The HIPAA Security Rule mandates that all covered entities must conduct and document a comprehensive risk assessment. This guide details the specific requirements, regulatory references, and what the Office for Civil Rights (OCR) expects to see during audits and investigations.
Legal Basis for Risk Assessment Requirements
45 CFR § 164.308(a)(1)(ii)(A): "Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [covered entity]."
This regulatory requirement is found in the Administrative Safeguards section of the HIPAA Security Rule. It applies to:
- All covered entities (hospitals, clinics, physician practices, etc.)
- All business associates with access to ePHI
- All entities handling protected health information in electronic form
Core Requirements Explained
1. Accuracy Requirement
Your risk assessment must be accurate—meaning it must correctly identify actual risks in your specific environment. This requires:
- Fact-based identification of threats and vulnerabilities
- Documentation of your specific systems and processes (not generic examples)
- Honest evaluation of current controls and their effectiveness
- Realistic likelihood and impact assessments
- No minimizing or overlooking known risks
The OCR frequently cites organizations for inaccurate assessments that fail to identify known vulnerabilities or overstate the effectiveness of existing controls.
2. Thoroughness Requirement
Your assessment must be thorough—covering all systems, processes, and locations handling PHI:
- All information systems and applications
- All physical locations storing PHI
- All workforce members with PHI access
- All business associates and vendors
- Cloud services and off-site storage
- Telehealth and remote access systems
- Mobile devices with PHI access
Limited-scope assessments that exclude certain systems are considered insufficient, even if those systems handle only a portion of PHI.
3. Assessment of Three Security Dimensions
Risk assessment must evaluate threats to:
| Dimension | Definition | Examples of Threats |
| --- | --- | --- |
| Confidentiality | Protecting PHI from unauthorized access or disclosure | Hacking, insider threats, data theft, ransomware |
| Integrity | Ensuring PHI remains accurate, complete, and unaltered | Malware, malicious insiders, unauthorized modifications |
| Availability | Ensuring PHI is accessible and usable when needed | System outages, ransomware, natural disasters, DDoS |
Documentation Requirements
HIPAA does not specify a required format, but your documentation must include evidence of:
Methodology Documentation
- Description of your risk assessment process and approach
- Definitions of threat categories and risk levels used
- Calculation methods for risk ratings
- Tools or frameworks used (NIST, ISO 27001, etc.)
- Scope definition (what systems/areas included)
System and Asset Inventory
- Complete list of systems handling PHI
- System descriptions, vendors, versions
- Data flows and interconnections
- Physical locations with PHI storage
- Workforce access and business associate relationships
Threat and Vulnerability Identification
- Identified threats specific to healthcare and your systems
- Identified vulnerabilities with supporting evidence
- Current controls and their effectiveness ratings
- Gaps where controls are missing or inadequate
Risk Analysis and Prioritization
- Risk assessments for identified threat-vulnerability combinations
- Risk rating calculations and justifications
- Prioritization of risks for remediation
- Timeline estimates for addressing risks
Sign-Off and Approval
- Dated document with version control
- Approval by security officer or compliance officer
- Board-level awareness or approval (for some organizations)
- Evidence of periodic review and updates
Frequency Requirements
Annual Requirement
HIPAA requires risk assessment at least annually. This means:
- Formal, comprehensive assessment conducted within every 12-month period
- Assessment should be updated to reflect current system status
- Prior year's assessment serves as baseline for updates
- Documentation should show assessment date and next scheduled assessment
Additional Assessment Triggers
Beyond annual requirements, assess risk when:
- Major system changes or upgrades occur
- New applications or vendors are added
- Significant workflow or process changes happen
- Security incidents or breaches occur
- New vulnerabilities or threats emerge
- Business associate relationships change
- Regulatory guidance or requirements change
Specific Risk Assessment Components
Business Associate Risk Assessment
Your risk assessment must address risks created by business associates and vendors:
- Identify all entities with PHI access
- Evaluate their security controls and capabilities
- Assess likelihood of PHI compromise through each business associate
- Verify business associate agreements require comparable security
- Monitor business associate compliance
Encryption and Transmission Risk Assessment
Evaluate risks related to data in transit and at rest:
- Identify all locations where PHI is transmitted or stored
- Assess encryption status (in transit and at rest)
- Evaluate key management procedures
- Consider whether encryption is technically feasible and reasonable
Note: HIPAA considers encryption a reasonable and appropriate safeguard for PHI both in transit and at rest.
Workforce Security Risk Assessment
- Access authorization procedures and effectiveness
- Background check practices
- User ID and password policies
- Access termination procedures
- Training and awareness program effectiveness
Ensure Compliance with Regulatory Requirements
The OCR increasingly cites organizations for inadequate, incomplete, or inaccurate risk assessments. Medcurity's risk assessment solution ensures you meet all regulatory requirements with comprehensive documentation suitable for OCR audits and breach investigations.
OCR Expectations and Audit Findings
Based on OCR enforcement actions and audit reports, OCR expects:
- Documented process: Written description of how assessments are conducted
- Comprehensive scope: All systems and locations must be included
- Realistic findings: The assessment must already have identified the vulnerabilities that OCR later finds during an enforcement investigation
- Specific vulnerabilities: Assessment must address actual weaknesses in your systems, not generic examples
- Risk-based prioritization: Remediation efforts should align with identified risk levels
- Ongoing updates: Assessment documents should reflect current system status
- Mitigation tracking: Evidence that identified risks are being actively managed
Common Compliance Failures
Insufficient Scope
Assessments that exclude certain systems or only review a portion of the organization often fail audit scrutiny.
Inaccurate or Incomplete Findings
Assessments that fail to identify vulnerabilities later discovered during incidents show the assessment was inadequate.
No Evidence of Remediation
Identified risks without documented remediation efforts, timelines, or evidence of implementation show risk management gaps.
Outdated Documentation
Assessments that don't reflect system changes, new vulnerabilities, or updated controls become stale and unreliable.
Frequently Asked Questions
Q: What if our risk assessment identifies risks we can't immediately fix?
HIPAA doesn't require elimination of all risks immediately. It requires documented risk management. For any identified risk you cannot immediately remediate, document: (1) why immediate remediation isn't feasible, (2) interim protective measures being implemented, (3) timeline for permanent remediation, and (4) responsible parties. This demonstrates compliance with the risk management requirement.
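As an added illustration (not part of the original guide, and not Medcurity's tooling), a small Python risk register that applies the rules described above: a likelihood × impact rating (an assumed 1-5 scale; the page does not mandate a method), prioritization by rating, the 12-month staleness check from the Frequency section, and the four items this FAQ lists for any risk that cannot be fixed immediately. Asset names, threats and scores are constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

DIMENSIONS = {"confidentiality", "integrity", "availability"}  # the Rule's three dimensions
# The four items the FAQ says to document for a risk you cannot fix right away.
DEFERRAL_FIELDS = ("why_not_feasible", "interim_measures", "target_date", "owner")


@dataclass
class Risk:
    system: str                       # asset from the system inventory (constructed)
    dimension: str                    # confidentiality / integrity / availability
    threat: str
    likelihood: int                   # 1 (rare) .. 5 (almost certain)  [assumed scale]
    impact: int                       # 1 (negligible) .. 5 (severe)    [assumed scale]
    remediated: bool = False
    deferral: dict = field(default_factory=dict)

    def rating(self) -> int:
        """Likelihood x impact: one common rating method (assumed, not mandated)."""
        return self.likelihood * self.impact


def prioritize(risks):
    """Order risks by rating, highest first, to drive remediation priority."""
    return sorted(risks, key=lambda r: r.rating(), reverse=True)


def findings(risks, assessed_on: str, today: str):
    """Return the documentation gaps an OCR reviewer would flag (ISO dates)."""
    issues = []
    if date.fromisoformat(today) - date.fromisoformat(assessed_on) > timedelta(days=365):
        issues.append("assessment older than 12 months")
    for r in risks:
        if r.dimension not in DIMENSIONS:
            issues.append(f"{r.system}: unknown dimension {r.dimension!r}")
        if not r.remediated:   # an open risk needs all four deferral items documented
            missing = [f for f in DEFERRAL_FIELDS if not r.deferral.get(f)]
            if missing:
                issues.append(f"{r.system}/{r.threat}: open risk missing {missing}")
    return issues


# Constructed sample register; not real findings from any organization.
SAMPLE = [
    Risk("EHR server", "availability", "ransomware", 4, 5, deferral={
        "why_not_feasible": "offline backup vault not yet procured",
        "interim_measures": "nightly immutable cloud snapshot",
        "target_date": "2025-03-31", "owner": "IT director"}),
    Risk("Billing laptop", "confidentiality", "lost device, disk not encrypted", 3, 4),
    Risk("Telehealth portal", "integrity", "unauthorized record edits", 2, 3, remediated=True),
]
```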
Q: Can we hire an external consultant to conduct our risk assessment?
Yes, many organizations use external auditors or consultants. However, you remain responsible for the accuracy and completeness of the assessment. Internal staff should review and approve the consultant's findings before finalizing. The consultant's methodology and findings become your organization's official documentation.
Q: What documentation should we keep for audit purposes?
Keep all versions of your risk assessment documents, including dated versions from each assessment cycle. Also maintain evidence of: threat identification process, vulnerability scans or assessments, documentation of current controls, remediation plans, sign-offs, and evidence of remediation implementation. Typically keep for 6 years minimum.
Q: Does HIPAA specify a particular risk assessment tool or framework?
No, HIPAA is methodology-agnostic. You can use NIST, ISO 27001, or any systematic approach as long as it accurately and thoroughly assesses risks. The OCR cares about the quality and completeness of your assessment, not which framework you use.