A HIPAA security risk assessment is a structured evaluation of how your practice stores, transmits, and protects electronic protected health information (ePHI). It identifies vulnerabilities, evaluates threats, and produces a prioritized plan to close gaps before an auditor — or an attacker — finds them first.
It is also the single most violated HIPAA requirement in the country. In 2025, failure to conduct an adequate security risk analysis was cited in 18 of 22 OCR enforcement cases, accounting for $7.9 million in penalties. Not data breaches. Not ransomware. Not phishing. The most common violation is simply failing to look.
This guide walks you through the complete process in plain English. If you're a practice owner, office manager, or administrator at a small medical practice, you can start this today. No IT background required — just a willingness to document what you find honestly.
Important: Under the 2026 HIPAA Security Rule, risk assessments are no longer just annual exercises. You must update your assessment whenever significant changes occur — new EHR system, new office location, new vendor, new remote work policy. The assessment is a living document.
The 7-Step HIPAA Security Risk Assessment Process
Every HIPAA security risk analysis follows the same core framework, whether you're a solo practitioner or a 50-physician group. Here is the process broken into seven actionable steps.
Step 1: Define Scope and Boundaries
Before you can assess risk, you need to know exactly where ePHI exists in your practice. This means identifying every system, device, location, and person that creates, receives, stores, or transmits electronic patient data.
For a typical small practice, your inventory will include:
- EHR system — where clinical notes, diagnoses, and medications live
- Practice management software — scheduling, billing, patient demographics
- Email — especially if staff communicate patient information via email
- Patient portal — the web-facing system patients use to view records
- Workstations and laptops — every computer that accesses ePHI
- Mobile devices — phones or tablets used for clinical work
- Network equipment — routers, firewalls, Wi-Fi access points
- Cloud services — Google Workspace, Microsoft 365, cloud backup
- Paper records — yes, even physical files factor into your risk picture
- Third-party vendors — billing companies, IT support, clearinghouses
Pro tip: Walk through your office. Look at every screen, every closet with a server, every shared printer. Ask each staff member what systems they log into daily. The most dangerous gaps come from systems people forget to mention — the old laptop in storage, the personal phone checking email, the fax machine connected to a phone line.
Step 2: Identify Threats and Vulnerabilities
A threat is anything that could harm your ePHI — a hacker, a disgruntled employee, a hurricane, a stolen laptop. A vulnerability is a weakness that a threat could exploit — unpatched software, weak passwords, no backup system.
Common threats to small medical practices include:
- Phishing emails — the #1 attack vector, responsible for 70%+ of healthcare breaches
- Ransomware — encrypts your systems and demands payment to unlock them
- Insider threats — staff accessing records they shouldn't (curiosity, malice, or carelessness)
- Device theft or loss — laptops, phones, or USB drives with unencrypted ePHI
- Vendor compromise — a business associate gets breached and your data is exposed
- Natural disasters — flooding, fire, or power outage destroying systems
- Unpatched software — known vulnerabilities in outdated operating systems or applications
For each asset you identified in Step 1, ask: What threats apply to this? What vulnerabilities make it susceptible?
Step 3: Assess Current Security Controls
Now evaluate what protections you already have in place. For each threat-vulnerability pair, document what control (if any) currently mitigates it.
Controls fall into three categories:
- Administrative: Policies, training programs, access procedures, incident response plans
- Physical: Locked doors, security cameras, workstation positioning, device disposal
- Technical: Firewalls, encryption, MFA, antivirus, audit logging, automatic backups
Be honest. If a policy exists on paper but nobody follows it, that's not an effective control. If your backup system hasn't been tested in two years, note that. The point isn't to look good — it's to find the truth before OCR does.
Common finding: Many practices discover they have policies (administrative controls) but lack the technical implementation to enforce them. For example, a policy says "all ePHI must be encrypted" — but nobody has verified that encryption is actually enabled on all workstations and email systems. The policy alone doesn't satisfy HIPAA.
Step 4: Determine Likelihood and Impact
For every identified risk, assign two ratings:
- Likelihood: How probable is it that this threat will exploit this vulnerability? (High, Medium, or Low)
- Impact: If it happens, how severe would the damage be? (High, Medium, or Low)
Use a simple 3×3 likelihood-by-impact matrix. The cells that drive your deadlines are:
- High likelihood + High impact = Critical risk (address immediately)
- High likelihood + Medium impact = High risk (address within 30 days)
- Medium likelihood + Medium impact = Medium risk (address within 90 days)
- Low likelihood + Low impact = Low risk (monitor, address within 6 months)
Example: A phishing attack targeting front desk staff (high likelihood — it happens daily) that could expose the entire EHR (high impact — thousands of records) = Critical risk requiring immediate action.
Step 5: Calculate Risk Level and Prioritize
Compile all your findings into a risk register — a simple spreadsheet that lists every identified risk with its likelihood, impact, risk level, current controls, and whether it's acceptable or needs remediation.
Your risk register should have these columns:
- Asset / System
- Threat
- Vulnerability
- Current Control
- Likelihood (H/M/L)
- Impact (H/M/L)
- Risk Level (Critical/High/Medium/Low)
- Remediation Required (Yes/No)
- Priority Order
Sort by risk level. Critical risks go to the top. This becomes your action list.
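Steps 4 and 5 together, as an added example that is not from this guide: a small Python script that applies the matrix to each finding, computes a deadline from the assessment date, and sorts the register into priority order. The matrix cells the guide does not list, the 180-day reading of "within 6 months", and the sample findings are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

SCORE = {"H": 3, "M": 2, "L": 1}
# Windows from Step 4: Critical = now, High = 30 days, Medium = 90 days,
# Low = "within 6 months" (assumed here as 180 days).
WINDOW_DAYS = {"Critical": 0, "High": 30, "Medium": 90, "Low": 180}
RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

@dataclass
class Finding:
    asset: str
    threat: str
    vulnerability: str
    control: str
    likelihood: str  # H / M / L
    impact: str      # H / M / L

def risk_level(likelihood: str, impact: str) -> str:
    """Four cells match the guide; the other five are an assumption ranked by score product."""
    score = SCORE[likelihood] * SCORE[impact]
    if score == 9:
        return "Critical"
    if score == 6:
        return "High"
    return "Medium" if score >= 3 else "Low"

def build_register(findings: list[Finding], assessed_on: date) -> list[dict]:
    """Register rows sorted Critical first, numbered, each with a deadline."""
    rows = []
    for f in findings:
        level = risk_level(f.likelihood, f.impact)
        rows.append({"Asset / System": f.asset, "Threat": f.threat, "Vulnerability": f.vulnerability,
                     "Current Control": f.control, "Likelihood": f.likelihood, "Impact": f.impact,
                     "Risk Level": level,
                     # Step 7 requires a written plan for every High or Critical risk
                     "Remediation Required": "Yes" if RANK[level] <= 1 else "No",
                     "Deadline": str(assessed_on + timedelta(days=WINDOW_DAYS[level]))})
    rows.sort(key=lambda r: (RANK[r["Risk Level"]], r["Asset / System"]))
    for i, row in enumerate(rows, start=1):
        row["Priority Order"] = i
    return rows

# Constructed sample findings; the first is the guide's own phishing example.
SAMPLE = [
    Finding("EHR", "Phishing of front desk staff", "No MFA on EHR logins", "Annual training", "H", "H"),
    Finding("Laptops", "Device theft or loss", "Disk encryption unverified", "None", "M", "H"),
    Finding("Backups", "Ransomware", "Restore untested for two years", "Nightly cloud backup", "M", "M"),
    Finding("Paper records", "Fire", "Charts stored on site only", "Locked file room", "L", "H"),
]
ASSESSED_ON = date(2026, 1, 15)  # constructed assessment date for the sample
```

Feed the returned rows to `csv.DictWriter` to produce the spreadsheet the guide describes; the column names match the list above.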
Step 6: Document Everything
This is where most small practices fail — and where OCR fines accumulate. You must produce a written report that documents the entire process. Not sticky notes. Not an email thread. A formal document that an auditor could review.
Your documentation should include:
- Date of the assessment and who conducted it
- Scope — what systems, locations, and people were included
- Methodology — how you identified threats and rated risks
- Asset inventory with data flow diagrams
- Complete risk register with all findings
- Current control evaluation for each risk
- Remediation plan with timelines and responsible parties
- Signature of the practice owner or designated security officer
How long should it be? For a small practice (1–10 physicians), a thorough security risk assessment typically produces a 15–30 page document. Don't over-engineer it — clarity matters more than length. But it cannot be a one-page checkbox form. OCR has specifically rejected those in enforcement actions.
Step 7: Create and Execute a Remediation Plan
The assessment identifies problems. The remediation plan fixes them. Without this step, your risk assessment is just an expensive exercise in documenting your own non-compliance.
For every risk rated High or Critical, your plan should specify:
- What needs to happen — the specific action (e.g., "Enable MFA on all EHR accounts")
- Who is responsible — a named person, not "the team"
- Deadline — a specific date, not "when possible"
- Resources needed — budget, vendor involvement, staff training
- Verification method — how you'll confirm the fix is in place
Track progress monthly. When gaps are closed, document the completion date and verification. This creates an audit trail showing continuous improvement — exactly what OCR wants to see.
How Often Must You Conduct a HIPAA Risk Assessment?
HIPAA requires risk assessments to be conducted regularly — which OCR interprets as at least annually. However, you must also update the assessment when:
- You adopt a new EHR or major clinical system
- You add a new office location or go hybrid/remote
- You experience a security incident or near-miss
- You add a new business associate or vendor
- Regulations change (as they did in 2026)
- Your practice merges, acquires, or significantly grows
Can You Do This Yourself or Do You Need Help?
Technically, yes — a practice owner or administrator can conduct their own security risk assessment. HHS even provides a free tool (the Security Risk Assessment Tool) to guide you through it.
However, there are good reasons to involve an outside expert:
- Objectivity: It's hard to honestly assess your own blind spots
- Technical depth: Evaluating encryption, network segmentation, and access controls requires IT expertise
- Documentation quality: A professionally produced report is more defensible in an audit
- Remediation support: The same expert who identifies the gap can help close it
For medical practices in Northern Virginia, JPert INC conducts HIPAA security risk assessments as part of our managed compliance program. We handle the technical evaluation, produce audit-ready documentation, and execute the remediation plan — so your practice stays compliant without adding IT work to your team's plate.
Free starting point: JPert offers a no-cost initial assessment that identifies your practice's most critical compliance gaps. It's not a sales pitch — it's a 30-minute technical review that shows you exactly where you stand. Book one here.
The Bottom Line
A HIPAA security risk assessment is not optional. It is not a one-time event. And it is not something you can fake with a downloaded template and a few checkboxes. It's the foundation of your entire compliance program — and it's the first thing OCR asks for when they investigate.
Eighteen of twenty-two enforcement actions in 2025 cited this exact failure. The practices that were fined didn't necessarily have bad security. They just never formally looked at, documented, and addressed their risks. Don't make that mistake.
Start with Step 1 today. Walk your office. List your systems. Write it down. The rest follows from there.