How to Conduct a HIPAA Risk Assessment for Your Medical Practice
The HIPAA Security Risk Assessment is a required annual activity that most small practices skip or do inadequately. Here's a step-by-step guide to conducting one correctly.
The HIPAA Security Risk Assessment (SRA) is the single most important compliance activity your practice must perform. It is required annually by the HIPAA Security Rule, and it is the most commonly cited deficiency in HIPAA enforcement actions. This guide walks you through how to do one correctly.
Step 1: Scope Your ePHI Environment
Create a complete inventory of every system, device, and location where ePHI is created, received, maintained, or transmitted:
- EHR platform and servers (on-premise or cloud)
- Practice management and billing system
- Digital imaging systems (X-ray, ultrasound)
- Email system
- Fax systems (physical or electronic)
- Clinical workstations and laptops
- Mobile devices used for clinical purposes
- Cloud storage services used for any PHI
- Remote access solutions
Step 2: Identify Threats and Vulnerabilities
Environmental and Physical Threats
- Fire, flood, or natural disaster
- Theft of laptops, mobile devices, or portable media
- Unauthorized physical access to server rooms or workstations
Human Threats
- Malicious insider (employee intentionally misusing PHI access)
- Negligent insider (employee accidentally exposing PHI)
- External attacker (ransomware, phishing, brute force)
Technical Threats
- Unpatched software vulnerabilities
- Misconfigured access controls
- Inadequate encryption on data in transit or at rest
Step 3: Assess Current Controls
For each identified threat-vulnerability combination, document what controls are currently in place: technical controls (encryption, MFA, firewalls, audit logging), administrative controls (policies, training), and physical controls (locks, cameras, visitor logs).
Step 4: Rate the Risk
- High likelihood + High impact = High Risk — address immediately
- High likelihood + Low impact = Medium Risk — address in near term
- Low likelihood + High impact = Medium Risk — address in near term
- Low likelihood + Low impact = Low Risk — monitor
Documentation requirement: The HIPAA Security Rule does not specify a format for the SRA, but requires that the assessment be documented. Keep your completed SRA as a formal record with date, methodology, scope, findings, and risk ratings.
Step 5: Build Your Risk Management Plan
Your Risk Management Plan (RMP) documents what actions you will take to reduce each risk to an acceptable level, who is responsible, and by when. High-risk items: 30–60 day remediation targets. Medium-risk items: 90–180 days.
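The five steps above can be carried as a single structured record. Below is an added example (not from this article, and not any particular practice's or vendor's tool) that models a Step 1 inventory, a Step 2/3 register of threat-vulnerability pairs with their existing controls, applies the Step 4 rating matrix exactly as stated above, and generates Step 5 Risk Management Plan entries using the 30–60 and 90–180 day windows. The asset names, threats, owners, and the assessment date are constructed sample values; the two helper checks at the end flag the first two "common mistakes" listed later on the page (assets inventoried but never assessed, and every risk rated Low).

```python
"""HIPAA SRA risk register and Risk Management Plan builder (added illustration).

Assumptions taken from the article's own rules:
  High likelihood + High impact -> High   (remediate within 30-60 days)
  High/Low or Low/High          -> Medium (remediate within 90-180 days)
  Low likelihood + Low impact   -> Low    (monitor; no remediation deadline)
All asset, threat, and owner values below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class Level(Enum):
    LOW = "Low"
    HIGH = "High"


class Rating(Enum):
    LOW = "Low"
    MEDIUM = "Medium"
    HIGH = "High"


def rate_risk(likelihood: Level, impact: Level) -> Rating:
    """Step 4 matrix: only High/High is High, only Low/Low is Low, the rest Medium."""
    if likelihood is Level.HIGH and impact is Level.HIGH:
        return Rating.HIGH
    if likelihood is Level.LOW and impact is Level.LOW:
        return Rating.LOW
    return Rating.MEDIUM


# Step 5 remediation windows in days; Low-rated items are monitored, not scheduled.
REMEDIATION_WINDOW_DAYS = {Rating.HIGH: (30, 60), Rating.MEDIUM: (90, 180)}


@dataclass(frozen=True)
class RiskItem:
    """One threat-vulnerability pair against one inventoried asset (Steps 2 and 3)."""
    asset: str
    threat: str
    vulnerability: str
    existing_controls: tuple  # technical, administrative, or physical controls already in place
    likelihood: Level
    impact: Level
    owner: str

    @property
    def rating(self) -> Rating:
        return rate_risk(self.likelihood, self.impact)


def build_rmp(register, assessed_on):
    """Step 5: turn the rated register into RMP entries (action, owner, dates), highest risk first."""
    order = {Rating.HIGH: 0, Rating.MEDIUM: 1, Rating.LOW: 2}
    plan = []
    for item in sorted(register, key=lambda r: order[r.rating]):
        entry = {
            "asset": item.asset,
            "threat": item.threat,
            "rating": item.rating.value,
            "owner": item.owner,
            "controls_in_place": list(item.existing_controls),
        }
        window = REMEDIATION_WINDOW_DAYS.get(item.rating)
        if window is None:
            entry.update(action="Monitor", target_start=None, due=None)
        else:
            earliest, latest = window
            entry.update(action="Remediate",
                         target_start=assessed_on + timedelta(days=earliest),
                         due=assessed_on + timedelta(days=latest))
        plan.append(entry)
    return plan


def scope_gaps(inventory, register):
    """Common mistake 1: assets listed in the Step 1 inventory but never assessed in Step 2."""
    assessed = {item.asset for item in register}
    return [asset for asset in inventory if asset not in assessed]


def all_rated_low(register):
    """Common mistake 2: every risk rated Low suggests no substantive analysis was done."""
    return bool(register) and all(item.rating is Rating.LOW for item in register)


# Constructed sample inventory (Step 1) and register; not a real practice's data.
SAMPLE_INVENTORY = ["EHR (cloud)", "Billing system", "Clinical laptops",
                    "Fax server", "Staff mobile devices"]

SAMPLE_REGISTER = [
    RiskItem("Clinical laptops", "Theft of laptop", "Full-disk encryption not enforced",
             ("Cable locks",), Level.HIGH, Level.HIGH, "IT lead"),
    RiskItem("EHR (cloud)", "Negligent insider", "Shared login on one nurse station",
             ("Annual training",), Level.HIGH, Level.LOW, "Practice manager"),
    RiskItem("Fax server", "Fire or flood", "No offsite copy of received faxes",
             ("Smoke detectors",), Level.LOW, Level.HIGH, "Office manager"),
    RiskItem("Billing system", "Unauthorized physical access", "Screen visible from waiting area",
             ("Privacy screen", "Auto-lock after 5 minutes"), Level.LOW, Level.LOW, "Front desk lead"),
]

if __name__ == "__main__":
    for entry in build_rmp(SAMPLE_REGISTER, date(2027, 1, 4)):
        print(entry)
    print("Unassessed assets:", scope_gaps(SAMPLE_INVENTORY, SAMPLE_REGISTER))
    print("Everything rated Low?", all_rated_low(SAMPLE_REGISTER))
```

Run as-is, the register produces one High item due 60 days after the assessment date, two Medium items due in 180 days, and one Low item marked "Monitor"; the scope check reports "Staff mobile devices" as inventoried but never assessed, which is exactly the gap the "common mistakes" list warns about. Keeping the assessment date, methodology, and scope alongside the register in a saved file is what makes the SRA a documented record rather than a checklist.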
Common SRA Mistakes to Avoid
- Scoping only IT systems and forgetting fax machines and mobile devices
- Assigning every risk a "low" rating without substantive analysis
- Completing the SRA but never building a Risk Management Plan
- Treating the SRA as a one-time project rather than an annual requirement
- Using a free tool that produces a checklist but not a documented risk assessment
Stay audit-ready without the headache.
AuditVault automates HIPAA documentation, OIG exclusion screening, and compliance risk tracking for small and mid-size medical practices. Launching January 2028.