How to Conduct a HIPAA Risk Assessment

Learn how to conduct a comprehensive HIPAA security risk assessment to identify vulnerabilities and protect health information.

[Image: Analyst reviewing security dashboard charts and risk assessment metrics on multiple monitors]
A HIPAA risk assessment identifies threats and vulnerabilities to electronic protected health information

A HIPAA security risk assessment is a foundational requirement of the Security Rule. It identifies risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.

Why Risk Assessment Matters

Risk assessment is not optional — it is a required administrative safeguard under 45 CFR § 164.308(a)(1)(ii)(A). Without a thorough risk assessment, organisations cannot effectively allocate resources to address their most critical vulnerabilities.

Step 1: Identify ePHI

Begin by identifying all electronic protected health information within your organisation:

  • Where is ePHI created, received, maintained, or transmitted?
  • What systems and applications process ePHI?
  • Who has access to ePHI and why?

Step 2: Identify Threats and Vulnerabilities

For each system that handles ePHI, consider:

  • Natural threats — Floods, fires, earthquakes
  • Human threats — Unauthorised access, employee mistakes, malicious attacks
  • Environmental threats — Power failures, equipment malfunctions

Step 3: Assess Current Security Measures

Evaluate the safeguards currently in place:

Step 4: Determine Likelihood and Impact

For each identified threat-vulnerability pair:

  • Rate the likelihood of the threat occurring (low, medium, high)
  • Rate the potential impact on the organisation and individuals (low, medium, high)
  • Calculate the overall risk level

Step 5: Develop a Risk Management Plan

Based on the risk levels identified:

  1. High risks — Implement additional safeguards immediately
  2. Medium risks — Plan and schedule remediation
  3. Low risks — Monitor and review periodically

[Image: Business team collaborating on a risk management plan with documents and laptops]
Risk assessment documentation must be reviewed and updated regularly as threats evolve
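As an added example that is not part of the article, the Python below applies Steps 4 and 5 to a small risk register: each threat-vulnerability pair gets a likelihood and impact rating, an overall risk level is derived, and the matching remediation priority and responsible party are attached for the Step 6 record. The article does not prescribe a formula, so the numeric scale, the product rule and the thresholds are assumptions, and the register entries are constructed.

```python
from dataclasses import dataclass

# Ordinal scale for the low/medium/high ratings in Step 4 (assumed values).
RATING = {"low": 1, "medium": 2, "high": 3}
# Remediation priority from Step 5 for each overall risk level.
ACTION = {"high": "Implement additional safeguards immediately",
          "medium": "Plan and schedule remediation",
          "low": "Monitor and review periodically"}

def risk_level(likelihood: str, impact: str) -> str:
    """Overall level from likelihood x impact (Step 4). Assumed rule: product of
    the ordinal ratings (1..9); 6+ is high, 3-5 medium, else low. Unknown ratings
    raise ValueError rather than silently scoring as low."""
    try:
        score = RATING[likelihood.lower()] * RATING[impact.lower()]
    except KeyError as exc:
        raise ValueError(f"rating must be low/medium/high, got {exc.args[0]!r}")
    return "high" if score >= 6 else "medium" if score >= 3 else "low"

@dataclass
class RiskItem:
    """One threat-vulnerability pair for a system that handles ePHI."""
    system: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    owner: str  # responsible party, recorded for the Step 6 documentation

def build_plan(items: list) -> list:
    """Rate each item and return plan rows ordered highest risk first (Step 5)."""
    order = {"high": 0, "medium": 1, "low": 2}
    rows = []
    for it in items:
        level = risk_level(it.likelihood, it.impact)
        rows.append({"system": it.system, "threat": it.threat,
                     "vulnerability": it.vulnerability, "level": level,
                     "action": ACTION[level], "owner": it.owner})
    return sorted(rows, key=lambda r: order[r["level"]])

# Constructed sample register; these are not real findings.
SAMPLE = [
    RiskItem("EHR database", "Unauthorised access", "shared admin password",
             "high", "high", "IT security lead"),
    RiskItem("Billing workstation", "Power failure", "no UPS",
             "medium", "low", "Facilities"),
    RiskItem("Backup server", "Flood", "server room in basement",
             "low", "high", "Infrastructure"),
]
```

Because sorted() is stable, items at the same level keep their register order, so the plan doubles as the prioritised "Findings and risk levels" list from Step 6.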

Step 6: Document Everything

Thorough documentation is critical. Your risk assessment should include:

  • Methodology used
  • Findings and risk levels
  • Recommended safeguards
  • Implementation timeline
  • Responsible parties

Ongoing Risk Management

Risk assessment is not a one-time activity. It should be conducted:

  • At least annually
  • When new systems or processes are introduced
  • After a security incident
  • When there are significant changes in the organisation

A well-documented risk assessment not only ensures compliance but demonstrates your organisation's commitment to protecting patient information.

Article by

HIPAA Guidelines Editorial Team

The editorial team at HIPAA Guidelines researches and writes authoritative guides on HIPAA compliance, privacy regulations, and healthcare data protection.
