Information Security Risk Assessment Best Practices for Covered Entities and Business Associates

Protecting electronic protected health information requires more than checking boxes—you need a living, documented security risk assessment that drives measurable controls, vendor oversight, and continual improvement. This guide translates regulatory expectations into practical steps you can apply across your environment and your business associate ecosystem.

HIPAA Security Rule Requirements

What the Security Rule expects

The HIPAA Security Rule requires you to perform an accurate and thorough risk analysis of risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI, and to implement risk management measures that reduce those risks to a reasonable and appropriate level. You must document decisions, review them periodically, and update them when your environment changes.

Safeguard categories

• Administrative safeguards: risk analysis and risk management, assigned security responsibility, workforce security and training, information system activity review, contingency planning, and evaluation.
• Physical safeguards: facility access controls, workstation and device protections, and media controls for the full lifecycle of ePHI.
• Technical safeguards: access control, audit controls, integrity, person or entity authentication, and transmission security (for example, encryption standards for data in transit and at rest).

Governance and accountability

Designate information security officers with authority to enforce policy, prioritize initiatives, and report risk to leadership. Maintain policies and procedures, keep evidence of implementation, and ensure sanctions for noncompliance are applied consistently across your workforce and business associates.

Risk Assessment Process

Scope and inventory

Start by mapping where ePHI is created, received, maintained, processed, or transmitted—on premises, in cloud and SaaS platforms, medical devices, and with business associates. Document data flows, trust boundaries, and dependencies to ensure nothing is missed.

Threats, vulnerabilities, and likelihood/impact

Identify plausible threats (ransomware, insider misuse, phishing, vendor compromise, system failure) and vulnerabilities (unpatched systems, weak access controls, misconfigurations). Rate likelihood and impact to determine inherent risk for each asset or process handling ePHI.

Risk mitigation strategies

For high and moderate risks, define specific risk mitigation strategies with owners, resources, and deadlines. Typical actions include multi-factor authentication for all remote and privileged access, hardening baselines, encryption standards for data in transit/at rest, least-privilege access, segmentation, continuous monitoring, and tested backups.

Plan, document, and track

• Create a risk register and a Plan of Action and Milestones to track remediation through closure and to record residual risk acceptance when justified.
• Report status to leadership routinely; use metrics such as time-to-remediate, percentage of systems covered by MFA, and patch latency.
• Reassess after material changes—system deployments, mergers, incidents, or onboarding new business associates.

Security Risk Assessment Tool

Purpose and outcomes

A structured Security Risk Assessment Tool helps you walk through the Security Rule’s control areas, score maturity, and generate an auditable report. Use it to standardize evidence collection, highlight gaps, and prioritize remediation in alignment with your risk register.

Good practices for tool use

• Tailor the questionnaire to your environment (clinical systems, cloud apps, endpoints, connected devices) and to the ePHI data flows you identified.
• Augment questionnaires with technical validation—configuration reviews, vulnerability scans, logging coverage checks, and access attestation.
• Treat the output as input to risk management, not an end-state. Convert findings into funded actions with clear owners and due dates.

Integrating evidence

Attach artifacts such as network diagrams, asset inventories, encryption key management procedures, incident response playbooks, and third-party attestations (for example, SOC 2 Type II or HITRUST) to strengthen defensibility during audits or investigations.

Business Associate Agreements

Core requirements

• Permitted and required uses/disclosures of ePHI, minimum necessary, and prohibition on unauthorized uses.
• Security obligations to implement safeguards that protect ePHI and to report security incidents and breaches promptly.
• Subcontractor flow-down so downstream entities with access to ePHI assume the same obligations.
• Right to audit, cooperation with investigations, and obligations to make records available if required.
• Return or destruction of ePHI at termination where feasible and procedures for data disposition when not feasible.

Operationalizing BAAs

Map BAA clauses to your cybersecurity vendor oversight program. Set measurable expectations—MFA enforcement, encryption standards, vulnerability remediation timelines, logging and monitoring—and require timely notification and coordinated response for incidents affecting your ePHI.

Proposed HIPAA Security Rule Updates

Anticipated areas of emphasis

Proposals and guidance have increasingly emphasized demonstrable risk analysis, timely mitigation, stronger identity controls (such as multi-factor authentication), robust encryption, audit logging, and enhanced business associate oversight. Expect closer alignment with recognized security practices and sector cybersecurity goals.

Readiness steps you can take now

• Document how your risk analysis drives funding and implementation, not just policy.
• Show evidence of recognized security practices through policies, technical configurations, and third-party attestations where applicable.
• Strengthen incident response, ransomware readiness, and breach notification playbooks with tested procedures and clear decision authorities.

Due Diligence in Selecting Business Associates

Risk-based vendor segmentation

Tier vendors by the volume, sensitivity, and criticality of ePHI they handle. Apply rigorous due diligence for high-risk vendors and lighter reviews for low-risk ones, while ensuring every vendor with ePHI is under a signed BAA before access begins.

Evaluation checklist

• Security posture: multi-factor authentication, encryption standards, endpoint protection, vulnerability and patch management, secure SDLC, and incident response maturity.
• Independent assurance: review third-party attestations (e.g., SOC 2 Type II, ISO/IEC 27001, HITRUST) and findings closure evidence.
• Data handling: data location, subcontractors, data retention, secure disposal, and segregation of customer data.
• Monitoring: ongoing cybersecurity vendor oversight through periodic assessments, performance SLAs, and right-to-audit execution.

Contractual safeguards

Embed security requirements, breach notification timelines, cooperation duties, and evidence-sharing obligations directly in the BAA and statements of work. Align them with your internal controls so oversight is continuous and enforceable.

Continuous Risk Management

Operate, measure, and improve

Make risk management an ongoing program: continuous monitoring, vulnerability scanning and timely patching, log review, and access recertification. Track KPIs and KRIs that reflect risk reduction—time-to-detect, time-to-contain, privileged account coverage by MFA, and backup restore success rates.

People and process

Empower information security officers to chair a governance forum that reviews the risk register, funding, and remediation progress. Conduct routine training and phishing simulations, hold tabletop exercises, and update procedures after lessons learned from incidents and audits.

Documentation and cadence

Keep your assessment, decisions, and evidence current. Reassess at least annually and whenever significant changes occur. Ensure leadership receives regular reports that connect risk, operations, and business outcomes.

Conclusion

By grounding decisions in a thorough risk analysis, enforcing strong technical controls, and extending oversight to business associates, you create a defensible, resilient program for protecting ePHI. Treat the assessment as your roadmap and use measurable, continuous improvements to keep pace with evolving threats and expectations.

FAQs.

What are the key components of a HIPAA security risk assessment?

You identify where ePHI resides and flows, enumerate threats and vulnerabilities, rate likelihood and impact, prioritize risks, and implement risk mitigation strategies. You then document decisions, assign owners and deadlines, verify control effectiveness, record residual risk, and update the assessment after changes or incidents.

How often should risk assessments be conducted for covered entities?

Perform a comprehensive assessment at least annually and whenever there are material changes—new systems, major upgrades, migrations, mergers, or significant incidents. Supplement with ongoing reviews, monitoring results, and targeted mini-assessments to keep the risk register current.

What are the requirements for business associate agreements under HIPAA?

BAAs must define permitted uses and disclosures of ePHI, require appropriate safeguards, mandate incident and breach reporting, flow down obligations to subcontractors, allow cooperation and audit as needed, and set terms for returning or destroying ePHI upon termination.

How do proposed updates affect existing risk management practices?

They reinforce the need to show that your risk analysis drives real-world controls—such as multi-factor authentication, encryption standards, logging, and vendor oversight—and that you can prove recognized security practices with evidence. Preparing now shortens the path to compliance when changes finalize.