What Is a HIPAA Risk Assessment?
A HIPAA risk assessment (also called a risk analysis) is a systematic evaluation of potential risks to the confidentiality, integrity, and availability of electronic protected health information (ePHI). It is the foundation of your entire HIPAA Security Rule compliance program — not a checkbox.
Under 45 CFR 164.308(a)(1), covered entities and business associates are required to conduct an accurate and thorough assessment of potential risks to ePHI. This is not optional. It is the first and most fundamental requirement of the HIPAA Security Rule — and OCR investigators ask for it first when they audit a breach.
The assessment addresses three objectives:
- Confidentiality — Ensuring ePHI is not disclosed to unauthorized persons.
- Integrity — Ensuring ePHI is not improperly altered or destroyed.
- Availability — Ensuring authorized persons can access ePHI when they need it.
If you cannot produce a documented risk assessment, OCR will assume you have not done any meaningful compliance work — regardless of what else is in place.
In 2023, OCR settled 11 cases citing failure to conduct a comprehensive risk analysis — more than any other single HIPAA violation. The assessment is consistently the first document investigators request during a breach investigation.
Who Needs to Conduct a HIPAA Risk Assessment?
Both covered entities and business associates are required to perform risk assessments. This applies to any organization that handles ePHI — not just hospitals or large health plans.
Covered Entities
Health care providers who transmit health information electronically (any practice using an EHR), health plans, and health information clearinghouses. If you bill insurance or electronically transmit patient data, you are almost certainly a covered entity.
Business Associates
Any vendor, software provider, cloud host, MSP, or consultant that creates, receives, maintains, or transmits ePHI on behalf of a covered entity is a business associate under HIPAA. SaaS companies, data analytics firms, IT support vendors, and even email providers handling patient data all qualify.
If you are a business associate, you are directly liable for HIPAA requirements, including the risk assessment. You cannot rely solely on the policies of your covered-entity clients.
If you have ever signed a Business Associate Agreement (BAA), you likely qualify as a business associate and are required to conduct your own risk assessment. Learn more about BAA requirements and who needs one →
The 9 Steps of a HIPAA Risk Assessment
Follow these steps in order, as outlined in HHS guidance on risk analysis:
1. Define the scope of the analysis. Identify all systems, data flows, and processes that create, receive, maintain, or transmit ePHI. Include remote access systems, email, mobile devices, cloud services, and third-party integrations. Document every location where ePHI exists, including paper records that could be digitized.
2. Gather data on how ePHI enters, moves through, and leaves your environment. Map data flows from creation to destruction. Identify entry points (web forms, API integrations, email), storage locations (databases, file servers, cloud buckets), and exit points (data sharing, exports, disposal).
3. Document the information you have gathered. Create a written record of your scope definition and data flows. This documentation is itself evidence of compliance, and OCR investigators will ask for it. Maintain version history: the assessment should reflect the state of your environment at the time it was conducted.
4. Identify and document potential threats and vulnerabilities. A threat is a potential cause of harm (a hacker, a malicious insider, a lost laptop). A vulnerability is a weakness that could be exploited (unpatched software, missing encryption, weak access controls). List them separately, then identify the combinations that create actual risk.
5. Assess the likelihood that each threat will occur. Consider the probability of each threat exploiting each vulnerability. Use a consistent scale (high, medium, low) and document your reasoning for each rating. OCR expects documented judgment, not guesswork.
6. Assess the potential impact of each threat. Estimate the harm if the threat succeeds. Consider regulatory penalties, breach notification costs, reputational damage, operational disruption, and legal liability. A breach at a small health tech company can be existential.
7. Determine the overall risk level for each threat-vulnerability pair. Combine likelihood and impact into a risk score. Use a consistent method; a 3x3 matrix (Low/Medium/High likelihood x Low/Medium/High impact) is common, and any method is acceptable as long as it is documented and repeatable.
8. Document the assessment findings and risks. Create a written report of your findings. Include risk levels, the rationale behind each rating, and identified threat-vulnerability pairs. This report is your evidence of compliance and the foundation for your risk management strategy.
9. Review and update the risk assessment periodically. Risk assessments are not one-time events. HHS guidance requires ongoing review: at minimum annually, and any time there is a significant change to your systems, workforce, or threat landscape. Document each update with a new version and date.
Common Findings and Remediation Priorities
Based on patterns from OCR enforcement actions, the following issues appear most frequently in HIPAA risk assessments for health tech vendors:
| Finding | Description |
|---|---|
| No Risk Assessment Conducted | No documented assessment exists, or the assessment covers less than the full ePHI environment. |
| Unencrypted Devices / Drives | Laptops, phones, or drives containing ePHI are not encrypted. |
| Weak or Missing Access Controls | No role-based access control, shared credentials, or no MFA on systems holding ePHI. |
| No Vendor / BA Risk Assessment | Third-party software and integrations are not included in scope or in BAA review. |
| Missing Patch Management | No documented schedule for applying security updates to servers and endpoints. |
| Out-of-Support Software | End-of-life operating systems or software with known exploitable vulnerabilities are still in use. |
Prioritize findings by risk level. Critical findings should have documented remediation plans within 30 days. High findings within 90 days. Every finding needs an assigned owner, a target date, and evidence of completion.
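To make steps 4 through 9 and the remediation priorities above concrete, here is a small risk register written for this page as an added example; it is not CompliMed's tool and not taken from HHS guidance. It scores each threat-vulnerability pair on the 3x3 likelihood x impact matrix, records the rationale and owner for every rating, derives the 30-day and 90-day remediation-plan deadlines, and computes the annual review date. Two things are assumptions made here: the page's matrix yields Low/Medium/High, so labelling the High x High cell "Critical" (to give the 30-day target a level to attach to) is my choice, and Medium/Low findings are given no fixed deadline. All register entries and the assessment date are constructed sample data.

```python
"""Added example: a HIPAA-style risk register scored on a 3x3 matrix.
Not CompliMed's tool or the HHS method; entries below are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

SCALE = ("Low", "Medium", "High")  # the documented rating scale (step 5)

# RISK_MATRIX[likelihood][impact] -> overall risk level (step 7).
# ASSUMPTION: the page's matrix yields Low/Medium/High; the "Critical"
# label on the High x High cell is added here to match the 30-day target.
RISK_MATRIX = {
    "Low":    {"Low": "Low",    "Medium": "Low",    "High": "Medium"},
    "Medium": {"Low": "Low",    "Medium": "Medium", "High": "High"},
    "High":   {"Low": "Medium", "Medium": "High",   "High": "Critical"},
}
RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}

# Remediation-plan targets from the text: Critical 30 days, High 90 days.
# ASSUMPTION: Medium/Low are tracked with no fixed deadline.
REMEDIATION_DAYS = {"Critical": 30, "High": 90}
REVIEW_INTERVAL_DAYS = 365  # HHS baseline: reassess at least annually (step 9)

ASSESSED_ON = date(2024, 1, 1)  # constructed assessment date for the sample


def score_risk(likelihood: str, impact: str) -> str:
    """Combine likelihood and impact with the documented, repeatable matrix."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError(f"ratings must be one of {SCALE}, got {likelihood!r}/{impact!r}")
    return RISK_MATRIX[likelihood][impact]


@dataclass
class RiskEntry:
    """One threat-vulnerability pair plus the rationale and owner OCR expects."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    rationale: str
    owner: str
    risk_level: str = field(init=False)

    def __post_init__(self) -> None:
        self.risk_level = score_risk(self.likelihood, self.impact)


def remediation_deadline(risk_level: str, assessed_on: date) -> Optional[date]:
    """Date by which a documented remediation plan is due, or None if no fixed target."""
    days = REMEDIATION_DAYS.get(risk_level)
    return assessed_on + timedelta(days=days) if days is not None else None


def next_review_date(assessed_on: date) -> date:
    """Annual baseline review; reassess sooner after any significant change."""
    return assessed_on + timedelta(days=REVIEW_INTERVAL_DAYS)


def prioritize(register: list) -> list:
    """Order findings highest risk first so remediation starts at the top."""
    return sorted(register, key=lambda e: RANK[e.risk_level], reverse=True)


def report_rows(register: list, assessed_on: date) -> list:
    """Flatten the register into the fields a findings report needs (step 8)."""
    rows = []
    for e in prioritize(register):
        due = remediation_deadline(e.risk_level, assessed_on)
        rows.append({
            "asset": e.asset, "threat": e.threat, "vulnerability": e.vulnerability,
            "likelihood": e.likelihood, "impact": e.impact, "risk": e.risk_level,
            "rationale": e.rationale, "owner": e.owner,
            "plan_due": due.isoformat() if due else "no fixed target",
        })
    return rows


def sample_register() -> list:
    """Constructed entries mirroring the common findings above; not real data."""
    return [
        RiskEntry("Field laptops", "Lost or stolen device", "No full-disk encryption",
                  "High", "High", "Laptops leave the office daily; ePHI is cached locally.", "IT lead"),
        RiskEntry("Billing server", "External attacker", "End-of-life OS, no vendor patches",
                  "Medium", "High", "Internet-facing; known issues will never be patched.", "Platform team"),
        RiskEntry("EHR admin console", "Malicious insider", "Shared admin credentials, no MFA",
                  "Medium", "Medium", "Three staff share one login; actions are not attributable.", "Security officer"),
        RiskEntry("Archived exports", "Accidental disclosure", "Exports kept on a shared drive",
                  "Low", "Medium", "Access limited to two people; no external sharing.", "Compliance"),
    ]


if __name__ == "__main__":
    for row in report_rows(sample_register(), ASSESSED_ON):
        print(f"{row['risk']:<8} {row['asset']:<18} plan due {row['plan_due']:<15} owner: {row['owner']}")
    print("next annual review:", next_review_date(ASSESSED_ON))
```

Each rating carries a one-line rationale and a named owner, which is the difference between a register OCR accepts and a spreadsheet of guesses; the `risk_level` is derived from the matrix rather than typed in, so the method stays repeatable across versions of the assessment.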
How Often to Reassess?
The HIPAA Security Rule requires risk assessments to be an ongoing process, not a one-time project. HHS guidance recommends review at least annually, but the actual frequency depends on how quickly your environment changes.
Reassess immediately after any of the following:
- New software or system deployment (especially cloud services or SaaS tools)
- Change in how ePHI is stored, processed, or transmitted
- New data sharing partnerships or integration with third-party APIs
- Significant workforce changes (layoffs, reorganizations, new hires with broad access)
- Any security incident or near-miss, even if no breach occurred
- Acquisition of another company or entry into a new market segment
Each reassessment should document what changed and why the previous assessment is being updated. This creates an audit trail that demonstrates ongoing compliance rather than a point-in-time snapshot.
Annual reassessment is the HHS baseline. If you operate in a high-threat environment (health tech SaaS, data analytics, cloud infrastructure), semiannual reviews are strongly recommended. The cost of an incomplete assessment is far higher than the cost of a more frequent one.
Risk Assessment vs. Gap Analysis: What is the Difference?
These terms are often used interchangeably, but they measure different things:
| Aspect | Risk Assessment | Gap Analysis |
|---|---|---|
| Purpose | Identify and evaluate potential threats to ePHI | Compare current state against a specific compliance standard |
| Question answered | What could go wrong, how likely is it, and what would the impact be? | Where do we fall short of HIPAA requirements? |
| Scope | Broad — covers all threats, vulnerabilities, and risk to ePHI | Focused — checks specific controls against specific requirements |
| Output | Risk register with likelihood, impact, and mitigation plans | Checklist of controls that meet or fail requirements |
| Required by HIPAA? | Yes — 164.308(a)(1) mandates a risk analysis | Not explicitly mandated, but recommended |
| Frequency | Annual minimum, plus after significant changes | Typically done before an audit or major compliance push |
Think of it this way: a gap analysis tells you where you are wrong. A risk assessment tells you what could hurt you. You need both. Start with the risk assessment — it is the regulatory requirement and the strategic foundation. Use a gap analysis to translate findings into remediation tasks.
For a structured gap analysis aligned to the nine HIPAA safeguard categories, try CompliMed's free compliance assessment tool →