How to Conduct a HIPAA Security Rule Risk Assessment
- Apr 21
In 2025 alone, the healthcare sector has reported over 311 data breaches, affecting more than 23 million individuals. Nearly 80% of these incidents were caused by hacking and IT-related attacks - many of them preventable.
This is precisely why the HIPAA Security Rule mandates regular risk assessments. Required under §164.308(a)(1), the process helps organizations identify vulnerabilities in how they store, access, and protect electronic protected health information (ePHI).
The HIPAA Security Rule is not a checkbox. It is the foundation of every effective healthcare security program.
With the 2025 HIPAA Security Rule updates introducing stricter safeguards and faster response expectations, covered entities and business associates must act now. A documented, repeatable, and regularly reviewed risk assessment reduces breach exposure, strengthens compliance, and supports long-term security readiness.
This guide walks you through completing a HIPAA Security Rule risk assessment using proven methodologies and the right compliance tools - whether you're building a new program or scaling an existing one.
Key Takeaways
HIPAA risk assessments are systematic processes to identify potential risks to the confidentiality, integrity, and availability of electronic protected health information (ePHI).
HIPAA risk assessments help organizations comply with federal regulations, prevent data breaches, and mitigate security vulnerabilities.
Regular assessments build patient trust, reduce liability, and protect organizational reputation.
The process involves identifying assets, evaluating threats, and implementing strategies to mitigate risks.
Organizations often struggle with resource limitations, lack of expertise, and evolving cybersecurity threats.
A robust HIPAA security risk assessment checklist can streamline the process and ensure compliance.
What is a HIPAA Security Rule Risk Assessment?
A HIPAA Security Rule risk assessment is a required process for identifying and evaluating risks to the confidentiality, integrity, and availability of electronic protected health information (ePHI). It helps organizations understand where their safeguards fall short, assess the likelihood and impact of potential threats, and prioritize mitigation efforts that reduce breach exposure and support compliance under §164.308(a)(1).
Using a Risk Assessment Methodology
Risk assessments should follow a proven methodology. The most widely accepted approach is NIST SP 800-30, which guides organizations to:
Identify threats and vulnerabilities
Assess the likelihood and impact of each risk
Score and prioritize risks across systems, business units, and third-party vendors
Document and recommend appropriate mitigation actions
NIST SP 800-30 provides the how - but not the what. To complete the process, organizations must also select a controls framework that defines the specific security requirements they're measuring against.
Selecting the Right Controls Framework
HIPAA does not mandate a specific controls framework. Instead, it requires a tailored, justifiable approach based on your organization's size, risk profile, and regulatory exposure.
If you're starting from scratch:
NIST SP 800-66r2 is the official HIPAA Security Rule implementation guide, mapping requirements to actionable safeguards.
The HHS/ONC Security Risk Assessment (SRA) Tool is a free, guided option designed for small to mid-sized healthcare organizations.
If you're managing a broader cybersecurity program:
NIST SP 800-53 provides a comprehensive federal controls set suited to complex environments.
The NIST Cybersecurity Framework (CSF) offers a high-level, risk-aligned structure used across industries.
HITRUST CSF integrates HIPAA, NIST, ISO, and other standards into a certifiable control set commonly used in vendor risk programs.
Whichever framework you choose, crosswalk back to NIST SP 800-66r2 to confirm alignment with HIPAA-specific requirements.
Summary of Control Frameworks
| Framework | Purpose |
|---|---|
| NIST SP 800-66r2 | Official HIPAA Security Rule implementation guidance |
| HIPAA SRA Tool | HHS-provided tool for small to mid-sized HIPAA risk assessments |
| HITRUST CSF | Commercial framework integrating HIPAA, NIST, ISO, and more |
| NIST SP 800-53 | Detailed federal control catalog for high-assurance environments |
| NIST Cybersecurity Framework (CSF) | Strategic framework for managing cybersecurity risk across industries |
What Are the 2025 HIPAA Security Rule Updates?
The 2025 HIPAA Security Rule updates mark a significant shift - moving from flexible "addressable" safeguards to mandatory, standardized cybersecurity requirements. These changes align with the HHS Cybersecurity Performance Goals and introduce stricter expectations around ePHI system inventory, multi-factor authentication (MFA), patch management, and third-party oversight.
How to Conduct a HIPAA Security Rule Risk Assessment: Step by Step
Step 1: Identify and Scope All ePHI Systems
The foundation of any HIPAA Security Rule risk assessment is a clear understanding of where ePHI lives, moves, and is accessed across your organization.
Inventory all systems - applications, devices, and third-party services that create, receive, maintain, or transmit ePHI. This includes cloud platforms, on-premise infrastructure, medical devices, mobile apps, and legacy systems.
Map data flows to document how ePHI moves between departments, systems, and external partners. Don't overlook shadow IT or unmanaged endpoints.
Catalog all vendors and business associates involved in handling ePHI - including SaaS tools, billing processors, and IT service providers.
Step 2: Assess Current Controls and Identify Gaps
Once your ePHI environment is defined, evaluate whether your current safeguards meet HIPAA Security Rule requirements - covering administrative, physical, and technical controls as outlined in 45 CFR §§ 164.308, 164.310, and 164.312.
Select a controls framework - such as NIST SP 800-66r2, HITRUST CSF, or the HIPAA SRA Tool - to evaluate your program against recognized standards.
Use structured assessment methods - questionnaires, stakeholder interviews, system owner surveys, and documentation reviews - to gauge control effectiveness.
Apply a maturity model where possible to evaluate not just whether a control exists, but how well it is documented, implemented, and measured.
Collect supporting evidence - policies, configurations, training records, access logs, and screenshots - to validate each control.
Review third-party safeguards by examining vendor contracts, certifications, and past assessments.
Step 3: Analyze, Prioritize, and Document Risks
Once control gaps and vulnerabilities are identified, translate them into formal risk statements and log them in a centralized risk register.
Apply a risk analysis methodology - such as NIST SP 800-30 - to evaluate each risk consistently.
Assess likelihood and impact - determine how probable it is that a threat exploits a given vulnerability, and what the resulting impact on ePHI would be.
Score each risk using a standardized model and assign a qualitative rating - high, medium, or low.
Document each risk in a register, capturing the affected systems, threat source, control gap, risk owner, and mitigation plan.
Prioritize remediation based on risk severity and your organization's risk tolerance.
Step 4: Implement and Track Mitigations
Once risks are prioritized, take action to reduce them to acceptable levels. Mitigation efforts should be risk-based, time-bound, and clearly documented.
Assign mitigation tasks to responsible owners or teams with defined deadlines.
Implement the appropriate safeguards - technical, administrative, or physical - based on the nature of each risk. Common examples include multi-factor authentication (MFA), encryption, patch management, policy updates, and staff training.
Validate effectiveness through testing, evidence collection, or independent review - not just task completion.
Update the risk register to reflect current status, completed actions, and any residual risk.
Step 5: Validate, Review, and Maintain Documentation
HIPAA risk management is not a one-time exercise. Organizations must review their risk posture regularly and ensure documentation remains accurate, complete, and audit-ready.
Validate that implemented safeguards are working as intended - conduct follow-up testing or independent reviews where needed, not just at assessment time.
Review and update your risk assessment at least annually, or whenever significant changes occur - new systems, breaches, mergers, or vendor onboarding.
Test your incident response and contingency plans to confirm they meet current HIPAA expectations and reflect your actual environment.
Retain all risk analysis, mitigation, and training documentation for a minimum of six years, as required under the HIPAA records retention standard.
Keep records organized and audit-ready - with clearly assigned owners, version history, and up-to-date status tracking.
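To make Steps 3 to 5 concrete, the following is an added Python example (not code from the article or from Plexteq) of a minimal risk register: it scores each risk as likelihood times impact on a three-level qualitative scale, assigns a high/medium/low rating, prioritizes the register, records a mitigation with its residual risk only as "mitigated" when effectiveness was validated, and computes the annual review and six-year retention dates. The three-level scales, the rating thresholds, and the sample findings are assumptions constructed for illustration; NIST SP 800-30 leaves the exact scale to the organization.

```python
"""Minimal HIPAA-style risk register: score, prioritize, and track mitigations.

Added example, not part of the original article. Scales, thresholds, and the
sample findings below are constructed assumptions, not prescribed values.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Assumed 3-level qualitative scale used for both likelihood and impact.
LEVELS = {"low": 1, "medium": 2, "high": 3}


def score_risk(likelihood: str, impact: str) -> int:
    """Risk score = likelihood x impact on the assumed 1-3 scales (range 1-9)."""
    return LEVELS[likelihood] * LEVELS[impact]


def rate_risk(score: int) -> str:
    """Map a numeric score to a qualitative rating (thresholds are assumed)."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


@dataclass
class Risk:
    """One risk register entry with the fields the assessment calls for."""
    risk_id: str
    description: str
    affected_systems: List[str]
    threat_source: str
    control_gap: str
    likelihood: str
    impact: str
    owner: str
    mitigation_plan: str
    due: date
    status: str = "open"  # open | in_progress | mitigated | accepted
    residual_likelihood: Optional[str] = None
    residual_impact: Optional[str] = None

    @property
    def score(self) -> int:
        return score_risk(self.likelihood, self.impact)

    @property
    def rating(self) -> str:
        return rate_risk(self.score)

    @property
    def residual_rating(self) -> Optional[str]:
        """Rating after mitigation, or None until a mitigation is recorded."""
        if self.residual_likelihood is None or self.residual_impact is None:
            return None
        return rate_risk(score_risk(self.residual_likelihood, self.residual_impact))


def prioritize(register: List[Risk]) -> List[Risk]:
    """Highest inherent score first; ties broken by the earliest due date."""
    return sorted(register, key=lambda r: (-r.score, r.due))


def record_mitigation(risk: Risk, residual_likelihood: str,
                      residual_impact: str, validated: bool) -> Risk:
    """Update residual risk; close only when effectiveness was validated."""
    risk.residual_likelihood = residual_likelihood
    risk.residual_impact = residual_impact
    risk.status = "mitigated" if validated else "in_progress"
    return risk


def _add_years(d: date, years: int) -> date:
    """Shift a date by whole years; Feb 29 falls back to Feb 28."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def review_schedule(assessed_on: date) -> dict:
    """Annual reassessment and six-year record retention from assessment date."""
    return {"next_review": _add_years(assessed_on, 1),
            "retain_until": _add_years(assessed_on, 6)}


# Constructed sample findings (hypothetical, for illustration only).
SAMPLE_REGISTER = [
    Risk("R-001", "Remote EHR access without MFA", ["EHR portal"],
         "External attacker (stolen credentials)", "MFA not enforced remotely",
         "high", "high", "IT Security", "Enforce MFA on VPN and EHR portal",
         date(2025, 6, 30)),
    Risk("R-002", "Unpatched imaging workstation", ["Radiology workstation"],
         "Malware", "No patch cadence for vendor-managed device",
         "medium", "high", "Biomed", "Vendor patch SLA; network segmentation",
         date(2025, 7, 31)),
    Risk("R-003", "Billing vendor lacks security review", ["Billing SaaS"],
         "Third party", "No vendor assessment on file",
         "low", "medium", "Compliance", "Obtain assurance report; update BAA",
         date(2025, 9, 30)),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(r.risk_id, r.score, r.rating, r.owner, r.due)
    print(review_schedule(date(2025, 4, 21)))
```

The register keeps inherent and residual ratings side by side, so the reviewer can see that a mitigation was validated (status "mitigated") rather than merely assigned, and the review schedule gives the dates that drive the annual reassessment and retention steps.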
HIPAA Security Risk Assessment Checklist
A HIPAA risk assessment checklist is not one-size-fits-all. Every organization must evaluate its own systems, workflows, and risk exposure against the specific requirements of the HIPAA Security Rule - there is no universal template that covers every environment.
That said, a well-structured checklist should consistently cover:
Scoping and ePHI system inventory
Current controls evaluation across administrative, physical, and technical safeguards
Threat and vulnerability identification
Likelihood and impact scoring for each risk
Risk register documentation with assigned owners and mitigation plans
Evidence collection and retention
Vendor and business associate oversight
Review and reassessment scheduling
The distinction between a risk assessment checklist and an audit checklist is worth noting. A risk assessment checklist guides your internal process - prompting you to identify, evaluate, and address gaps. An audit checklist reflects what an external auditor will look for - whether required controls are in place, documented, and demonstrably effective. Building your internal checklist with audit expectations in mind will reduce friction when a formal review occurs.
HIPAA Risk Assessment Template
There is no universal HIPAA risk assessment template - and that's by design. The HIPAA Security Rule requires organizations to tailor their assessments to their own environment, risk profile, and operational complexity. A template used by a 10-person clinic will look very different from one used by a regional health system or a multi-vendor business associate.
A practical risk assessment template should include the following components:
Scope definition - systems, locations, and business units covered
ePHI inventory - all systems, devices, and third parties that create, receive, maintain, or transmit ePHI
Threat and vulnerability log - identified risks with descriptions and sources
Likelihood and impact ratings - scored using a consistent methodology such as NIST SP 800-30
Risk register - centralized documentation of all risks, owners, and mitigation status
Controls mapping - current safeguards mapped against HIPAA requirements
Evidence log - supporting documentation linked to each control or finding
Review schedule - dates for reassessment and follow-up
Starting points worth using:
The HHS/ONC Security Risk Assessment (SRA) Tool is a free, structured option built specifically for HIPAA compliance - a practical starting point for smaller organizations or those building a program from scratch.
The NIST SP 800-66r2 implementation guide provides a more detailed framework for organizations that need to align HIPAA requirements with a broader cybersecurity program.
Use these resources to build a template that reflects your organization's actual environment - then layer in the workflows, ownership, and documentation practices needed to make it repeatable and audit-ready.
How Plexteq Can Help
Navigating HIPAA compliance tools and frameworks can be complex - especially when requirements vary by organization size, risk profile, and technical environment. Plexteq brings deep experience working with healthcare organizations across compliance programs, helping teams select, implement, and operationalize the right tools for their needs.
Whether you're building a risk assessment program from scratch or strengthening an existing one, Plexteq can help you move from complexity to clarity.
Frequently Asked Questions
What is the difference between a HIPAA Security Rule risk assessment and a HIPAA privacy assessment?
A HIPAA Security Rule risk assessment focuses on identifying risks to electronic protected health information (ePHI), addressing how it is stored, accessed, and protected. It deals with technical, physical, and administrative safeguards under 45 CFR Part 164 Subpart C.
A HIPAA privacy assessment, on the other hand, evaluates how protected health information (PHI) is used and disclosed under the Privacy Rule. It addresses policies, procedures, and workforce access related to patient rights, notice of privacy practices, and permissible disclosures.
How often should a HIPAA Security Rule risk assessment be conducted?
HIPAA requires risk assessments to be reviewed and updated regularly. A best practice is at least annually or when systems, vendors, or threats change. The 2025 updates emphasize an ongoing, living process - not a one-time task.
What systems must be included in a HIPAA risk assessment?
Any system that creates, receives, maintains, or transmits ePHI must be assessed. This includes EHRs, cloud platforms, mobile and medical devices, SaaS tools, backups, and third-party services. Shadow IT and legacy systems must also be considered.
How do HIPAA risk assessments apply to third-party vendors and business associates?
Covered entities must evaluate the security of business associates handling ePHI. This involves reviewing risk assessments, certifications, and contracts. The 2025 rule proposes formalizing third-party risk assessments as a requirement.
What evidence supports HIPAA risk assessment findings?
Evidence includes policies, screenshots, audit logs, access records, training documentation, incident response plans, encryption settings, and third-party attestations. Each safeguard should be supported with proof of effectiveness.
What are common HIPAA risk assessment mistakes?
Treating it as a one-time checklist
Not documenting scope, ownership, or evidence
Leaving out ePHI systems or vendors
Using generic templates not aligned with HIPAA
Skipping reassessments after changes
Failing to score or prioritize risks
Which cybersecurity frameworks support HIPAA compliance?
Frameworks like NIST SP 800-66r2, HITRUST CSF, and CIS Controls help organizations assess and implement safeguards for ePHI. They support structured, repeatable compliance processes.
Why is documentation important for HIPAA risk assessments?
Documentation proves compliance under §164.316. HIPAA requires keeping risk assessment records for six years. Clear, complete records show that risks are identified, addressed, and regularly reviewed.
