How to Perform a HIPAA Security Risk Assessment, Step by Step

A HIPAA Security Risk Assessment helps you identify and reduce risks to electronic Protected Health Information (ePHI). Use this step-by-step guide to scope your effort, analyze threats, and implement risk mitigation strategies that align with the HIPAA Security Rule.

Scope the Assessment

Define objectives and success criteria

Clarify what you want the assessment to accomplish: regulatory compliance, reduced breach likelihood, audit readiness, or program maturity. Document success criteria such as closed high risks, updated policies, and complete risk analysis documentation.

Set boundaries and inclusions

Identify where ePHI lives and moves: applications, databases, endpoints, networks, medical devices, cloud services, and backups. Include all facilities and remote work scenarios where workforce members access ePHI.

Establish roles and timeline

Assign an owner, contributors, and approvers. Define milestones for discovery, analysis, remediation planning, and reporting so the HIPAA Security Risk Assessment stays on schedule.

Gather Information

Inventory assets and data

• Catalog systems, devices, and repositories that store, process, or transmit ePHI.
• Classify data sensitivity and map who uses it, where it’s stored, and how it’s protected.

Map data flows

Diagram how ePHI enters, moves through, and exits your environment, including patient portals, EHR integrations, and backup/archival paths. Note encryption, authentication, and transmission methods at each hop.

Collect policies, records, and third-party details

• Gather policies, procedures, training logs, incident reports, and prior assessment results.
• Assemble copies of business associate agreements and note each vendor’s role with ePHI.
• Pull technical evidence: access lists, audit logs, patch status, vulnerability scans, and network diagrams.

Identify Potential Threats and Vulnerabilities

Threat categories

• Human: phishing, credential theft, insider misuse, accidental disclosure.
• Technical: unpatched systems, insecure APIs, misconfigurations, ransomware.
• Physical/environmental: theft, device loss, facility intrusion, fire, flood, power loss.
• Process: gaps in onboarding/offboarding, change management, or incident response.

Common vulnerabilities

• Weak access controls, lack of multifactor authentication, excessive privileges.
• Unencrypted portable devices, inadequate key management, insufficient audit logging.
• Legacy systems, unsupported medical devices, and delayed patching.
• Inadequate workstation security, poor media disposal, or missing escort procedures.
• Incomplete or outdated business associate agreements and vendor oversight gaps.

Create a risk register

List each threat–vulnerability pair, affected assets, existing controls, and preliminary risk ratings. This register becomes the backbone of your risk analysis documentation and later remediation tracking.

Assess Current Security Measures

Administrative safeguards

• Risk management program, assigned security responsibility, and workforce training.
• Sanction policy, incident response plan, contingency planning, and evaluation processes.
• Vendor management procedures tied to business associate agreements and ongoing due diligence.

Technical safeguards

• Access controls: unique IDs, role-based access, least privilege, and multifactor authentication.
• Audit controls: centralized logging, log retention, and regular review of alerts.
• Integrity and transmission security: encryption at rest and in transit, integrity checks, secure protocols.
• Endpoint security: configuration baselines, EDR/antivirus, patching, and mobile device management.

Physical safeguards

• Facility access controls, visitor management, cameras, and secure areas.
• Workstation security and positioning to limit shoulder surfing and unauthorized use.
• Device and media controls: inventory, secure storage, and verified destruction.

Determine the Likelihood and Impact of Risks

Use a consistent scoring model

Rate likelihood and impact on a simple 1–5 scale, then compute risk = likelihood × impact. Calibrate criteria so scoring is consistent across teams and systems.

Consider business and compliance impact

Evaluate consequences for confidentiality, integrity, and availability of ePHI, as well as regulatory exposure, financial loss, patient safety, and operational downtime. Document the rationale for each score.

Example

Lost, unencrypted laptop with ePHI: likelihood 3, impact 5, risk 15 (high). After full-disk encryption and rapid remote wipe, likelihood drops to 2 and risk to 10 (medium).

Develop a Risk Mitigation Plan

Prioritize by risk and effort

Tackle high-risk, low-effort items first, then address high-impact projects with clear milestones. Define risk acceptance thresholds and escalation paths for unresolved items.

Select actionable controls

• Strengthen authentication and access reviews; remove dormant and excessive privileges.
• Encrypt data at rest and in transit; protect keys; enforce secure configurations.
• Harden endpoints and servers; accelerate patch cycles; segment networks; improve backups.
• Enhance monitoring and alerting; conduct phishing simulations and role-based training.
• Tighten vendor oversight; update business associate agreements; verify control attestations.

Plan, own, and validate

Create remediation tickets with owners, budgets, and timelines. Define success metrics, test implemented controls, and record residual risk to demonstrate effective risk mitigation strategies.

Document the Assessment Process

What to capture

• Methodology, scope, asset inventory, data flows, and assumptions.
• Threats, vulnerabilities, control evaluations, scores, and decisions.
• Risk register, mitigation plans, testing results, and residual risk statements.
• Evidence: screenshots, logs, training records, and copies of business associate agreements.

Make it audit-ready

Ensure the risk analysis documentation is clear, versioned, and mapped to relevant safeguards. Record dates, approvers, and updates so you can demonstrate an ongoing, repeatable process.

Review and Update Regularly

Cadence and triggers

Review at least annually and whenever major changes occur, such as new systems, acquisitions, telehealth expansions, remote work shifts, or significant incidents. Reassess risks after any control changes to confirm effectiveness.

Continuous monitoring

Track key indicators: vulnerability scan results, phishing click rates, log review findings, incident response metrics, and backup restore tests. Use trends to refine training and controls over time.

Conclusion

By scoping accurately, gathering the right evidence, evaluating safeguards, and executing a prioritized plan, you can reduce risk to ePHI and show HIPAA due diligence. Keep the assessment living through documentation, monitoring, and regular updates.

FAQs.

What are the key steps in a HIPAA security risk assessment?

Define scope, gather asset and data flow information, identify threats and vulnerabilities, assess administrative safeguards, technical safeguards, and physical safeguards, score likelihood and impact, develop and execute a mitigation plan, and maintain thorough risk analysis documentation.

How often should a HIPAA risk assessment be updated?

Update it at least annually and whenever material changes occur—new systems, significant incidents, vendor changes, or process shifts. Re-score risks after implementing controls to confirm residual risk is acceptable.

What types of threats should be identified in the assessment?

Include human threats (phishing, insider misuse), technical threats (ransomware, misconfigurations, unpatched software), physical/environmental threats (theft, fire, power loss), and process gaps that could expose electronic Protected Health Information.

How does documentation support HIPAA compliance?

Comprehensive, versioned documentation shows your methodology, findings, decisions, and remediation progress. It evidences due diligence, supports audits, and enables consistent execution of risk mitigation strategies across your environment.