Annual HIPAA Security Risk Assessment
Step-by-step workflow for conducting the HIPAA-required security risk assessment. Covers all ePHI systems, threat identification, vulnerability analysis, risk calculation, and mitigation planning. Based on 45 C.F.R. § 164.308(a)(1)(ii)(A).
The #1 HIPAA Audit Finding
Failure to conduct a comprehensive, organization-wide risk assessment is consistently the most common finding in OCR enforcement actions. In the 2016-2017 HIPAA audit program, the majority of covered entities either had no risk assessment or had one that was insufficient in scope. OCR has imposed penalties exceeding $1 million specifically for risk assessment failures. This is not optional. This is the foundation of your entire HIPAA security program.
What Auditors Look For
Must Have
Written risk assessment document (not just a checklist)
Coverage of ALL ePHI, not just the EHR system
Identified threats AND vulnerabilities (both required)
Likelihood and impact ratings with documented rationale
Risk management plan with specific mitigation actions
Evidence of implementation (not just a plan)
Annual cadence (or more frequent if significant changes occur)
Retention for at least 6 years
Common Failures
Using a simple checklist instead of a true risk analysis
Limiting scope to the EHR or a single system
No documentation of the methodology used
Identifying risks but never creating a mitigation plan
Assessment performed once and never updated
No involvement of leadership in risk acceptance decisions
Confusing a HIPAA risk assessment with a general IT security audit
Relying solely on a vendor tool without organizational context
Step 1: Define Scope (All ePHI Systems)
Identify every system that creates, receives, maintains, or transmits electronic PHI (ePHI)
Include EHR systems, practice management software, patient portals, billing platforms, and lab interfaces
Include mobile devices, laptops, tablets, and removable media (USB drives, backup tapes) used by workforce
Map cloud services: hosting providers, SaaS applications, email, file sharing, and backup services that contain ePHI
Document data flows: how ePHI moves between systems, between departments, and between your organization and business associates
Include biomedical devices and IoT equipment connected to your network (infusion pumps, imaging systems, monitoring devices)
Inventory physical locations where ePHI is stored or accessed (server rooms, offices, remote work locations)
Compliance tip: The scope must cover all ePHI, not just the EHR. Organizations frequently overlook email, text messages, spreadsheets, scanned documents, voicemail systems, and fax servers. If it contains ePHI in electronic form, it is in scope.
Step 2: Identify Threats and Vulnerabilities
Natural threats: fire, flood, earthquake, tornado, power outage, water damage
Human threats (intentional): hacking, phishing, ransomware, insider theft, social engineering, unauthorized access
Human threats (unintentional): accidental deletion, misdirected email or fax, lost devices, misconfigured systems, improper disposal
Technical vulnerabilities: unpatched software, weak passwords, lack of encryption, unsecured wireless networks, default configurations
Administrative vulnerabilities: missing or outdated policies, insufficient training, no access reviews, lack of audit logging
Physical vulnerabilities: unlocked server rooms, unattended workstations, no visitor controls, shared spaces without privacy screens
Review prior incidents, near-misses, and audit findings for recurring threat patterns
Consult HHS cybersecurity resources, CISA alerts, and FBI healthcare threat briefings for current threat intelligence
Compliance tip: Use a structured threat catalog. NIST SP 800-30 provides a comprehensive threat source and event taxonomy. Do not try to brainstorm threats from scratch. OCR expects a systematic, repeatable methodology.
Step 3: Assess Current Security Measures
Administrative safeguards: security management process, assigned security responsibility, workforce training, access management, contingency plan, evaluation
Physical safeguards: facility access controls, workstation use and security, device and media controls
Technical safeguards: access control (unique user ID, emergency access, auto-logoff, encryption), audit controls, integrity controls, transmission security
Document which safeguards are fully implemented, partially implemented, or not implemented for each system in scope
Test controls where possible: attempt unauthorized access, verify encryption is active, confirm audit logs are recording, test backup restoration
Review business associate safeguards: request SOC 2 reports, HITRUST certifications, or security questionnaire responses
Compliance tip: Do not just check boxes. Verify that controls actually work. An encryption policy is worthless if encryption is not turned on. An access review policy is worthless if reviews have not been conducted. OCR asks for evidence, not documentation alone.
Step 4: Determine Likelihood and Impact
For each threat-vulnerability pair, rate the likelihood of occurrence: High, Medium, or Low
Consider the threat source motivation and capability (for intentional threats)
Consider the nature of the vulnerability and effectiveness of current controls
For each threat-vulnerability pair, rate the potential impact: High, Medium, or Low
Impact factors: number of individuals affected, sensitivity of the ePHI involved, financial cost, operational disruption, reputational harm
Consider both the impact of a single incident and the impact of a sustained or repeated attack
Document the reasoning behind each likelihood and impact rating. 'Professional judgment' is not sufficient.
Compliance tip: Use a consistent rating scale with defined criteria. For example: High likelihood means the threat source is highly motivated and capable, and controls are ineffective. Document why you assigned each rating. Auditors will challenge ratings that appear arbitrary.
Step 5: Calculate Risk Levels
Combine likelihood and impact ratings into an overall risk level for each threat-vulnerability pair
Use a risk matrix: High likelihood + High impact = Critical. High + Medium = High. Medium + Medium = Medium. Low + Low = Low.
Rank all identified risks from highest to lowest
Identify which risks exceed your organization's risk tolerance and require immediate mitigation
Categorize risks: those requiring new controls, those requiring upgraded controls, those acceptable at current levels
Present the risk register to organizational leadership for review and acceptance decisions
Compliance tip: Risk acceptance is a valid outcome, but it must be a conscious, documented decision by someone with authority. If leadership accepts a high risk, document who accepted it, when, and why. OCR wants to see that risks were evaluated and addressed, not ignored.
Step 6: Document and Implement Mitigation Plan
Create a written risk management plan that addresses every risk above your tolerance threshold
For each risk: define the mitigation action, responsible person, target completion date, and success criteria
Prioritize by risk level: critical and high risks first, then medium risks
Assign budget and resources. Risk mitigation without budget allocation is a plan on paper only.
Track implementation progress and report to leadership at defined intervals (monthly or quarterly)
Re-assess residual risk after controls are implemented to verify they reduced risk to acceptable levels
Retain all risk assessment documentation for a minimum of 6 years per 45 C.F.R. § 164.530(j)
Schedule the next annual risk assessment. The requirement is ongoing, not one-time.
Compliance tip: The risk assessment itself is only half the requirement. Section 164.308(a)(1)(ii)(B) requires you to implement security measures sufficient to reduce risks to a reasonable and appropriate level. An assessment without a mitigation plan is incomplete and will not satisfy OCR.
Risk Level Matrix
Combine likelihood and impact to determine overall risk level. This matrix follows the NIST SP 800-30 methodology recommended by HHS.
| Likelihood / Impact | Low Impact | Medium Impact | High Impact |
|---|---|---|---|
| High Likelihood | Medium | High | Critical |
| Medium Likelihood | Low | Medium | High |
| Low Likelihood | Low | Low | Medium |
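As an added example (not part of this page), a small Python risk register that applies Steps 4 to 6 and the matrix above: it combines each pair's ratings through the matrix, ranks the pairs, and flags the rows an auditor would question (no documented rationale, or a risk above tolerance with neither a complete mitigation plan nor a documented acceptance). The RiskItem fields, the default tolerance and the sample rows are constructed assumptions, not values from the page.

```python
from dataclasses import dataclass

# Risk matrix exactly as given on this page: RISK_MATRIX[likelihood][impact]
RISK_MATRIX = {
    "High":   {"Low": "Medium", "Medium": "High",   "High": "Critical"},
    "Medium": {"Low": "Low",    "Medium": "Medium", "High": "High"},
    "Low":    {"Low": "Low",    "Medium": "Low",    "High": "Medium"},
}
RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}
EMPTY_RATIONALE = {"", "professional judgment", "n/a", "tbd"}  # counts as no rationale

@dataclass
class RiskItem:                 # one threat-vulnerability pair (field names are constructed)
    system: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    rationale: str = ""         # why the two ratings were assigned (required)
    mitigation: str = ""        # action + owner + due date make up the mitigation plan
    owner: str = ""
    due: str = ""
    accepted_by: str = ""       # leader who formally accepted the risk, if any

def risk_level(likelihood: str, impact: str) -> str:
    """Combine the two ratings via the matrix; reject values off the defined scale."""
    if likelihood not in RISK_MATRIX or impact not in RISK_MATRIX:
        raise ValueError(f"ratings must be Low/Medium/High, got {likelihood}/{impact}")
    return RISK_MATRIX[likelihood][impact]

def build_register(items, tolerance: str = "Medium"):
    """Return (system, threat, level, gaps) rows ranked highest risk first."""
    rows = []
    for it in items:
        level = risk_level(it.likelihood, it.impact)
        gaps = []               # what an auditor would flag for this row
        if it.rationale.strip().lower() in EMPTY_RATIONALE:
            gaps.append("no documented rationale")
        if RANK[level] > RANK[tolerance]:
            has_plan = all((it.mitigation, it.owner, it.due))
            if not has_plan and not it.accepted_by:
                gaps.append("above tolerance with no mitigation plan or acceptance")
        rows.append((it.system, it.threat, level, gaps))
    return sorted(rows, key=lambda r: RANK[r[2]], reverse=True)
# Constructed sample register for a fictional clinic (not real findings)
SAMPLE = [
    RiskItem("Patient portal", "Phishing", "No MFA", "High", "High", "Repeated phishing; controls weak", "Enable MFA", "IT lead", "2024-09-30"),
    RiskItem("Laptops", "Lost device", "No disk encryption", "Medium", "High", "professional judgment"),
    RiskItem("Fax server", "Misdirected fax", "No confirmation step", "Medium", "Low", "Two misdirections last year"),
]
```

Running build_register(SAMPLE) ranks the portal risk as Critical with no gaps, flags the laptop risk for both a missing rationale and a missing plan, and leaves the Low fax risk unflagged.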