HIPAA Risk Assessment Guide

This guide walks through how to conduct a HIPAA-compliant risk assessment, what to document, and how to use findings to improve your security posture.

Key Takeaways

Quick Answer: A HIPAA risk assessment identifies where your ePHI is, what could threaten it, how vulnerable you are, and what the impact would be if something went wrong. It's required by HIPAA, must be documented, and should drive your security program decisions.

Why Risk Assessment Matters

Regulatory Requirement

The HIPAA Security Rule explicitly requires:

• "Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate." §164.308(a)(1)(ii)(A)

Foundation for Compliance

Risk assessment drives:

• Security control selection and implementation
• Resource allocation decisions
• Policy development
• Training priorities
• Vendor management focus

Enforcement Consideration

HHS OCR consistently cites inadequate risk assessment in enforcement actions. Common findings:

• No risk assessment conducted
• Risk assessment not comprehensive
• Risk assessment not updated after changes
• Findings not addressed

When to Conduct Risk Assessment

Required Triggers

Significant Changes Requiring Reassessment

• New applications handling ePHI
• Changes to network architecture
• New vendors with ePHI access
• Organizational changes (merger, acquisition)
• New office locations
• Changes to business processes
• Major security incidents
• Regulatory changes

Risk Assessment Framework

Step 1: Define Scope

Identify all ePHI:

• Where is ePHI created?
• Where is ePHI received?
• Where is ePHI stored?
• How is ePHI transmitted?
• Who has access to ePHI?

Document ePHI inventory:

Step 2: Identify Threats

Threat categories:

Common threats to ePHI:

• Ransomware and malware
• Phishing attacks
• Unauthorized access by employees
• Vendor security failures
• Data exposure through misconfiguration
• Lost or stolen devices
• Insider threats
• System failures
• Natural disasters

Step 3: Identify Vulnerabilities

Vulnerability assessment areas:

Vulnerability discovery methods:

• Technical vulnerability scanning
• Configuration reviews
• Policy and procedure review
• Interviews with personnel
• Penetration testing
• Previous incident analysis
• Audit findings

Step 4: Assess Current Controls

Document existing controls:

Control effectiveness ratings:

• Effective: Control fully mitigates the risk
• Partial: Control reduces but doesn't eliminate risk
• Ineffective: Control doesn't adequately address risk
• None: No control in place

Step 5: Determine Likelihood

Likelihood rating factors:

• Historical occurrence (internally and industry-wide)
• Threat capability and motivation
• Vulnerability exploitability
• Current control effectiveness

Likelihood scale:

Step 6: Determine Impact

Impact assessment factors:

• Number of individuals affected
• Sensitivity of ePHI exposed
• Operational impact
• Financial impact
• Reputational impact
• Regulatory impact

Impact scale:

Step 7: Calculate Risk Level

Risk matrix:

Risk levels:

• Critical: Immediate action required
• High: Urgent remediation needed
• Medium: Planned remediation
• Low: Accept or monitor

Step 8: Document Risk Register

Create a risk register documenting all identified risks:

Step 9: Develop Remediation Plan

For each identified risk, determine:

Risk treatment options:

• Mitigate: Implement controls to reduce risk
• Transfer: Transfer risk to third party (insurance, vendor)
• Accept: Accept risk with documented justification
• Avoid: Eliminate the activity creating the risk

Remediation plan example:

Step 10: Document and Maintain

Required documentation:

• Risk assessment methodology
• Scope and boundaries
• Asset inventory
• Threat and vulnerability analysis
• Risk ratings and justifications
• Remediation plan
• Risk acceptance decisions (with rationale)
• Review and update history

Retention: Maintain documentation for 6 years per HIPAA requirements.

Risk Assessment Template

Section 1: Assessment Information

1Assessment Date: [Date]
2Assessment Lead: [Name/Title]
3Participants: [Names/Titles]
4Scope: [Description of what's covered]
5Previous Assessment: [Date or N/A]

Section 2: ePHI Inventory

1For each system/location:
2- System name
3- Description
4- ePHI types stored/processed
5- Data volume
6- Users with access
7- Data flows (where data comes from/goes to)

Section 3: Threat Analysis

1For each threat:
2- Threat description
3- Threat source (natural, human, environmental)
4- Affected systems
5- Historical occurrence

Section 4: Vulnerability Analysis

1For each vulnerability:
2- Vulnerability description
3- Affected systems
4- Discovery method
5- Related threats

Section 5: Control Analysis

1For each control area:
2- Control description
3- Implementation status
4- Effectiveness assessment
5- Gaps identified

Section 6: Risk Analysis

1For each risk:
2- Risk ID
3- Risk description
4- Associated threats and vulnerabilities
5- Likelihood rating (with justification)
6- Impact rating (with justification)
7- Risk level
8- Current controls

Section 7: Remediation Plan

1For each risk requiring remediation:
2- Risk ID
3- Remediation action
4- Owner
5- Timeline
6- Resources required
7- Success criteria

Section 8: Risk Acceptance

1For each accepted risk:
2- Risk ID
3- Risk description
4- Justification for acceptance
5- Approval authority
6- Approval date
7- Review date

Common Risk Assessment Mistakes

Mistake 1: Incomplete Scope

Problem: Missing ePHI locations (shadow IT, personal devices, etc.)

Solution: Conduct thorough data discovery, interview stakeholders, review data flows.

Mistake 2: Generic Threat Lists

Problem: Using generic threats without considering your specific environment.

Solution: Tailor threat analysis to your industry, size, and technical environment.

Mistake 3: Subjective Ratings

Problem: Inconsistent likelihood and impact ratings without criteria.

Solution: Define rating criteria before assessment, apply consistently.

Mistake 4: Assessment Without Action

Problem: Conducting assessment but not addressing findings.

Solution: Develop actionable remediation plan, track to completion.

Mistake 5: Point-in-Time Only

Problem: Treating risk assessment as one-time activity.

Solution: Establish triggers for reassessment, conduct annual reviews.

Risk Assessment Tools

Spreadsheet-Based

• Simple for small organizations
• Customizable
• Low cost
• Manual maintenance

GRC Platforms

• Automated workflows
• Centralized tracking
• Reporting capabilities
• Higher cost

HHS Resources

• NIST SP 800-66 guidance
• OCR audit protocol
• HHS Security Risk Assessment Tool (SRA Tool)

Frequently Asked Questions

How often should we conduct risk assessments?

Conduct comprehensive assessment initially, then:

• Annual review at minimum
• When significant changes occur
• After security incidents
• When new systems handling ePHI are deployed

Who should conduct the risk assessment?

The Security Officer typically leads, with input from:

• IT/Engineering team
• Operations
• Legal/Compliance
• Executive leadership

External consultants can provide objectivity and expertise.

How detailed should the assessment be?

Detailed enough to:

• Identify all ePHI locations
• Document threats and vulnerabilities specific to your environment
• Justify risk ratings
• Drive meaningful remediation actions
• Demonstrate compliance if audited

Can we use a vendor's risk assessment?

Cloud providers' assessments (SOC 2, etc.) can inform your assessment but don't replace it. You must assess:

• How you configure and use their services
• Your application layer security
• Your policies and procedures
• Your specific ePHI handling

What if we can't remediate all risks immediately?

Prioritize based on risk level:

• Address critical/high risks urgently
• Plan for medium risks
• Accept or monitor low risks
• Document all decisions and rationale

How Bastion Helps

Bastion helps technology companies conduct effective risk assessments:

• Methodology: Proven risk assessment framework
• Facilitation: Guide assessment workshops
• Documentation: Comprehensive assessment documentation
• Remediation planning: Actionable plans with prioritization
• Ongoing support: Annual reassessments and updates

Ready to conduct your HIPAA risk assessment? Talk to our team

Sources

• HHS Guidance on Risk Analysis - Official HHS guidance
• NIST SP 800-30 - Guide for Conducting Risk Assessments
• NIST SP 800-66 - Implementing the HIPAA Security Rule
• HHS Security Risk Assessment Tool - Free assessment tool from HHS