Security Risk Assessment Checklist for IT Systems under the HIPAA Rule

This Security Risk Assessment Checklist for IT Systems under the HIPAA Rule helps you evaluate how well your environment protects electronic Protected Health Information while meeting HIPAA compliance requirements. Use it to structure evidence, prioritize fixes, and demonstrate due diligence to leadership and auditors.

Asset Inventory and Data Mapping

Build a complete, current inventory

• List every asset that creates, receives, maintains, or transmits electronic Protected Health Information: servers, laptops, mobile devices, virtual machines, databases, applications, medical devices, and cloud services.
• Include network segments, VPNs, storage locations, backups, removable media, and third-party platforms where ePHI may reside.
• Record business owners, technical custodians, criticality, environment (prod/dev/test), and data classification for each asset.

Map ePHI data flows end to end

• Diagram how ePHI enters, moves through, and leaves your systems, including interfaces, APIs, file transfers, and messaging channels.
• Identify where ePHI is at rest and in transit, who can access it, and what controls protect confidentiality, integrity, and availability.
• Document retention locations and backups to ensure recoverability and proper deletion when required.

Verify accuracy and traceability

• Assign unique asset identifiers and reconcile against procurement records, endpoint management, and cloud inventories.
• Tag assets that handle ePHI and link them to documented business processes to support HIPAA compliance requirements.
• Establish change-control hooks so new systems cannot go live without being added to the inventory and data maps.

Risk Analysis

Identify threats and vulnerabilities

• Catalog plausible threats: phishing, ransomware, lost or stolen devices, misconfiguration, insider misuse, third-party failures, and service outages.
• Enumerate vulnerabilities: unsupported software, weak authentication, open ports, excessive privileges, unencrypted data stores, and unmonitored logs.
• Consider administrative safeguards, physical safeguards, and technical safeguards when evaluating exposure across people, facilities, and technology.

Assess likelihood and impact

• Use a repeatable scoring model for likelihood and business impact, focusing on confidentiality, integrity, and availability of ePHI.
• Calculate inherent risk, apply existing controls, and estimate residual risk; define thresholds for what requires immediate action.
• Document assumptions, data sources, and rationale so results can be reproduced and defended.

Prioritize what matters

• Rank scenarios that could disrupt patient care, cause data exfiltration, or trigger noncompliance with HIPAA compliance requirements.
• Group similar findings and map them to affected assets and data flows to drive focused remediation projects.

Security Measures Assessment

Evaluate administrative safeguards

• Governance: risk management, security program charter, roles and responsibilities, and workforce security processes.
• Access management: authorization, onboarding/offboarding, least privilege, and periodic access reviews.
• Contingency planning: backup, disaster recovery, and continuity procedures aligned to business impact.
• Awareness and training: program scope, frequency, metrics, and accountability.

Evaluate physical safeguards

• Facility access controls, visitor management, surveillance, and environmental protections for server rooms and critical areas.
• Workstation security: screen locks, privacy filters, and secure workspace practices.
• Device and media controls: inventory, secure storage, transport, reuse, and disposal of hardware containing ePHI.

Evaluate technical safeguards

• Access controls: unique IDs, multi-factor authentication, network segmentation, privileged access management, and session timeouts.
• Encryption: data at rest and in transit, key management, and coverage validation for backups and mobile devices.
• Audit controls and monitoring: centralized logging, alerting, and investigations with clear retention and review procedures.
• Integrity and transmission security: anti-malware, EDR, secure configurations, patching, TLS, email security, and DLP where warranted.

Validate control effectiveness

• Run vulnerability scans, configuration baselines, penetration tests, and tabletop exercises; remediate and retest.
• Record exceptions with compensating controls, owners, and expiration dates.

Risk Management Plan

Define risk mitigation strategies

• Select a treatment option for each high-priority risk: avoid, reduce, transfer, or accept with justification.
• Specify control changes, project tasks, budgets, and expected risk reduction for each initiative.

Make it actionable

• Assign accountable owners, due dates, success metrics, and evidence requirements for closure.
• Integrate with change management so security updates are tracked, tested, and approved before deployment.

Maintain visibility

• Publish a living roadmap that links risks to planned or implemented controls and shows progress over time.
• Escalate overdue or high-impact items to leadership to maintain alignment with HIPAA compliance requirements.

Policy and Procedure Review

Confirm coverage and currency

• Ensure policies address acceptable use, access control, identity and password standards, remote access, mobile/BYOD, encryption, vulnerability management, change management, backup, and disaster recovery.
• Verify procedures match practice, include step-by-step instructions, and identify roles for execution and approval.
• Review sanction policy, minimum necessary use, and documentation of policy exceptions.

Measure and improve

• Check version control, review cadence, and evidence of workforce acknowledgment.
• Map policies and procedures to administrative safeguards, physical safeguards, and technical safeguards to demonstrate traceability.

Employee Training

Establish a role-based program

• Provide onboarding and periodic refreshers that explain how staff handle electronic Protected Health Information safely.
• Deliver specialized training for IT, system administrators, clinicians, and vendors with system access.

Focus on practical behaviors

• Teach phishing recognition, reporting procedures, password and MFA hygiene, secure data handling, and mobile/remote work practices.
• Reinforce incident reporting channels and the consequences defined in the sanction policy.

Verify effectiveness

• Use assessments, simulated phishing, and targeted coaching; track completion and remediation for noncompliance.

Incident Response Plan

Structure the lifecycle

• Preparation: roles, contact lists, tools, playbooks, legal and communications coordination.
• Detection and analysis: triage criteria, evidence collection, severity definitions, and escalation paths.
• Containment, eradication, and recovery: stepwise actions for malware, data loss, compromised accounts, and system outages.
• Post-incident review: root cause, lessons learned, control improvements, and documentation.

Address notification and decision-making

• Define breach assessment criteria and decision trees that align with HIPAA compliance requirements.
• Prepare communication templates for affected individuals, leadership, and business associates, as applicable.

Test and refine

• Run periodic tabletop exercises and update playbooks based on outcomes and new threats.

Regular Audits and Monitoring

Implement continuous monitoring

• Centralize logs, alerts, and detections for endpoints, servers, applications, identity providers, and network devices.
• Monitor key indicators: failed logins, unusual data transfers, privilege escalations, sensitive file access, and backup status.

Schedule technical and procedural audits

• Perform vulnerability scans, patch compliance checks, configuration reviews, access recertifications, and data loss prevention reviews.
• Audit adherence to policies and procedures and verify evidence of control execution.

Use metrics to drive action

• Track mean time to detect and respond, patching cycle times, encryption coverage, and incident volumes by category.
• Report trends, highlight risk concentrations, and feed results back into the Risk Management Plan.

Business Associate Management

Identify and contract appropriately

• List all vendors and partners that handle ePHI and ensure business associate agreements are executed before data sharing begins.
• Define required controls, breach reporting expectations, and right-to-audit provisions in each agreement.

Perform due diligence and oversight

• Evaluate security posture through questionnaires, technical tests where appropriate, and review of independent assurance reports.
• Assess data flows, minimum necessary access, and segregation between customer environments.

Monitor throughout the lifecycle

• Track security obligations, high-risk findings, and incident notifications; verify timely remediation.
• Plan for termination, data return, or destruction and validate completion.

Documentation and Record-Keeping

Maintain comprehensive evidence

• Keep the latest risk analysis, risk register, treatment plans, asset inventory, and data flow diagrams.
• Retain policies, procedures, training materials and attendance, incident records, audit reports, and corrective action evidence.
• Store business associate agreements, access reviews, encryption attestations, and backup/recovery test results.

Ensure integrity and accessibility

• Protect records with access controls and encryption; back them up and test restorations.
• Use standardized templates and versioning so reviewers can trace decisions and changes over time.

Summary

By inventorying assets and data, analyzing risks, validating safeguards, and executing a disciplined risk management plan, you create a defensible posture for protecting electronic Protected Health Information. Strong training, monitoring, vendor oversight, and thorough records prove ongoing compliance and make improvements sustainable.

FAQs.

What is the purpose of a security risk assessment under HIPAA?

Its purpose is to identify how your IT systems create, receive, maintain, or transmit electronic Protected Health Information, determine the risks to that data’s confidentiality, integrity, and availability, and select appropriate administrative safeguards, physical safeguards, and technical safeguards to reduce those risks to a reasonable and appropriate level.

How often should risk assessments be conducted for IT systems?

You should perform a comprehensive assessment at least annually or whenever significant changes occur—such as new systems, major upgrades, migrations to cloud services, or mergers—and update the analysis whenever new threats or vulnerabilities materially affect risk.

What are the key components of an effective incident response plan?

Key components include defined roles and contacts; clear severity criteria and triage procedures; technical playbooks for common scenarios; coordinated containment, eradication, and recovery steps; communication and potential notification workflows aligned to HIPAA compliance requirements; and a lessons-learned process that feeds improvements back into controls and training.

How do business associates impact HIPAA security risk management?

Business associates can introduce additional attack surface and compliance exposure because they may handle your ePHI. Effective management requires executed business associate agreements, documented data flows and minimum necessary access, due diligence on their security controls, ongoing oversight of obligations and incidents, and defined exit processes for data return or destruction.