How to Do a HIPAA Risk Assessment for Health Coaches: Step-by-Step Guide + Checklist


Kevin Henry

HIPAA

February 15, 2026

8 minute read

Define Scope of ePHI Systems

Start by defining what’s in scope under the HIPAA Security Rule. List every place your practice creates, receives, maintains, or transmits electronic Protected Health Information (ePHI), and draw clear boundaries around those systems, people, and workflows.

What to include

  • People: you, assistants, contractors, and any Business Associates (billing, EHR, telehealth, transcription).
  • Technology: laptops, smartphones, tablets, external drives, EHR/CRM, scheduling, secure messaging, telehealth, email, cloud storage, form intakes, backups.
  • Networks and locations: office and home Wi‑Fi, VPNs, routers, guest networks, co‑working spaces, client locations, travel scenarios.
  • Data flows: where ePHI originates, where it moves, where it rests, who touches it, and with which apps or vendors.

Deliverables

  • Scope statement and in/out‑of‑scope list.
  • Asset and data‑flow inventory.
  • Business Associate roster with BAA status.

Checklist

  • Catalog all ePHI systems and storage locations.
  • Map data flows from collection to archival or disposal.
  • Identify all users and third‑party vendors touching ePHI.
  • Note environments with mixed personal/professional use (e.g., home devices).

Collect Administrative and Technical Safeguards Information

Gather evidence of existing administrative safeguards and technical safeguards. You’ll use this baseline to evaluate control strength, gaps, and needed risk mitigation strategies.

Administrative safeguards (what to gather)

  • Policies and procedures (access authorization, minimum necessary, incident response, sanction policy).
  • Workforce security: onboarding/offboarding checklists, role definitions, security awareness and phishing training records.
  • Contingency planning: backup, disaster recovery, emergency operations, test results.
  • Vendor due diligence: BAAs, security questionnaires, SOC reports or attestations (if available).
  • Change management and device lifecycle: procurement, configuration standards, disposal/shredding.

Technical safeguards (what to gather)

  • Access controls: unique IDs, least privilege, role‑based rules, multi‑factor authentication (MFA), automatic logoff.
  • Encryption: at rest on devices and in transit for email, portals, messaging, and backups.
  • Audit controls: logging, log retention, and review cadence for systems handling ePHI.
  • Integrity protections: checksums/versioning, restricted editing, secure backups.
  • Endpoint and patch management: OS/app updates, anti‑malware, mobile device management (MDM), remote wipe.
  • Network security: firewall configuration, secure DNS, secure Wi‑Fi, VPN for public networks.
  • Physical safeguards: screen privacy filters, device lock/secure storage, clean desk, visitor controls, and secure document disposal.

Checklist

  • Export policy set and verify last review dates.
  • Pull training logs and completion rates.
  • List all access controls and MFA coverage by system.
  • Document encryption status for devices, email, messaging, and backups.
  • Record logging locations, retention, and review cadence.

Identify Threats and Vulnerabilities

Enumerate realistic threats to your practice and the vulnerabilities they could exploit. Focus on how ePHI could be exposed, altered, or become unavailable.

Common threat sources

  • Lost or stolen devices; theft from vehicles or gyms.
  • Phishing, credential stuffing, and social engineering.
  • Misconfigurations in cloud drives or form tools (oversharing links, public folders).
  • Ransomware and other malware delivered via email or downloads.
  • Insecure texting or email, public Wi‑Fi, home network weaknesses.
  • Vendor outages, data mishandling, or BAA gaps.

Typical vulnerabilities in coaching workflows

  • Shared logins or weak passwords; MFA not enabled.
  • Unencrypted devices or backups; lack of remote wipe.
  • Using personal email or SMS for ePHI; auto‑forwarding to noncompliant inboxes.
  • Unpatched software; unsupported operating systems.
  • Informal data transfers (USB drives) or mixing client files with personal cloud folders.

Build risk scenarios

  • “Phone with client notes is stolen; device lacks passcode and encryption.”
  • “Assistant falls for phishing; attacker sets inbox forwarding for ePHI.”
  • “Cloud folder shared ‘Anyone with the link’; client assessment exports exposed.”

Checklist

  • List at least 10 threats relevant to your systems and context.
  • Map each threat to one or more specific vulnerabilities.
  • Create concise risk scenarios describing actor, asset, and impact.

Assess Likelihood and Impact of Risks

Score each scenario for likelihood and impact, then calculate overall risk (Risk = Likelihood × Impact). Use simple 1–5 scales to keep ratings consistent and repeatable.

Scoring tips

  • Likelihood: exposure to the threat, ease of exploitation, existing control strength, detectability.
  • Impact: volume/sensitivity of ePHI, legal/regulatory consequences, financial loss, client trust, operational downtime.
  • Define thresholds for Low/Medium/High to drive action without debate.

Worked example

  • Scenario: stolen, unencrypted phone with client messages.
  • Likelihood: 4 (frequent travel; no MDM/MFA on messaging app).
  • Impact: 5 (direct ePHI exposure and notification obligations).
  • Risk score: 20 → High; requires immediate mitigation.

Checklist

  • Adopt a single scoring rubric and apply it across all scenarios.
  • Produce a prioritized risk register with owners and timelines.
  • Highlight “High” risks needing short‑term controls and “Quick Wins.”

Implement Risk Mitigation Measures

Select risk mitigation strategies that reduce likelihood and/or impact, starting with High risks. Balance administrative safeguards (policies, training, procedures) with technical safeguards (access controls, encryption, monitoring).

Quick wins (next 30 days)

  • Enable MFA and unique logins on all ePHI systems; remove shared accounts.
  • Encrypt all devices and backups; require strong screen locks and auto‑lock.
  • Move ePHI conversations to a secure portal or compliant messaging platform; disable SMS for ePHI.
  • Patch devices and critical apps; uninstall unused software and extensions.
  • Implement a password manager and minimum password standards (length, uniqueness).

Planned improvements (60–180 days)

  • Deploy MDM for remote wipe, configuration baselines, and inventory.
  • Formalize incident response and contingency plans with tabletop tests.
  • Centralize logging and set a monthly review cadence.
  • Segment home/office networks; use a VPN on public Wi‑Fi.
  • Complete vendor risk reviews and execute or update BAAs.

Risk treatment decisions

  • Reduce: implement controls to lower the score.
  • Accept: document rationale for low, residual risks.
  • Transfer: obtain cyber liability insurance where appropriate.
  • Avoid: discontinue high‑risk processes or tools.

Checklist

  • For each High/Medium risk, select controls, owners, and due dates.
  • Record residual risk after mitigation and planned review date.
  • Track completion and verify controls are operating as intended.
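The scoring rubric (Risk = Likelihood × Impact on 1–5 scales), the prioritized risk register, the treatment decisions and the residual-risk check described above can be kept in a small script rather than a spreadsheet. The following is an added example, not code from the original article or from Accountable; the Low/Medium/High thresholds, the owner names, and the ratings for the phishing and cloud-sharing scenarios are assumptions (the article defines only the stolen-phone scenario at 4 × 5 = 20 → High).

```python
"""Risk register for the Likelihood x Impact rubric used in this guide.

Added example. Thresholds, owners, and the non-phone ratings are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed thresholds on the 1-25 product scale. The article asks you to define
# Low/Medium/High cut-offs but does not state values; 20 must land in High.
HIGH_THRESHOLD = 15
MEDIUM_THRESHOLD = 8
TREATMENTS = {"reduce", "accept", "transfer", "avoid"}


@dataclass
class RiskScenario:
    scenario: str
    likelihood: int            # 1-5 inherent likelihood (before new controls)
    impact: int                # 1-5 inherent impact
    owner: str = "unassigned"
    treatment: str = "reduce"  # reduce | accept | transfer | avoid
    residual_likelihood: Optional[int] = None  # rating after planned controls
    residual_impact: Optional[int] = None


def validate_rating(value, name):
    """Reject anything outside the 1-5 scale so scores stay comparable."""
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")
    return value


def risk_score(likelihood, impact):
    return validate_rating(likelihood, "likelihood") * validate_rating(impact, "impact")


def risk_level(score):
    if score >= HIGH_THRESHOLD:
        return "High"
    if score >= MEDIUM_THRESHOLD:
        return "Medium"
    return "Low"


def residual_score(risk):
    """Residual equals inherent until a post-mitigation rating is recorded."""
    if risk.residual_likelihood is None or risk.residual_impact is None:
        return risk_score(risk.likelihood, risk.impact)
    return risk_score(risk.residual_likelihood, risk.residual_impact)


def build_register(risks):
    """Score every scenario and return rows sorted highest inherent risk first."""
    rows = []
    for r in risks:
        if r.treatment not in TREATMENTS:
            raise ValueError(f"unknown treatment {r.treatment!r} for {r.scenario!r}")
        inherent = risk_score(r.likelihood, r.impact)
        residual = residual_score(r)
        rows.append({
            "scenario": r.scenario, "owner": r.owner, "treatment": r.treatment,
            "inherent_score": inherent, "inherent_level": risk_level(inherent),
            "residual_score": residual, "residual_level": risk_level(residual),
        })
    rows.sort(key=lambda row: (-row["inherent_score"], row["scenario"]))
    return rows


def review_findings(register):
    """Flag rows that break the guide's rules: High risks need an owner,
    and 'accept' is only for low residual risks."""
    findings = []
    for row in register:
        if row["inherent_level"] == "High" and row["owner"] == "unassigned":
            findings.append(f"{row['scenario']}: High risk has no owner")
        if row["residual_level"] == "High":
            if row["treatment"] == "accept":
                findings.append(f"{row['scenario']}: 'accept' is only for low residual risk")
            else:
                findings.append(f"{row['scenario']}: residual risk still High; add controls")
    return findings


# Constructed sample register; only the phone scenario's 4/5 rating is from the article.
SAMPLE_RISKS = [
    RiskScenario("Phone with client notes stolen; no passcode or encryption",
                 4, 5, owner="Coach", residual_likelihood=2, residual_impact=3),
    RiskScenario("Assistant falls for phishing; attacker sets inbox forwarding",
                 3, 4, owner="Coach"),
    RiskScenario("Cloud folder shared 'Anyone with the link'; exports exposed",
                 3, 5, treatment="accept"),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        print(f"{row['inherent_score']:>2} {row['inherent_level']:<6} -> "
              f"{row['residual_score']:>2} {row['residual_level']:<6} {row['scenario']}")
    for finding in review_findings(build_register(SAMPLE_RISKS)):
        print("FINDING:", finding)
```

Keeping the rubric in code makes the thresholds explicit and versionable, and the `review_findings` pass turns the checklist items ("select controls, owners, and due dates", "record residual risk") into checks you can rerun at each quarterly review.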

Document and Review Risk Assessment

Create thorough risk assessment documentation that shows your methodology, findings, and decisions. Good records demonstrate due diligence and support continuous improvement.

What to include in your report

  • Scope statement, asset inventory, and data‑flow diagrams.
  • Methodology, scoring rubric, and assumptions.
  • Threats, vulnerabilities, and risk scenarios with scores.
  • Selected controls, implementation plan, owners, and timelines.
  • Residual risk, acceptance decisions, and management sign‑off.
  • Appendices: policies, training evidence, backups/tests, BAAs.

Maintain and review

  • Review at least annually and whenever systems, vendors, or staffing change—or after an incident.
  • Version‑control your report and retain documentation for at least six years.
  • Schedule a brief quarterly check‑in to validate progress and adjust priorities.

Checklist

  • Assemble a single, dated risk assessment report and risk register.
  • Capture decisions and rationale for each high‑priority item.
  • Log review dates, revisions, and sign‑offs.

Utilize Resources and Tools for Compliance

Lean on practical tools that make compliance sustainable. Choose solutions that reinforce access controls, encryption, auditing, backups, and user training without adding friction to your coaching workflow.

Tool categories to consider

  • Risk assessment templates or the Security Risk Assessment (SRA) approach for small practices.
  • Password manager with MFA enforcement and shared vaults for teams.
  • Secure messaging/portal or EHR with audit logging and role‑based access.
  • MDM for device encryption, configuration, and remote wipe.
  • Automated backups with encryption and periodic restore testing.
  • Log collection/review tools and basic endpoint protection.
  • Security awareness training and phishing simulations.

Evaluate Business Associates

  • Confirm BAAs, review security features, and validate data handling practices.
  • Prefer vendors that support encryption, audit logs, granular permissions, and export controls.

Summary and Next Steps

  • Define scope and assets, then inventory safeguards.
  • Identify threats and vulnerabilities tied to real workflows.
  • Score risks, prioritize actions, and implement risk mitigation strategies.
  • Produce clear risk assessment documentation, assign owners, and review routinely.

FAQs

What is the purpose of a HIPAA risk assessment for health coaches?

It helps you identify how ePHI could be exposed, altered, or lost, evaluate current controls under the HIPAA Security Rule, and choose targeted improvements. The outcome is a prioritized plan to reduce risk while protecting clients and your practice.

How often should health coaches perform HIPAA risk assessments?

Conduct a full assessment at least annually and whenever you add or change systems, vendors, or staffing—or after any security incident. In between, do brief quarterly reviews to verify progress and catch emerging risks.

What are common vulnerabilities affecting health coaches’ ePHI?

Frequent issues include weak or shared passwords, missing MFA, unencrypted devices or backups, insecure texting/email, misconfigured cloud sharing, use of unvetted apps, lack of BAAs with vendors, and risky public Wi‑Fi or home network setups.

How can health coaches document their HIPAA risk assessments effectively?

Maintain a centralized risk register and a concise report covering scope, methods, scenarios, scores, chosen controls, timelines, and residual risk. Attach policies, training records, backup tests, and BAAs, track revisions and approvals, and retain the documentation for at least six years.
