HIPAA Risk Assessment: What It Is and How to Actually Do One
By ComplyCreate Editorial Team · Published Apr 24, 2026 · Last reviewed Apr 24, 2026
The Security Rule's risk analysis requirement is the foundation of HIPAA security compliance. Without it, you cannot know what you need to protect, where your vulnerabilities are, or whether your existing controls are adequate. And without documentation, OCR has no way to verify compliance — making it the most commonly cited deficiency when investigations arise.
What Is a HIPAA Risk Assessment?
A HIPAA risk assessment (formally called a "risk analysis" in the Security Rule) is a systematic process for identifying and documenting potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI that your organization creates, receives, maintains, or transmits. It is required by 45 CFR § 164.308(a)(1)(ii)(A) as a required (not addressable) specification.
The risk assessment does not assess whether you are "HIPAA compliant" in a general sense — it specifically assesses the security risks to ePHI in your environment. The output is a documented risk register that identifies specific threats and vulnerabilities, their likelihood, their potential impact, and your existing controls — resulting in a risk level (high/medium/low or a numeric score) for each risk item.
Who Must Conduct a Risk Assessment?
All covered entities and all business associates that create, receive, maintain, or transmit ePHI are required to conduct a risk analysis. This is not limited to large organizations. A solo therapist using an EHR, a billing company processing electronic claims, and a cloud storage provider hosting patient data are all required to conduct risk assessments.
What the Risk Assessment Must Cover
HHS's guidance on risk analysis specifies that a complete and thorough risk assessment must include:
- Scope: All ePHI your organization creates, receives, maintains, or transmits — regardless of where it is stored (on-premises servers, cloud, laptops, mobile devices, backup tapes)
- Threat identification: All potential threats to ePHI — both reasonably anticipated and relevant to your environment (ransomware, phishing, insider threats, device theft, natural disasters, vendor breaches)
- Vulnerability identification: Weaknesses in your systems, processes, or workforce that could be exploited by identified threats (unpatched software, weak passwords, lack of encryption, inadequate training)
- Likelihood of occurrence: An assessment of how likely each threat-vulnerability combination is to occur, given your current environment and controls
- Potential impact: An assessment of the magnitude of harm if the threat-vulnerability combination results in a breach — considering confidentiality, integrity, and availability
- Current security controls: Documentation of existing controls that address each identified risk
- Risk level determination: A determination of the level of risk (high/medium/low or numeric) based on the combination of likelihood and impact, considering existing controls
The 6-Step Risk Assessment Process
Step 1: Define Scope
Document all the ePHI your organization handles. Where does it live? On-premises servers, cloud environments, EHR systems, email, laptops, mobile devices, backup systems, portable drives? Map the data flows: where does ePHI enter your organization, how does it move through systems, where does it leave, and where is it stored? A data flow diagram is helpful but not required. The scope must be comprehensive — OCR has penalized organizations for assessments that failed to cover all ePHI environments.
Step 2: Identify ePHI and Its Locations
Create an inventory of all systems, applications, and devices that store or transmit ePHI. This should include your EHR, billing system, practice management software, email (if used for patient communication), voicemail, fax servers, cloud storage, backup systems, and any portable devices (laptops, tablets, smartphones) used by staff who access ePHI. This step often reveals vendor relationships that require BAAs — any vendor who stores your ePHI is a business associate.
Step 3: Identify Threats and Vulnerabilities
For each ePHI location, identify relevant threats — external (ransomware, hackers, phishing) and internal (accidental disclosure, unauthorized access by employees, device loss). Then identify vulnerabilities: weaknesses in your technical environment (outdated software, weak passwords, unencrypted laptops), physical environment (unlocked server rooms, unattended workstations in patient areas), and administrative processes (inadequate training, no workforce access review). HHS's free SRA Tool provides a structured threat/vulnerability library to work from.
Step 4: Assess Current Controls
Document the security controls already in place for each identified threat-vulnerability pair. Are you using encryption? Multi-factor authentication? Automatic logoff? Regular software patching? Endpoint security software? Workforce access reviews? This step requires honest assessment — documenting controls that are planned but not yet implemented will not satisfy OCR's requirements.
Step 5: Determine Risk Level
Combine likelihood and impact to determine a risk level for each identified risk. A common approach is a 3×3 or 5×5 risk matrix: low/medium/high likelihood × low/medium/high impact = overall risk level (low/medium/high or scores like 1–9 or 1–25). Existing controls reduce the residual risk level. Document the rationale for each risk level assignment. High-risk items require priority attention in your risk management plan.
Step 6: Document Everything
The risk assessment must be documented in writing. OCR will request this document in virtually every HIPAA investigation. The documentation should be retained for 6 years per 45 CFR § 164.530(j). Once complete, the risk assessment feeds directly into your risk management plan — the companion requirement under § 164.308(a)(1)(ii)(B) — which specifies what security measures you will implement to reduce high and medium risks to a reasonable level.
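As an added illustration (not code from this page or from HHS's SRA Tool), Steps 3 to 6 as a small Python risk register: threat-vulnerability pairs per ePHI location, a 3×3 likelihood × impact matrix, only implemented controls reducing residual likelihood, and a written rationale per item that feeds the risk management plan. The score bands, the control reduction scale, and the sample entries are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Control:
    name: str
    implemented: bool              # planned-but-unimplemented controls never count (Step 4)
    likelihood_reduction: int = 0  # assumed scale: likelihood points removed when implemented

@dataclass
class RiskItem:
    location: str        # ePHI location from the Step 2 inventory
    threat: str          # Step 3
    vulnerability: str   # Step 3
    likelihood: int      # 1 low, 2 medium, 3 high (Step 5)
    impact: int          # 1 low, 2 medium, 3 high (Step 5)
    controls: list = field(default_factory=list)

def score_to_level(score: int) -> str:
    """Band a 3x3 product (1,2,3,4,6,9) into a level; the banding itself is an assumption."""
    return "high" if score >= 6 else "medium" if score >= 3 else "low"

def inherent_score(item: RiskItem) -> int:
    return item.likelihood * item.impact

def residual_score(item: RiskItem) -> int:
    """Only implemented controls lower likelihood; floor at 1 so a risk never disappears."""
    reduction = sum(c.likelihood_reduction for c in item.controls if c.implemented)
    return max(1, item.likelihood - reduction) * item.impact

def assess(register: list) -> list:
    """Score every threat-vulnerability pair, record the rationale, sort highest residual first."""
    rows = []
    for item in register:
        inherent, residual = inherent_score(item), residual_score(item)
        applied = [c.name for c in item.controls if c.implemented] or ["none"]
        rows.append({
            "location": item.location, "threat": item.threat,
            "inherent": score_to_level(inherent), "residual": score_to_level(residual),
            "residual_score": residual,
            "rationale": f"L{item.likelihood} x I{item.impact} = {inherent}; "
                         f"implemented controls: {', '.join(applied)} -> residual {residual}",
            "needs_treatment": score_to_level(residual) != "low",  # goes to the risk management plan
        })
    return sorted(rows, key=lambda r: r["residual_score"], reverse=True)

# Constructed sample register; values are illustrative, not from any real assessment.
SAMPLE_REGISTER = [
    RiskItem("staff laptops", "device theft", "unencrypted disk", 3, 3,
             [Control("full-disk encryption", implemented=False, likelihood_reduction=2)]),
    RiskItem("EHR", "ransomware", "unpatched software", 3, 3,
             [Control("monthly patching", True, 1), Control("MFA on remote access", True, 1)]),
    RiskItem("fax server", "misdirected fax", "manual number entry", 2, 1,
             [Control("confirmation callback", True, 1)]),
]
```

Note that the planned laptop encryption does not lower the laptop score: the register stays high until the control is actually in place, which is the Step 4 point about documenting only implemented controls.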
How Often to Conduct a Risk Assessment
HIPAA requires the risk assessment to be conducted "as needed to keep security measures current." OCR's guidance interprets this to mean at least annually and after any material change — a major EHR upgrade, a new office location, acquisition of another practice, adding a new service line, or any significant change in your ePHI environment. An assessment more than 12–18 months old is likely to be questioned by OCR as outdated.
Common Mistakes
- Failing to include all ePHI locations — especially employee-owned devices that access ePHI, or cloud tools adopted informally by staff
- Treating "addressable" Security Rule specifications as optional rather than assessing them
- Conducting the assessment but not updating it annually or after material changes
- Using a checklist format that lacks qualitative assessment of likelihood and impact
- Not acting on identified high risks — the risk management plan must address identified risks, not simply document them
- Not retaining the documented assessment — OCR requires 6-year retention
Tools and Resources
HHS provides a free Security Risk Assessment (SRA) Tool at healthit.gov. The tool is available as a downloadable application for Windows and generates a report that can be used as documentation. It's designed for small to medium-sized healthcare organizations.
See also our HIPAA compliance checklist for the full list of Security Rule implementation requirements beyond the risk assessment.
Frequently Asked Questions
Is a HIPAA risk assessment required?
Yes. 45 CFR § 164.308(a)(1)(ii)(A) requires all covered entities and business associates to conduct an accurate and thorough risk analysis. This is a required (not addressable) specification — it cannot be substituted with an alternative measure. OCR cites missing or inadequate risk assessments in the majority of its enforcement actions.
How often must you do a risk assessment?
At least annually and after any material change in operations, technology, workforce, or physical environment. OCR's guidance specifies "as needed to keep security measures current." An assessment conducted three or more years ago is generally considered inadequate in an enforcement context.
What is the difference between a risk assessment and a risk analysis?
HIPAA uses "risk analysis" (§ 164.308(a)(1)(ii)(A)) to mean the process of identifying threats, vulnerabilities, likelihood, and impact — the assessment itself. "Risk management" (§ 164.308(a)(1)(ii)(B)) refers to implementing controls to reduce identified risks. The terms risk analysis, risk assessment, and security risk assessment (SRA) are used interchangeably in practice.
Can I do my own HIPAA risk assessment?
Yes. HHS provides the free SRA Tool at healthit.gov. Small practices can use this tool to conduct and document a compliant risk assessment. Larger organizations with complex ePHI environments may benefit from engaging a qualified HIPAA security consultant. The completed assessment must be documented in writing regardless of who conducts it.
What does OCR look for in a risk assessment?
OCR examines whether the risk assessment covers all ePHI locations, identifies realistic threats (including ransomware and insider threats), documents existing controls, assesses likelihood and impact for each threat-vulnerability pair, and results in a risk management plan addressing identified high-risk items. OCR also verifies that the assessment was updated annually and after material changes.