4 Steps to a Successful HIPAA Security Risk Assessment

There is a 75.6% chance of a breach of at least five million healthcare patient records in the next year. 

This is especially problematic for small healthcare organizations; 20% of small practices have experienced a breach, and 75% of breaches reported to the HHS were hacking or IT incidents. 

Mitigating the chances of a security breach is more important than ever, and successfully completing a periodic HIPAA Security Risk Assessment (SRA) is a crucial component of effective compliance and risk management. 

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) requires covered entities to conduct periodic risk assessments to identify security risks, vulnerabilities, and threats to PHI. 

If you don’t know where to start, following a HIPAA security risk assessment checklist is a great way to tackle compliance and systematically plan, organize, and prioritize your efforts, identify security gaps, and abide by OCR requirements. 

Read on for a HIPAA security risk assessment checklist with 4 actionable steps to make your SRA process smooth and effective.

Step 1: Inventory Your Data and Security Measures 

The first step in conducting a HIPAA security risk assessment is to inventory your data. This includes assessing the amount of protected health information (PHI) you have, such as patient names, addresses, birthdates, medical history, and Social Security numbers.

You’ll also want to determine where sensitive data is stored, who has access to it, and how it has been used in the past. The goal is to understand exactly what your organization holds so you can determine its value and its potential risks. Once you identify all your data, make sure to document your findings properly.

Step 2: Identify Threats and Vulnerabilities 

The next step in completing your HIPAA security risk assessment is to identify threats and vulnerabilities that might be facing your data. A threat is an event that could occur, such as a security breach, while a vulnerability is a weakness in the system that a threat could exploit. Data breaches, ransomware attacks, phishing attacks, and similar events are all considered threats. Identifying both threats and vulnerabilities will help you paint a complete security picture.

Identifying potential risks goes hand in hand with assessing current security measures used to protect data and determining whether these measures are effective. Always document your findings so there’s a clear list of all the processes and policies in place.

Step 3: Determine the Potential Impact of Threats 

An essential step in the risk assessment process is determining the potential impact of a threat. The effect can often be financial and harmful to patients, employees, or the public. Information security threats are often linked with other risks, such as privacy and confidentiality; therefore, you should consider these when determining your organization’s risk profile.

When conducting your risk assessment, think about all aspects of your company, including its: 

  • Structure, mission statement, and culture 
  • Personnel roles and annual training for employees 
  • Physical location and facilities 
  • Technology used by staff members 
  • Systems that store data electronically 
  • Relationships with vendors who provide services such as email hosting 

After collecting this information, use it to determine how each factor contributes toward improving information security practices within the organization overall. 

It’s also imperative to determine the likelihood of potential threats and vulnerabilities impacting your organization and their risk levels (often done by assigning a numeric value). The higher the risk level, the greater the threat’s impact and the likelihood that it will occur.

Using information such as the frequency of the risk occurring in the past, the scope of the risk’s potential impact, and how likely it is to occur based on historical data in the industry and your organization, you can formulate an idea of what a threat might mean. As always, these findings should be documented and discussed.

Step 4: Discuss Findings & Prepare to Repeat 

Once your findings are documented, your team should discuss the results and develop clear, actionable next steps to mitigate threats. These processes and procedures for mitigation likely won’t be a magic bullet, but having measures in place to maintain effective HIPAA compliance is a necessity.

Although that’s the last step of the HIPAA Security Risk Assessment checklist, the risk assessment process is ongoing. It’s important to note that the checklist alone is not enough to achieve compliance. The HIPAA Security Risk Assessment is a dynamic document that must be updated regularly, and it ensures that compliance regulations are met. It will change as your organization changes, so it’s essential to review the risk assessment results periodically and make any necessary updates.  

As the data landscape continues to shift, it’s necessary to keep up with these changes to avoid any new threats and vulnerabilities within your systems and identify newly introduced security measures to incorporate into your strategy. By regularly updating your assessment process, you can make sure that you’re aware of these potential issues and can prioritize them accordingly.


Risk assessments are essential for ensuring compliance with the HIPAA Security Rule because they help identify potential security risks in your organization and point you toward ways to mitigate them. By following this HIPAA Security Risk Assessment checklist, you’re one step closer to achieving full compliance.

Consider enlisting the help of a HIPAA expert when conducting your risk assessment, as they can provide their expertise in conducting a comprehensive assessment, interpreting the results, and creating an action plan.

If you want to learn more about effectively conducting a HIPAA security risk assessment, get in touch with the experts at HIPAA One by Intraprise Health.