HIPAA Compliance Regularly

Reassess at least annually and whenever your environment changes—new EHR or imaging system, office relocation, telehealth adoption, major software updates, staffing changes, or any security incident. Use metrics to stay proactive: training completion rates, time to terminate access for departing staff, patch timelines, backup success and restore times, audit log review cadence, and BAA currency.

Schedule internal mini-audits each quarter to verify Administrative Safeguards, Physical Safeguards, and Technical Safeguards are still operating effectively. Run table-top exercises for incident response and Breach Notification Procedures, and track corrective actions to closure with due dates and owners.

Summary and Next Steps

Your chiropractic practice can meet HIPAA expectations by defining scope and PHI, identifying realistic threats and vulnerabilities, evaluating safeguards, ranking risks, executing a prioritized mitigation plan, and documenting everything. Keep the cycle active with regular reviews so controls evolve with your operations and vendor ecosystem.

FAQs

What are the key steps in a HIPAA risk assessment?

Define the assessment scope and where PHI/ePHI resides; identify threats and vulnerabilities; evaluate Administrative, Physical, and Technical Safeguards; prioritize risks using likelihood and impact; implement mitigation strategies (reduce, transfer, avoid, or accept with justification); document the entire process with evidence; and review and update the assessment on a regular cadence.

How often should chiropractors update their risk assessments?

Perform a full review at least annually and whenever significant changes occur—new systems or vendors, new locations, major software updates, staffing changes, or after any incident. Interim mini-assessments help verify that safeguards remain effective and that BAAs, training, and Breach Notification Procedures are current.

What administrative safeguards are required for chiropractic practices?

Key Administrative Safeguards include appointing a HIPAA Security Officer; documented policies and procedures; workforce security and ongoing training with a sanction policy; risk management and periodic evaluations; information access management with timely termination; contingency planning for backups and disaster recovery; incident response and Breach Notification Procedures; and vendor management with up-to-date Business Associate Agreements (BAAs).

How should a breach be reported under HIPAA regulations?

Immediately escalate to the HIPAA Security Officer, contain the incident, and conduct a risk assessment to determine if PHI was compromised. If a breach occurred, notify affected individuals without unreasonable delay and no later than 60 days from discovery, and include required content in the notice. For breaches affecting 500 or more residents of a state or jurisdiction, also notify prominent media and report to HHS within 60 days; for fewer than 500, log and submit to HHS no later than 60 days after the end of the calendar year. Ensure any business associate notifies your practice per the BAA, document actions taken, and retain records as required.