A HIPAA risk assessment is the structured process of identifying, evaluating, and documenting threats to the confidentiality, integrity, and availability of protected health information (PHI), and it sits at the core of compliance with the US Health Insurance Portability and Accountability Act. For covered entities and their business associates, this exercise is not optional housekeeping—the HIPAA Security Rule requires an accurate and thorough analysis of risks to electronic protected health information (ePHI) as a foundational, mandatory safeguard.
This article is general guidance only and is not legal advice.
What a HIPAA risk assessment actually covers
HIPAA applies to covered entities—health plans, healthcare clearinghouses, and most healthcare providers who transmit health information electronically—as well as the business associates who handle PHI on their behalf. A HIPAA risk assessment examines how PHI, and especially ePHI, moves through your organization: where it is created, received, stored, transmitted, and eventually destroyed.
The Security Rule frames its requirements around three categories of safeguards. A useful risk assessment evaluates all three rather than focusing narrowly on technology.
| Safeguard type | Focus | Examples reviewed during assessment |
|---|---|---|
| Administrative | Policies, workforce, and governance | Security management process, workforce training, access authorization, incident response procedures |
| Physical | Facilities and devices | Facility access controls, workstation security, device and media disposal |
| Technical | Systems handling ePHI | Access controls, audit logging, integrity controls, transmission security such as encryption |
Why the HIPAA risk assessment is mandatory, not optional
The Security Rule’s risk analysis requirement is a named, enforceable obligation. The HHS Office for Civil Rights (OCR), which enforces HIPAA, has repeatedly cited the absence of an accurate and thorough risk analysis as a contributing failure in enforcement actions following breaches.
Equally important, the Breach Notification Rule requires organizations to notify affected individuals and HHS OCR when unsecured PHI is compromised—generally without unreasonable delay and no later than 60 days for individual notice. A current risk assessment helps you both prevent incidents and respond credibly when one occurs.
Risk analysis versus risk management
These two terms are often used interchangeably, but they are distinct steps. The risk analysis identifies and rates risks. Risk management is the follow-on work of implementing measures to reduce those risks to a reasonable and appropriate level. A finding without a remediation plan is an incomplete cycle.
Core steps in a HIPAA risk assessment
There is no single mandated template, and the Security Rule is deliberately flexible so that a small clinic and a national health plan can each scale the effort appropriately. Most defensible assessments, however, follow a recognizable sequence.
- Scope the ePHI. Inventory every system, application, device, and third party that creates, receives, stores, or transmits ePHI.
- Identify threats and vulnerabilities. Consider human error, malicious insiders, ransomware, lost devices, natural disasters, and vendor failures.
- Assess current safeguards. Document the administrative, physical, and technical controls already in place.
- Determine likelihood and impact. Rate the probability of each threat exploiting a vulnerability and the resulting harm.
- Assign a risk level. Combine likelihood and impact into a prioritized risk rating.
- Document findings. Record the analysis, the reasoning, and the date—documentation is itself a compliance expectation.
- Remediate and repeat. Feed results into risk management, then review periodically and after material changes.
Where the Privacy Rule fits in
While the risk analysis requirement lives in the Security Rule, a mature assessment also considers Privacy Rule obligations—governing the use and disclosure of PHI and the minimum-necessary standard, which limits access and disclosure to the least information needed for a task. Reviewing access rights against minimum necessary often surfaces meaningful, correctable risk.
Business associates and vendor risk
PHI rarely stays within one organization. Cloud hosting, billing services, IT support, and analytics vendors frequently handle ePHI, and HIPAA requires a Business Associate Agreement (BAA) with each of them. Your HIPAA risk assessment should confirm that BAAs are in place and that vendors maintain safeguards consistent with the risk they carry.
| Party | HIPAA obligation | Assessment question |
|---|---|---|
| Covered entity | Conduct risk analysis; safeguard PHI | Is our analysis current and documented? |
| Business associate | Safeguard ePHI; sign a BAA | Do all vendors have signed BAAs? |
| Subcontractor | Bound through downstream BAA | Do our vendors flow obligations down? |
Common gaps found during a HIPAA risk assessment
Certain weaknesses appear repeatedly across organizations of every size. Watching for them makes the assessment far more productive.
- Incomplete ePHI inventory—shadow systems and personal devices that never made it into scope.
- A one-time analysis that was never revisited after new software, mergers, or remote-work changes.
- Missing or outdated Business Associate Agreements.
- Weak access controls that ignore the minimum-necessary principle.
- Unencrypted portable devices and email transmissions.
- No documented, tested incident response and breach notification procedure.
For the authoritative source on requirements and guidance, review the official materials from the US Department of Health and Human Services at HHS.gov HIPAA.
Frequently asked questions
How often should a HIPAA risk assessment be performed?
HIPAA does not fix a rigid calendar interval, but the risk analysis must remain accurate and current. In practice, organizations review it at least annually and whenever there is a significant change—new systems, a data breach, a merger, or a shift such as expanded remote access.
Who is responsible for conducting it?
The covered entity or business associate is ultimately accountable. Many designate a security officer to lead the work, and some engage external specialists. Responsibility for compliance cannot be outsourced even when the analysis itself is.
Does a HIPAA risk assessment guarantee compliance?
No single document guarantees compliance. The assessment is a required foundation, but it must connect to actual risk management, workforce training, up-to-date policies, and ongoing monitoring to demonstrate a genuine compliance program.
What happens if we skip it?
The absence of an accurate, thorough risk analysis is a frequent finding in HHS OCR enforcement actions and can significantly increase exposure after a breach. Beyond penalties, skipping it leaves real vulnerabilities unaddressed.

Related guides
- HIPAA compliance guide: obligations for covered entities and business associates
- HIPAA Security Rule: administrative, physical, and technical safeguards explained
- HIPAA Privacy Rule: PHI use, disclosure, and the minimum-necessary standard
Our editable HIPAA (US) toolkit gives you ready-to-use risk assessment templates, safeguard checklists, and policy documents you can tailor to your organization. Explore the HIPAA toolkit to start building a documented, defensible compliance program today.

