Most healthcare organizations know a Health Insurance Portability and Accountability Act (HIPAA) security risk assessment is required, but knowing it is required is very different from knowing where to start. This article walks you through a practical, structured HIPAA security compliance checklist covering every required safeguard category. You will also find a ready-to-use template to document your findings and clear guidance on what to do once your assessment is complete.

What is a HIPAA Security Risk Assessment?

A HIPAA security risk assessment is a required process under the HIPAA Security Rule in which covered entities and business associates systematically identify, assess, and document potential risks to the confidentiality, integrity, and availability of electronic protected health information (ePHI). It is an ongoing requirement that must be revisited whenever there are significant changes to your systems, operations, or workforce.

The Office for Civil Rights (OCR) treats the risk assessment as foundational to any HIPAA compliance program. Failure to complete one is among the most frequently cited causes of HIPAA violations and enforcement actions. In fact, OCR has made this requirement an explicit enforcement priority. In October 2024, it launched a dedicated Risk Analysis Initiative, and by February 2026, it had announced its 11th and 12th enforcement actions under that program. An earlier OCR audit found that only 14 percent of covered entities were substantially meeting their risk analysis obligations.

If your last assessment is outdated or undocumented, this is the right place to start.

Who Is Required to Conduct a Security Risk Assessment?

All HIPAA-covered entities and business associates are required to conduct a security risk assessment, regardless of size. There are no exemptions for small practices. A solo provider faces the same legal obligation as a large health system.

Covered entities include:

Healthcare providers that transmit health information electronically, including physicians, dentists, therapists, and hospitals

Health plans, such as insurers and employer-sponsored health plans

Healthcare clearinghouses that process non-standard health information into standard formats

Business associates are vendors or third-party partners that access, store, or transmit ePHI on behalf of a covered entity. Billing companies, IT service providers, cloud storage vendors, and practice management platforms are common examples.

The stakes are substantial regardless of organization size. Large healthcare data breaches have plateaued at roughly two reported breaches per day, about twice the rate seen in 2018.

With the right structure in place, the assessment is manageable for organizations of any size.

HIPAA Security Risk Assessment Checklist

The sections below walk through every major area a compliant HIPAA security risk assessment must cover. Each requirement is explained in simple terms, so you can work through your organization’s current state without needing a technical background or a compliance degree. Start at step one and work your way through.

1. Identify and Inventory All ePHI

The first step is creating a complete inventory of every location where ePHI is created, received, stored, or transmitted. That includes electronic health records systems, cloud storage, email, portable devices, mobile applications, and any third-party platforms that handle patient data on your behalf.

Think of this as a data mapping exercise. Ask yourself: where does our patient data live, and how does it move through our organization? The answers to those questions form the foundation for everything that follows in the assessment.

2. Assess Your Administrative Safeguards

Administrative safeguards are the policies, procedures, and management practices that govern how your organization protects ePHI. Evaluate each area as a practical checklist question you can answer with yes, no, or in progress:

  • Do you have a documented security management process?
  • Have you designated a security officer responsible for developing and implementing your security policies?
  • Is workforce training in place, and are access permissions managed based on job role?
  • Do you conduct periodic security evaluations?

Gaps in administrative safeguards most often stem from missing policies, insufficient training, or the absence of a designated compliance owner. These are among the most correctable issues with the right support in place.

3. Review Your Physical Safeguards

Physical safeguards govern how your organization controls physical access to the systems and devices that store or process ePHI. Walk through each requirement and assess your current state:

  • Are facility access controls in place to limit entry to areas where ePHI is stored or accessed?
  • Do you have documented workstation use and security policies that define how employees access patient data?
  • Are device and media controls documented, including procedures for properly disposing of or reusing hardware that stores ePHI?

Keep in mind that physical safeguards extend beyond your main office. If employees access ePHI from home or use portable devices on the go, those environments are subject to the same requirements.

4. Audit Your Technical Safeguards

Technical safeguards are the technology-based controls that protect ePHI. Four areas must be assessed:

  • Access controls: Only authorized individuals can log in to systems that contain ePHI
  • Audit controls: Systems record and examine activity within applications that house ePHI
  • Integrity controls: ePHI is protected from being improperly altered or destroyed
  • Transmission security: Patient data is encrypted when transmitted electronically

These requirements may sound technical, but the core question for each is straightforward: do you have this control in place, and can you prove it? Documenting your current technical controls, along with any identified gaps, is just as important as having those controls.

5. Identify Threats and Vulnerabilities

A compliant risk assessment requires identifying all reasonably anticipated threats to ePHI. Common examples include ransomware attacks, phishing attempts, unauthorized access, hardware failure, and natural disasters. Vulnerabilities are the weaknesses in your current systems or processes that could allow those threats to cause real harm.

Consider both internal risks, such as human error and weak passwords, and external risks, such as cyberattacks and physical theft. You do not need a cybersecurity background to complete this step. The goal is to think carefully and honestly about where your organization is exposed.

6. Evaluate Your Existing Security Controls

Before you can identify your gaps, you need to assess what you already have in place. Review your current security controls, including:

  • Data encryption policies
  • User access policies and authentication requirements
  • Staff training programs
  • Incident response procedures

The goal is to determine whether these existing controls adequately reduce the threats and vulnerabilities you identified. Treat this as a gap analysis: what is working, what is only partially in place, and what is missing entirely? Document your findings at this stage.

7. Assign Risk Levels to Each Gap

Once you have identified your gaps, prioritize them by assigning a risk level of high, medium, or low to each. That rating is based on two factors: the likelihood that the threat will occur and the potential impact it would have on ePHI.

For example, if a portable device that regularly transmits patient data lacks encryption, that gap likely qualifies as high likelihood and high impact, making it a high-priority remediation item. A policy gap affecting a rarely used internal system might rate low on both counts.

This step is what turns a list of findings into an actionable plan. A straightforward risk matrix approach works well and does not require specialized tools or formulas.

HIPAA Security Risk Assessment Template

A checklist tells you what to look for. A template helps you document what you found, and that documentation makes your risk assessment defensible.

Use this template to document each risk identified during your HIPAA security risk assessment. The first three rows are filled in as examples. Replace them with your own findings, and add rows as needed.

Having this documentation in order matters not just for internal management but also for demonstrating your compliance efforts to auditors, insurers, and regulators. If you face an OCR investigation or a contract review by a health system partner, this documentation is what you will rely on.

Take the Guesswork out of HIPAA Compliance.

Save time and protect your business. Learn how today!

Global CTA Monitor

How to Document and Evaluate Your Findings

When completing each field in the template, specificity is what matters:

  • Risk description: Name the specific system, process, or policy that is affected. Vague entries like “security issue” are not useful during an audit.
  • Likelihood rating: Use a simple scale (low, medium, or high) based on how probable it is that this risk could materialize in your current environment.
  • Impact rating: Rate the potential harm if the risk were to occur, factoring in the sensitivity of the ePHI involved and the scale of potential exposure.
  • Existing controls: Document what you currently have in place honestly. Partial controls count, but note that they are incomplete.
  • Remediation action: Write a specific, assignable next step with a responsible party and a target date attached. A vague action item will not get done.

Documentation quality matters. A vague or incomplete risk assessment cannot adequately demonstrate compliance during an audit.

Steps to Take After Your Risk Assessment

Completing the risk assessment is only the beginning. HIPAA requires you to act on what you find, not simply document it. Here is how to move forward:

  1. Prioritize remediation based on assigned risk levels. Start with high-risk items. Do not wait until every gap is resolved before acting on the most critical ones.
  2. Update or create security policies and procedures that address the specific gaps your assessment identified. Missing or outdated policies are among the most common and correctable findings.
  3. Train staff on any changes or new requirements. Policy updates only reduce risk if your workforce understands what is expected of them.
  4. Assign ownership to each remediation item. Every action needs a responsible party and a deadline. Unassigned tasks tend to stay incomplete.
  5. Schedule a follow-up review to track progress and confirm that corrective actions have been implemented.

HIPAA requires ongoing risk management, not a single completed assessment. You must reassess whenever there is a significant change to your systems, workforce, facilities, or business relationships. Throughout this entire process, document every action you take. The documentation that proves what you did protects your organization during an audit or investigation.

How Compliancy Group Simplifies the Process

Staying on top of HIPAA security risk assessment requirements takes time and expertise that most practice owners and compliance managers cannot afford to dedicate solely to this task. Compliancy Group, along with HIPAA risk assessment software like The Guard, is built to handle exactly that.

The Guard walks users through every required element of the risk assessment using a step-by-step workflow, automatically generates documentation, and supports a continuous compliance program rather than a one-time effort. Compliancy Group’s compliance experts are available to provide personalized guidance, removing the burden from teams that do not have in-house HIPAA expertise. The Guard also helps organizations track remediation progress, manage security policies, and maintain a defensible compliance record year-round.

Request a demo to see how Compliancy Group can take the guesswork out of HIPAA compliance.