How to Write a HIPAA Risk Assessment: Real-World Example and Checklist

Identifying Strengths and Weaknesses in Safeguards

You begin by mapping how Protected Health Information (PHI) is created, received, maintained, and transmitted. This shows where safeguards already work and where they are thin or missing. Use interviews, walk-throughs, and system reviews to capture what is actually happening—not just what policies say.

Evidence to gather includes policies and procedures, asset inventories, network diagrams, access lists, audit logs, backup reports, results from network vulnerability scans, security awareness training records, incident tickets, and disaster recovery testing results. Compare these artifacts to HIPAA Security Rule standards to pinpoint strengths and gaps.

Typical strengths you might see: centralized EHR with role-based access, endpoint encryption, and documented onboarding/offboarding. Common weaknesses: shared accounts in legacy tools, inconsistent MFA, stale user access, untested backups, or missing Business Associate Agreements (BAAs) with service providers.

Evaluating Physical Technical and Administrative Safeguards

Physical safeguards

Verify facility access controls, visitor procedures, server room protections, workstation positioning, and media disposal. Test basics: are network closets locked, cameras covering entrances, and paper PHI secured after hours? Confirm that device inventories track where PHI-capable hardware lives.

Technical safeguards

Assess access control (unique IDs, least privilege, MFA), audit controls (log collection, retention, review cadence), integrity controls (hashing, EHR change tracking), transmission and storage security (TLS, full-disk encryption), and automatic logoff. Use network vulnerability scans to validate patching and configuration hygiene, and confirm endpoint protection and email filtering are active and monitored.

Administrative safeguards

Review the risk analysis and the Risk Management Plan that flows from it, sanctions policy, contingency plans, incident response, and vendor management. Evaluate the scope and frequency of security awareness training, how often workforce role-based training occurs, and whether leadership receives periodic risk reports tied to business objectives.

Documenting Risk Assessment Findings

Record each risk in a structured register: a clear risk statement (threat + vulnerability + PHI impact), affected assets/processes, existing controls, likelihood, impact, risk rating, recommended remediation, owner, target date, and residual risk after treatment. Keep the narrative concise and evidence-based.

Real-World Example: Multi-Site Outpatient Clinic

Context: A 12-provider clinic using a cloud EHR, remote billing, and e-faxing. PHI flows include patient intake tablets, EHR, lab portals, e-fax, and backups.

• Risk 1: Remote desktop left open to the internet with single-factor access. Likelihood: High; Impact: High; Rating: Critical. Action: Restrict to VPN, enforce MFA, disable direct RDP, add log monitoring.
• Risk 2: Monthly backups encrypted at rest but restore not tested in 12 months. Likelihood: Medium; Impact: High; Rating: High. Action: Perform disaster recovery testing quarterly and document results.
• Risk 3: Cloud e-fax vendor missing executed BAA. Likelihood: Medium; Impact: High; Rating: High. Action: Execute BAA, review data retention and deletion terms, add vendor to ongoing review cadence.
• Risk 4: Stale AD groups granting PHI access to former temp staff. Likelihood: Medium; Impact: Medium; Rating: Medium. Action: Quarterly access recertification; automate deprovisioning from HR events.

Outcomes: Critical/high risks mitigated within 30–60 days; residual risk documented; leadership signs off on accepted low risks. The updated Risk Management Plan ties actions to owners, timelines, and evidence of completion.

Tailoring Assessments to Practice Needs

Scale depth to your footprint. A small practice may focus on endpoints, Wi‑Fi, EHR settings, and vendor BAAs; a large system layers in segmentation reviews, change management, and advanced monitoring. Telehealth-heavy workflows elevate identity proofing, endpoint hardening, and home-office safeguards.

Align methods with how you operate: cloud-first environments require stronger Third-Party Vendor Risk oversight; on-prem setups demand patch cadence verification and physical security checks. Prioritize PHI flow “choke points” where a single failure has outsized impact—identity access, email, backups, and e-faxing.

Using a HIPAA Risk Assessment Checklist

1. Define scope and PHI data flows (create/receive/maintain/transmit), including shadow IT and mobile use.
2. Assemble roles: compliance lead, IT/security, operations, and a decision-maker to approve the Risk Management Plan.
3. Collect artifacts: policies, asset inventory, network diagrams, user/access lists, audit logs, training records, BAAs, prior incidents, vulnerability and configuration reports.
4. Identify threats and vulnerabilities across physical, technical, and administrative safeguards using HIPAA Security Rule standards as the benchmark.
5. Test controls: run network vulnerability scans, review privileges, sample audit logs, attempt a backup restore, and validate disaster recovery testing.
6. Rate risks (likelihood × impact), noting PHI types/volumes affected and potential patient and operational harm.
7. Decide treatments: mitigate, accept, transfer, or avoid. For mitigations, specify control changes and success criteria.
8. Build the Risk Management Plan with actions, owners, dates, required resources, and expected residual risk.
9. Document exceptions and acceptance rationales; capture leadership approval and re-review dates.
10. Communicate outcomes and update procedures; reinforce through security awareness training and targeted role-based guidance.
11. Monitor: track remediation status and key metrics (patch latency, failed logins, phishing rates, backup restore times).
12. Review and refresh the assessment on schedule or when triggers occur (new system, incident, vendor change, location move).

Managing Third-Party Vendor Risks

Inventory all vendors touching PHI and categorize by data sensitivity and operational criticality. For each, confirm an executed BAA, data flow specifics, encryption practices, incident notification timelines, subcontractor use, and data retention/deletion terms.

Perform due diligence proportionate to risk: security questionnaires, independent audit reports, breach history, and control attestations. Track findings in a vendor risk register, assign owners, and set remediation dates. Establish onboarding and offboarding checklists so PHI access is granted—and removed—cleanly.

Operationalize oversight: require timely vulnerability remediation from vendors, define uptime and recovery objectives, and integrate vendor events into your incident response and disaster recovery testing.

Updating Risk Management Plans Regularly

Treat the Risk Management Plan as a living program. Review status monthly, highlight blockers, and recalibrate priorities as business or threat conditions change. Elevate metrics that show control health: MFA coverage, privileged access reviews, patch cycles, backup restore success, and training completion.

Set update cadences: perform a comprehensive risk assessment at least annually and after major changes or incidents; refresh vendor reviews on a defined schedule; re-run network vulnerability scans routinely. Close the loop by validating that implemented fixes actually reduce risk, then document residual risk and leadership acceptance.

In summary, you write a strong HIPAA risk assessment by mapping PHI flows, testing safeguards against the HIPAA Security Rule, documenting clear, prioritized risks, executing a practical checklist, managing Third-Party Vendor Risk, and maintaining an actionable Risk Management Plan that you update and verify over time.

FAQs.

What is a HIPAA risk assessment?

A HIPAA risk assessment is a systematic analysis of how PHI is handled and protected, identifying threats, vulnerabilities, and the likelihood and impact of potential events. It evaluates physical, technical, and administrative safeguards against the HIPAA Security Rule and drives a Risk Management Plan to reduce risk to reasonable and appropriate levels.

Why is documentation important in HIPAA risk assessments?

Documentation proves due diligence, enables consistent remediation, and creates traceability for decisions, ownership, and timelines. It also records residual risk and leadership acceptance, supports audits and investigations, and ensures your Risk Management Plan is actionable and measurable.

How often should a HIPAA risk assessment be updated?

Conduct a comprehensive assessment at least annually and update it whenever significant changes occur—such as new systems, major process shifts, vendor additions, incidents, or mergers. Routine refreshes of vulnerability scans, access reviews, and vendor oversight keep the assessment current between annual cycles.

What are the key components of a HIPAA risk assessment checklist?

Core components include PHI flow mapping and scope, artifact collection, evaluation of physical/technical/administrative safeguards, technical testing (network vulnerability scans, backup restore, disaster recovery testing), risk rating, treatment decisions, a detailed Risk Management Plan, documentation of exceptions, training and communication, and ongoing monitoring with defined metrics.