HIPAA Risk Assessment Guide: Required Steps for 2026

A HIPAA risk assessment is the single most important compliance requirement that healthcare organizations get wrong. The HHS Office for Civil Rights (OCR) cites inadequate HIPAA risk assessment processes in over 80% of enforcement settlement agreements. Fines can reach $2.13 million per violation category per year.

Organizations that invest in a thorough HIPAA risk assessment spend less on breach remediation. Those that cut corners pay for it through OCR enforcement actions. This guide covers what the HIPAA Security Rule requires for your risk assessment, how to execute each step, and how to avoid the common HIPAA risk assessment mistakes that trigger penalties.

What HIPAA Requires for Risk Assessment

The HIPAA Security Rule, codified at 45 CFR 164.308(a)(1)(ii)(A), requires covered entities and business associates to "conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate."

This is not optional. Unlike many Security Rule safeguards that are classified as "addressable" (meaning you can implement alternative measures if justified), the risk analysis requirement is a required implementation specification. There is no alternative. You must do it.

OCR has consistently pointed to the NIST Special Publication 800-30 (Guide for Conducting Risk Assessments) as the recommended methodology for HIPAA risk analysis. While HIPAA does not mandate a specific framework, aligning your process with NIST's cybersecurity standards gives you a defensible approach if OCR ever comes knocking.

The Security Rule also contains a related but distinct requirement at 45 CFR 164.308(a)(1)(ii)(B): risk management. The risk assessment identifies and prioritizes risks. Risk management is what you do about them. Both are required, and they must work together.

📝 Note
The proposed HIPAA Security Rule update published in January 2025 (NPRM) would eliminate the "addressable" vs. "required" distinction entirely, making all safeguards mandatory with limited exceptions. If finalized, this makes your risk assessment even more critical, because every identified gap will require a concrete remediation plan.

The Risk Assessment Process: Step by Step

There is no single correct way to conduct a HIPAA risk assessment, but OCR's published guidance outlines nine essential elements. Missing any one of them can result in your assessment being deemed "insufficient" during an investigation.

1. Define the scope. Your assessment must cover every system, application, and data flow that creates, receives, maintains, or transmits ePHI. Not just your EHR. Everything.

2. Identify where ePHI lives. This requires a thorough data inventory, including data at rest, in transit, and in temporary storage locations you might not expect (think: fax servers, voicemail systems, backup tapes).

3. Identify threats. Consider both external threats (ransomware, nation-state actors, phishing) and internal threats (employee negligence, insider theft, misconfigured systems).

4. Identify vulnerabilities. These are weaknesses in your systems, processes, or training that a threat could exploit.

5. Assess current controls. Document what safeguards you already have in place and evaluate their effectiveness.

6. Determine likelihood. For each threat-vulnerability combination, estimate the probability that the threat will exploit the vulnerability.

7. Determine impact. Assess what would happen if the exploitation occurred, including financial harm, reputational damage, and harm to patients.

8. Assign risk levels. Combine likelihood and impact to produce a risk rating for each identified risk.

9. Document everything. The results, the methodology, the decisions. All of it.

If your organization handles complex compliance requirements, a structured compliance checklist can help make sure nothing falls through the cracks.

HIPAA Risk Assessment Scope and Asset Inventory

Getting the scope right is where most HIPAA risk assessments fail before they even start. A 2024 OCR enforcement action against a mid-size health plan resulted in a $1.3 million settlement partly because the organization's risk assessment excluded several systems that processed ePHI, including a legacy claims platform and a cloud-based analytics tool.

Your asset inventory should cover:

  • Electronic health record systems and all connected modules
  • Cloud services including IaaS, PaaS, and SaaS platforms (if you use SaaS products that handle PHI, review your obligations under HIPAA compliance for SaaS environments)
  • Medical devices that store or transmit patient data
  • Mobile devices including phones, tablets, and laptops used by workforce members
  • Communication systems such as email, messaging platforms, and telehealth tools
  • Data backup and disaster recovery systems
  • Business associate systems that receive ePHI from your organization

Create a data flow diagram showing how ePHI moves between these systems. This exercise alone often reveals risks that organizations did not know existed, such as unencrypted data transfers between internal systems or ePHI stored in unapproved locations.

For organizations with more than a handful of systems, tracking all of this manually becomes unsustainable. Many compliance teams use GRC software platforms to maintain a living asset inventory and automate portions of the risk assessment workflow.

Identifying Threats and Vulnerabilities

The threat landscape for healthcare has shifted significantly over the past three years. The HHS Health Sector Cybersecurity Coordination Center (HC3) reported that ransomware attacks against healthcare organizations increased 128% between 2022 and 2025, with the average breach cost reaching $10.93 million per incident according to IBM's Cost of a Data Breach Report.

When identifying threats, work from established threat catalogs rather than guessing. NIST SP 800-30 Appendix D provides a comprehensive threat source list. Common categories for healthcare include:

  • Adversarial threats: Ransomware operators, hacktivists, disgruntled employees, nation-state actors
  • Accidental threats: Staff sending ePHI to the wrong recipient, misconfigured access controls, lost devices
  • Environmental threats: Power outages, natural disasters, HVAC failures in server rooms
  • Structural threats: Hardware failures, software bugs, network outages

For each threat, map it against your vulnerabilities. A vulnerability is a weakness that a threat could exploit. Examples include:

  • Servers running unpatched operating systems
  • Workforce members who have not completed security training
  • Lack of multi-factor authentication on remote access systems
  • Missing or incomplete audit logging
  • Business associate agreements that lack required security provisions

⚠ Warning
Do not limit your vulnerability identification to technical scanning. OCR has repeatedly emphasized that administrative and physical vulnerabilities matter just as much. An organization with perfect network segmentation but no workforce training program still has a significant gap.

Risk Rating and Prioritization

Once you have identified your threat-vulnerability pairs, you need to assign a risk level to each one. The standard approach uses a matrix that combines likelihood and impact.

Likelihood scale (example):

| Rating | Description |
|--------|-------------|
| High | Threat source is highly motivated and capable, controls are ineffective |
| Medium | Threat source is motivated, controls exist but have gaps |
| Low | Threat source lacks motivation or capability, controls are strong |

Impact scale (example):

| Rating | Description |
|--------|-------------|
| High | Breach of 500+ records, significant financial/reputational harm |
| Medium | Breach of limited records, moderate financial impact |
| Low | Minimal or no actual exposure of ePHI |

Your risk level is the combination of both. A high-likelihood, high-impact risk demands immediate attention. A low-likelihood, low-impact risk can be monitored but may not require urgent remediation.

Prioritize your risk treatment plan based on these ratings. You have four standard options for each identified risk:

  1. Mitigate the risk by implementing additional controls
  2. Transfer the risk through insurance or contractual arrangements
  3. Accept the risk with documented justification from management
  4. Avoid the risk by eliminating the activity that creates it

Every decision must be documented with rationale. OCR does not expect zero risk. They expect informed, documented decisions about how you handle risk.
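The rating matrix and the four treatment options above, as an added Python example that is not part of the original article: a small risk register that assigns a level to each threat-vulnerability pair, orders the register for prioritization, and refuses to record a treatment decision without a rationale (or, for "accept", without a named management approver). The 3x3 matrix mapping, the field names and the sample entries are assumptions made for the example.

```python
from dataclasses import dataclass

LEVELS = {"Low": 1, "Medium": 2, "High": 3}
TREATMENTS = {"mitigate", "transfer", "accept", "avoid"}

def risk_level(likelihood: str, impact: str) -> str:
    """Combine the two ratings. Assumed 3x3 matrix (the article shows only the
    extremes): product of the 1-3 scores, 6-9 -> High, 3-4 -> Medium, 1-2 -> Low."""
    score = LEVELS[likelihood] * LEVELS[impact]
    return "High" if score >= 6 else "Medium" if score >= 3 else "Low"

@dataclass
class RiskEntry:  # one threat-vulnerability pair in the register
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    owner: str
    treatment: str = ""
    rationale: str = ""
    approved_by: str = ""

    @property
    def level(self) -> str:
        return risk_level(self.likelihood, self.impact)

def record_decision(entry, treatment, rationale, approved_by=""):
    """Refuse undocumented decisions; 'accept' also needs a management approver."""
    if treatment not in TREATMENTS:
        raise ValueError(f"unknown treatment option: {treatment}")
    if not rationale.strip():
        raise ValueError("treatment decision requires a documented rationale")
    if treatment == "accept" and not approved_by.strip():
        raise ValueError("accepting a risk requires documented management approval")
    entry.treatment, entry.rationale, entry.approved_by = treatment, rationale, approved_by

def prioritize(register):
    """Highest risk level first; ties broken by impact, then likelihood."""
    key = lambda e: (LEVELS[e.level], LEVELS[e.impact], LEVELS[e.likelihood])
    return sorted(register, key=key, reverse=True)

# Constructed sample entries for illustration, not real findings
REGISTER = [
    RiskEntry("Remote access VPN", "Ransomware operator", "No MFA on remote access", "High", "High", "IT Director"),
    RiskEntry("Fax server", "Accidental disclosure", "Unencrypted stored faxes", "Medium", "Medium", "Privacy Officer"),
    RiskEntry("Server room", "HVAC failure", "No temperature alarm", "Low", "Medium", "Facilities Manager"),
]
```

Entries whose `treatment` is still empty after review are the findings that were identified but never acted on.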

Documentation Requirements

HIPAA does not prescribe a specific format for risk assessment documentation, but it does require that the assessment be "accurate and thorough." In practice, OCR expects to see the following when they investigate:

  • Methodology description. Explain what framework you used, how you identified threats and vulnerabilities, and how you calculated risk levels.
  • Asset inventory. A complete list of systems and data flows in scope.
  • Threat and vulnerability catalog. Every identified threat-vulnerability pair with its associated risk rating.
  • Risk register. A centralized record of all identified risks, their ratings, assigned owners, and remediation plans.
  • Management sign-off. Evidence that organizational leadership reviewed and approved the risk assessment findings.
  • Remediation tracking. Proof that you acted on the findings, not just filed them away.

Retain all risk assessment documentation for a minimum of six years from the date of creation or the date it was last in effect, whichever is later. This retention requirement comes directly from 45 CFR 164.530(j).

The consequences of poor documentation are real. OCR has imposed penalties exceeding $5 million in cases where organizations could not produce adequate risk assessment records. Review the full breakdown of potential consequences in our guide to HIPAA violation penalties and fines.

Common HIPAA Risk Assessment Mistakes

After reviewing hundreds of HIPAA risk assessment reports across different organizations, these are the mistakes I see most often:

Treating it as a one-time event. The Security Rule requires an ongoing process. OCR's guidance states that risk assessments should be updated "regularly," and most experts recommend at minimum an annual comprehensive review with updates whenever significant changes occur (new systems, mergers, major incidents).

Confusing a vulnerability scan with a risk assessment. Running Nessus or Qualys against your network is useful, but it is not a risk assessment. A vulnerability scan identifies technical weaknesses. A risk assessment evaluates threats, vulnerabilities, likelihood, impact, and existing controls across administrative, physical, and technical domains.

Excluding business associates. Your risk assessment must account for risks introduced by your business associates. If a vendor stores your ePHI in a cloud environment with weak controls, that is your risk too.

Using generic templates without customization. Off-the-shelf risk assessment templates can be helpful starting points, but submitting one without tailoring it to your specific environment signals to OCR that you did not actually perform the analysis.

Failing to involve the right people. A risk assessment done entirely by IT misses clinical workflow risks. One done entirely by compliance misses technical vulnerabilities. You need input from IT, clinical staff, privacy officers, facilities management, and executive leadership.

Not acting on findings. Identifying 47 high risks and then doing nothing about them is arguably worse than not conducting the assessment at all. It proves you knew about the risks and chose to ignore them.

Tools and Resources

Several tools and frameworks can support your HIPAA risk assessment process:

HHS Security Risk Assessment Tool (SRA Tool). Developed by the Office of the National Coordinator for Health IT (ONC) and OCR, this free tool walks small and medium-sized organizations through the risk assessment process. It is available at healthit.gov. While limited in scalability, it is a solid starting point for smaller practices.

NIST SP 800-30 Rev. 1. The gold standard methodology for risk assessments. Free to download from NIST's website and directly referenced by OCR as an acceptable approach.

NIST Cybersecurity Framework (CSF) 2.0. Provides a broader security program structure that incorporates risk assessment as a core function. Useful for organizations that want to align HIPAA compliance with a comprehensive security program.

GRC platforms. For organizations managing risk assessments across multiple locations or business units, dedicated governance, risk, and compliance software automates much of the data collection, risk scoring, and reporting workflow.

💡 Pro Tip
If you are starting from scratch, begin with the HHS SRA Tool to understand the structure and requirements. Once you outgrow it, migrate to a GRC platform that can handle ongoing risk management, automated evidence collection, and integration with your existing security tools.

Penetration testing and vulnerability scanning tools. While not substitutes for a risk assessment, tools like Nessus, Qualys, and Rapid7 provide valuable input data for the technical vulnerability identification step.

Frequently Asked Questions

How often should a HIPAA risk assessment be performed?

The Security Rule does not specify a fixed frequency, but OCR's guidance makes clear that risk analysis is an "ongoing process." Best practice is to conduct a comprehensive assessment annually and update it whenever your environment changes significantly. This includes adding new systems, onboarding new business associates, experiencing a security incident, or undergoing organizational changes like mergers or relocations. The proposed 2025 NPRM would formalize an annual requirement if finalized.

Can we use the free HHS SRA Tool for our risk assessment?

Yes, but with limitations. The HHS SRA Tool is designed for small to mid-size healthcare practices and covers the core requirements of the Security Rule. However, it does not scale well for large organizations with complex environments, multiple locations, or extensive business associate networks. It also does not provide the ongoing risk management and tracking capabilities that larger organizations need.

Does a HIPAA risk assessment require a third-party assessor?

No. HIPAA does not require you to hire an external firm. You can conduct the assessment internally if you have qualified staff. That said, there are practical advantages to using an external assessor: they bring objectivity, specialized expertise, and findings that carry more weight if OCR investigates. Many organizations alternate between internal and external assessments, conducting internal reviews annually with an external assessment every two to three years.

What is the difference between a risk assessment and a gap analysis?

A gap analysis compares your current security posture against a set of requirements (like the HIPAA Security Rule safeguards) and identifies where you fall short. A risk assessment goes further by evaluating threats, vulnerabilities, likelihood, and impact to produce risk ratings that drive prioritization. Think of a gap analysis as asking "What are we missing?" and a risk assessment as asking "What could go wrong, how likely is it, and how bad would it be?" Both are valuable, but only the risk assessment satisfies the Security Rule requirement.

What happens if we do not conduct a risk assessment?

Failure to conduct an adequate risk assessment exposes your organization to OCR enforcement actions, which can result in corrective action plans and civil monetary penalties ranging from $141 to $2,134,831 per violation (2025 adjusted amounts). Beyond regulatory penalties, the absence of a risk assessment means you are operating without a clear understanding of where your PHI is most vulnerable, making a data breach more likely and more damaging when it occurs.

James Mitchell
Author
James Mitchell covers topics in this category and related fields. Views expressed are editorial and based on research and experience.