If you run a U.S. healthcare company (or are a business associate) and transmit data electronically, you must comply with HIPAA security and data privacy regulations. Complying with HIPAA’s Security Rule helps you protect patients’ ePHI (electronic protected health information) with risk-assessed safeguards.
Below, we walk through what a HIPAA risk assessment covers, why it matters, and how to conduct your own.
What is a HIPAA risk assessment?
A HIPAA risk assessment is a process in which organizations identify risks and vulnerabilities that could affect ePHI protection. It focuses on protecting the confidentiality, integrity, and availability of this data by testing recommended safeguards.
The Department of Health and Human Services (HHS) refers to the process as a risk analysis, but risk assessment is the more common (and interchangeable) term.
Risk assessments form a core part of HIPAA’s Security Rule and help entities to understand if ePHI is exposed, what potential risks might be, and if their safeguards are sufficient.
Why HIPAA risk assessments matter.
HIPAA risk assessments support ongoing compliance and help organizations to keep risks visible. Regular assessments help entities spot security gaps and vulnerabilities before they cause incidents. Organizations that assess ePHI risks consistently are better positioned when new threats emerge.
Documented findings are what make these benefits real, by showing where ePHI resides, how it is used, and where exposure is most likely.
With this data, entities can take immediate action to secure gaps. Risk assessments also prioritize issues discovered based on the likelihood of threats occurring, the scope of potential impact, and how severe an incident might be.
Ultimately, regular risk assessments help companies become more audit-ready. With a clear assessment trail and proof of actions taken, they can show auditors that they take ePHI risks seriously.
Who needs to conduct a HIPAA risk assessment?
Any individuals or companies working with ePHI must conduct HIPAA risk assessments. Those working directly in the sector who handle ePHI are known as covered entities, and those that work on behalf of these companies are business associates.
According to the HHS, covered entities include:
- Healthcare providers (such as doctors, dentists, nursing homes, and pharmacies)
- Healthcare clearinghouses
- Health plans (such as insurance companies, government programs, and HMOs)
Business associates, meanwhile, are external firms or individuals that handle ePHI on behalf of covered entities. Examples include:
- Healthcare vendors
- Technology partners
- Attorneys and legal firms
- Consultancies
- CPA firms
- Administrators
- Billing firms
- Vendors
- Cloud providers
Regardless of organization size, if you handle or process ePHI, HIPAA risk management is vital – which includes clearly documenting the steps you take.
What should a HIPAA risk assessment cover?
A HIPAA risk assessment must account for all ePHI created, received, maintained, and transmitted by an organization. That means comprehensively analyzing and documenting all systems that touch this data – such as cloud environments, email and operating servers, endpoints, Electronic Health Record (EHR) platforms, data backups, and other devices connected to their infrastructure.
Beyond locations, organizations must ensure an assessment covers workflows that handle and process this information. For example, standard processes such as billing and invoicing, new patient intake, insurance claims, vendor access and BAAs (Business Associate Agreements), telehealth intake, and all data transfers should be considered.
When assessing scope, it’s important to remember where threats are most likely to come from. ePHI is at risk from external malicious attacks, human error, configuration and system failures, third-party failures, and even insider misuse. Cases of the latter have led to costly settlements:
“On May 28, 2025, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced an $800,000 settlement with a large Florida-based health care provider over potential violations of the HIPAA Security Rule stemming from insider misuse of access credentials.”
How to conduct a HIPAA risk assessment.
To conduct a HIPAA risk assessment, you must follow six key steps. You must identify where ePHI lives and moves, threats and vulnerabilities that may affect it, and review any current safeguards. Then, you must determine the likelihood of risks occurring and their potential impacts, prioritize remediation and assign responsibilities, and document all findings.
Identify where ePHI lives and moves.
Before any investigative action, you must identify and document all locations, systems, devices, applications, individual users, workflows, and third-party vendors that come into contact with ePHI. That means accounting for physical and virtual environments across the board.
Crucially, consider where ePHI is initially created, stored, accessed and amended, transmitted, shared, and otherwise handled. Even if it is briefly held on an email server, that location still counts as an ePHI checkpoint.
It’s important to map out ePHI locations first so that it is easier to review and amend the process later on.
Identify threats and vulnerabilities.
Now, you must identify potential threats and vulnerabilities that hypothetically put your ePHI at legitimate risk.
Threats are actions, malicious or otherwise, that expose and exploit weaknesses. Vulnerabilities are those weaknesses – infrastructure gaps that allow breaches to take place.
Typical threats include direct cyberattacks, human error, and vendor failures. Users having unauthorized access to ePHI, or loss or damage caused to devices or endpoints, also count as threats.
Vulnerabilities, meanwhile, include poor or weak access controls (such as easily guessable passwords or a lack of multi-factor authentication). Others include legacy systems, devices, and endpoints without patches or security updates, and insufficient cybersecurity policies.
During an assessment, a risk should connect a potential threat with a specific vulnerability. For example, a lack of phishing protection or training programs could give attackers easy access to ePHI.
Review current safeguards.
You must now assess whether or not your existing controls are sufficient to protect ePHI, as per HIPAA guidelines.
That means taking steps to review three types of safeguards – administrative, physical, and technical.
- Administrative safeguards include security training, data access management, incident protocols, and contingency planning.
- Physical safeguards include workstation policies, access controls into zones where ePHI is handled, security cameras, and access logging.
- Technical safeguards include access controls and authentication, auditing software, and transmission protections.
Suggested controls to assess at this stage include your access management plan, any data encryption standards in place, audit logging, training and development programs, incident response plans, and emergency data backups.
We recommend vulnerability scanning and penetration testing, as part of an ongoing program. Neither is explicitly required under the current Security Rule, but the proposed Security Rule updates would mandate scanning every six months and annual penetration testing.
Determine likelihood and impact.
Determining how likely a threat is, and what its potential impact may be, helps you build your findings into a risk profile that’s ready to prioritize.
By determining likelihood, you consider how probable it is that a threat may exploit a very specific vulnerability. Is, for example, a misconfiguration likely to be easy to spot? What could an attacker access if they exploit it?
Impact, meanwhile, gives insight into what effects a threat could have on ePHI, ongoing operations, HIPAA compliance, and your reputation and continuity. Even if a threat appears unlikely, it is crucial to consider the full ramifications of exposure.
To prioritize risks based on likelihood and impact, use a risk ratings scale. This must be consistent across everything discovered and clearly based on evidence.
Prioritize remediation and assign ownership.
After investigation, it is time to take action and improve your cybersecurity posture.
Start by prioritizing risks with the highest ratings – i.e., those that are deemed most severe, likely, and detrimental to the business.
Carefully outline the expectations for remediation in each case. Decide who is responsible for remedying the risk, how long you expect remediation to take, and what next steps should be.
It’s important to track remediation, for example, by applying timed checkpoints for future review. Circling back to check if remediation attempts have been made, and whether or not they have been successful, helps to build more proactive, continuous compliance. A risk assessment must never be a one-off exercise.
Document findings and reassess regularly.
After each assessment, clearly document findings to support an ongoing, continuous program. You must include the precise scope of ePHI, any specific methodologies used, how you have calculated risk ratings, and any evidence you have found. In addition, always document remediation plans and recommendations.
You must always review and update risk assessments after every significant change affecting the ePHI you hold and process. That means reviewing after changes to systems and endpoints, vendor relationships and new intakes, workflows, and technologies used.
A continuous reassessment system means your risk picture and posture are always current, relevant, and defensible in the event of an audit.
Where HIPAA risk assessments commonly go wrong.
Common HIPAA risk assessment mistakes include incomplete ePHI mapping, treating assessments as simple checklists, weak process documentation, and failing to assign owners or remediation tasks.
It is crucial to carefully map out everywhere that ePHI touches within your network, and across vendors. Otherwise, you risk leaving important areas completely out of scope before assessing risk, meaning there could be weaknesses and breach opportunities unaccounted for.
You must also avoid treating assessments like surface-level checklist exercises. While using checklists can support the process, merely checking boxes to get assessments out of the way can lead to some risks getting under-analyzed.
Weak or incomplete documentation will not support your cybersecurity posture in the event of an audit. With gaps in your records, it’s difficult to prove how you identified risks, how you scored them, and what you did to address them.
Finally, with no clear assigned owner, deadline, or remediation tracking in place, your findings lose value. Always follow them up with targeted actions.
How checklists and tools support the assessment.
Using checklists and tools can help you carry out risk assessments more confidently and comprehensively. However, they shouldn’t be relied upon completely for analysis – we recommend using a handful of tools to support a more efficient process.
With a HIPAA compliance checklist, it’s easier to organize each step of the assessment and to avoid missing important control areas. For example, you may use a list to ensure each ePHI location is accounted for.
The ideal checklist should, beyond ePHI inventory, cover safeguard reviews, threat and vulnerability hunting, risk scoring and prioritization, and remediation tracking for future review.
In addition to a checklist, we recommend using the ONC Security Risk Assessment Tool. This application is designed for small to medium healthcare businesses that need guidance through risk analysis. It’s a useful way to double-check the steps you take.
In fact, tools like these are most useful as a complementary support system. Ideally, use them to record and document findings, assign tasks and workflows, and monitor remediation and review progress over time.
How VikingCloud supports HIPAA risk assessment.
Designing, conducting, and documenting a risk assessment thorough enough to satisfy auditors is demanding. Most covered entities and business associates don’t have the internal resources to do it consistently. That’s where a compliance partner makes a real difference.
Third-party assessors bring objectivity that internal teams can’t replicate, and practical expertise is shaped by real OCR enforcement cases, not just framework checklists. The right partner also brings technical depth to your assessments that might otherwise be difficult to attain on your own.
Partnering with an experienced assessor also means you can efficiently move from handling findings to implementing documented remediation. That’s more time spent remedying faults rather than juggling the administration.
VikingCloud offers HIPAA compliance services to support covered entities and business associates. With vulnerability scanning, risk management, penetration testing, and data privacy compliance programs available, contact us to learn more about how we can support your HIPAA needs.
FAQs
Is a HIPAA risk assessment the same as a HIPAA risk analysis?
Yes, the terms are interchangeable. “Risk analysis” is used in official Security Rule guidance from HHS and OCR, and “risk assessment” is more commonly used in the wider market.
Who needs to complete a HIPAA risk assessment?
All covered entities and business associates in U.S. healthcare that create, receive, maintain, and transmit ePHI must complete HIPAA risk assessments. It is a compliance requirement as part of the HIPAA Security Rule.
How often should a HIPAA risk assessment be completed?
You must always carry out a HIPAA risk assessment after every significant change to your systems, processes, vendors, workflows, or threats. Otherwise, there is no mandated frequency.
Can a checklist satisfy HIPAA risk assessment requirements?
A checklist can help you manage HIPAA risk assessment tasks, but it is not sufficient to satisfy Security Rule requirements. HIPAA requires that you carefully document threat and vulnerability analysis, including a record of likelihood and impact, and what safeguards you have in place.
What happens if a HIPAA risk assessment is missing or incomplete?
A missing or incomplete HIPAA risk assessment leaves organizations open to security breaches and OCR enforcement action. Both can lead to financial, reputational, and legal ramifications.
Related Blogs
Stay up-to-date on the latest happenings in Cybersecurity and PCI Compliance.

The Franchise Uptime Paradox: Every Location’s Downtime Becomes Your Brand’s Problem




.png)