HIPAA Risk Assessment Checklist: 12 Areas Every Practice Must Evaluate

Why a HIPAA Risk Assessment Is Not Optional

The HIPAA Security Rule does not suggest that covered entities and business associates conduct a risk assessment. It requires it. Under 45 CFR § 164.308(a)(1), organizations that create, receive, maintain, or transmit electronic protected health information (ePHI) must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to that information. Failure to do so is one of the most frequently cited findings in HHS Office for Civil Rights (OCR) enforcement actions.

Yet in practice, many healthcare organizations treat the risk assessment as a one-time checkbox exercise rather than an ongoing, documented process. That approach leaves serious gaps — and serious liability. The checklist below is designed to give compliance managers and administrators a structured framework for evaluating all twelve critical domains that a defensible HIPAA risk assessment must address.

If your organization also needs broader support, our team provides Federal and SLED risk assessments and can assist healthcare organizations in building a rigorous, audit-ready risk program from the ground up.

The 12 Critical Areas of a HIPAA Risk Assessment

1. Scope and ePHI Inventory

Before you can assess risk, you must know exactly where ePHI lives. This means identifying every system, application, device, and data flow that touches protected health information — including cloud platforms, mobile devices, fax servers, backup systems, and third-party integrations. An incomplete inventory is the single most common reason a risk assessment fails under OCR scrutiny.

• Document all systems and media that store or transmit ePHI
• Map data flows across internal networks and to external vendors
• Identify ePHI in non-obvious locations such as email archives, EHR audit logs, and billing systems

2. Threat Identification

A valid HIPAA risk assessment requires identifying reasonably anticipated threats to ePHI confidentiality, integrity, and availability. These threats must be grounded in your specific operational environment, not copied from a generic template.

• Internal threats: employee error, unauthorized access, disgruntled insiders
• External threats: ransomware, phishing, third-party breaches
• Environmental threats: natural disasters, power failures, hardware failures

3. Vulnerability Assessment

Once threats are catalogued, you must evaluate existing vulnerabilities that could be exploited. This is where technical scanning tools, configuration reviews, and process audits converge. Unpatched systems, weak authentication practices, and misconfigured cloud storage are perennial findings in healthcare environments.

• Review patch management status across all ePHI-touching systems
• Evaluate authentication controls, including multi-factor authentication adoption
• Assess network segmentation and firewall configurations

4. Current Controls Evaluation

Document every administrative, physical, and technical safeguard currently in place. The goal is to determine whether existing controls adequately reduce identified risks to a reasonable and appropriate level. Controls that exist on paper but are not enforced in practice will not satisfy an OCR auditor.

• Review written policies and procedures for Security Rule compliance
• Verify that documented controls are actually implemented and enforced
• Assess effectiveness of current security awareness training

For organizations that need help building enforceable control frameworks, our Compliance Program Development service helps establish the policies, procedures, and accountability structures that hold up under audit.

5. Likelihood and Impact Analysis

Each identified risk must be assigned a likelihood rating and an impact rating. Multiplying these values produces a risk level — typically categorized as high, medium, or low — that drives prioritization of your remediation efforts. OCR expects this analysis to be explicit, defensible, and documented.

• Use a consistent, documented methodology for scoring likelihood and impact
• Apply ratings based on evidence, not intuition
• Ensure all high-risk findings are addressed in your remediation plan

6. Physical Safeguards Review

Physical security is frequently underweighted in HIPAA risk assessments. Workstations displaying ePHI, unlocked server rooms, and inadequate visitor controls are all citable violations. Every facility where ePHI is accessed or stored must be evaluated.

• Assess workstation use policies and physical positioning of screens
• Review access controls for server rooms, data closets, and records storage
• Evaluate visitor management procedures and facility security logs

7. Technical Safeguards Review

The Security Rule's technical safeguard requirements cover access control, audit controls, integrity controls, and transmission security. Each must be evaluated individually. This is also where endpoint security and encryption practices receive scrutiny.

• Verify unique user identification and automatic logoff configurations
• Review audit logging capabilities and log review procedures
• Confirm encryption of ePHI in transit and at rest

For a deeper look at protecting devices that access ePHI, our post on endpoint security fundamentals provides practical guidance applicable to healthcare environments.

8. Administrative Safeguards Review

Administrative safeguards form the backbone of your HIPAA compliance program. This domain covers security management, workforce training, access management, and contingency planning. It is also where most organizations have the most ground to cover.

• Confirm that a Security Officer has been designated and is actively functioning
• Review workforce training records for currency and completeness
• Evaluate the sanction policy for workforce members who violate security policies
• Assess the contingency plan, including data backup and disaster recovery procedures

9. Business Associate Management

Business associates are a significant and frequently exploited vector for healthcare data breaches. Your risk assessment must account for the ePHI that flows to and from every business associate — including cloud vendors, billing companies, IT service providers, and transcription services.

• Verify that current Business Associate Agreements (BAAs) are in place and contain all required provisions
• Assess the security posture of high-risk business associates
• Document the data flows between your organization and each business associate

Understanding how third-party risk compounds your overall exposure is essential. Our resource on the growing threat of data breaches examines how supply chain and vendor relationships create cascading risk.

10. Breach History and Incident Response Capability

Your organization's past incidents are data points that belong in your risk assessment. Prior breaches, near-misses, and security incidents reveal systemic vulnerabilities that may still be present. Equally important is evaluating whether your incident response plan is adequate to detect, contain, and report a breach within HIPAA's 60-day notification deadline.

• Review logs of prior security incidents and breaches, including small-scale events
• Evaluate the incident response plan for completeness and currency
• Confirm that breach notification procedures are documented and staff are trained on them

11. Data Loss Prevention and Information Controls

Healthcare organizations increasingly rely on email, cloud collaboration platforms, and mobile devices to access ePHI — all of which expand the attack surface. Data loss prevention (DLP) controls help detect and block unauthorized exfiltration of protected information before a breach occurs.

• Assess DLP capabilities across email, cloud storage, and endpoint environments
• Evaluate policies governing use of personal devices to access ePHI
• Review controls on printing, copying, and removable media use

For a detailed look at DLP strategy, our post on understanding data loss prevention covers the technical and policy dimensions that matter most in regulated environments.

12. Risk Remediation Planning and Documentation

A risk assessment without a remediation plan is a compliance dead end. OCR expects organizations to implement security measures sufficient to reduce identified risks to reasonable and appropriate levels. Every high and medium risk finding must be assigned an owner, a remediation action, and a target completion date. This plan must be documented and updated regularly.

• Develop a formal risk remediation plan with prioritized action items
• Assign ownership and deadlines for each remediation task
• Document risk acceptance decisions for any risks that cannot be immediately remediated
• Establish a schedule for reassessing risks at least annually or following significant operational changes

Common HIPAA Risk Assessment Failures to Avoid

In working with healthcare organizations across practice sizes, we consistently observe the same failure patterns. Awareness of these pitfalls helps compliance managers avoid the most costly mistakes before OCR arrives at the door.

1. Treating the risk assessment as a one-time project. HIPAA requires ongoing, periodic reassessment. New systems, new vendors, and new threat landscapes all trigger the need for updated analysis.
2. Using a generic template without customizing it to your environment. OCR reviewers can identify boilerplate assessments quickly. Your documentation must reflect your actual systems, threats, and operational context.
3. Failing to document your methodology. The risk assessment must be reproducible and defensible. If you cannot explain how you arrived at your risk ratings, the assessment will not survive scrutiny.
4. Excluding non-electronic PHI considerations. While the Security Rule governs ePHI, a comprehensive risk posture must account for paper records, verbal disclosures, and other PHI formats addressed under the Privacy Rule.
5. Ignoring the remediation follow-through. An assessment that identifies risks but produces no documented remediation activity is arguably worse than no assessment at all — it demonstrates awareness without action.

Supporting Your Risk Assessment with the Right Resources

For healthcare administrators who need a structured starting point, our HIPAA Privacy and Security Compliance guide for healthcare administrators provides a practical, role-specific resource that complements a formal risk assessment engagement. Organizations that need a complete, ready-to-use documentation framework can also benefit from our HIPAA Compliance Documentation Toolkit, which includes the policy templates, forms, and risk assessment documentation structures that auditors expect to see.

Healthcare organizations navigating HIPAA alongside other regulatory obligations — particularly those operating in dual-regulated environments — may also benefit from fractional security leadership. Our Regulatory vCISO Services provide ongoing compliance leadership without the overhead of a full-time hire.

Take the Next Step Toward a Defensible HIPAA Risk Assessment

A well-executed HIPAA risk assessment is not just a regulatory obligation — it is the foundation of a mature healthcare security program. If your organization has not conducted a documented, methodology-driven risk assessment recently, or if your last assessment would not hold up under OCR review, now is the time to act. Request a quote from Cleared Systems to speak with our compliance team about conducting or strengthening your HIPAA risk assessment program. We work with practices, health systems, and business associates to build documentation that is both operationally practical and audit-ready.