More Than a Compliance Checkbox
The HIPAA Security Rule requires covered entities and business associates to conduct a security risk assessment. Many organizations treat this as a paperwork exercise. That's a missed opportunity.
A thorough risk assessment doesn't just satisfy compliance — it reveals actual vulnerabilities in your environment, prioritizes where to spend your security budget, and gives you documentation that protects you if something goes wrong.
What a Good Risk Assessment Covers
Asset Inventory
You can't protect what you don't know about. Identify every system that creates, receives, maintains, or transmits ePHI.
Threat Identification
What could go wrong? Consider external threats (hackers, malware, ransomware), internal threats (accidental disclosure, malicious insiders), and environmental threats (natural disasters, power outages).
Vulnerability Assessment
Where are your weaknesses? This includes technical vulnerabilities (unpatched systems, misconfigurations), administrative gaps (missing policies, insufficient training), and physical security issues.
Risk Rating
For each threat-vulnerability pair, assess the likelihood and potential impact. This gives you a prioritized list of risks to address.
Current Controls
Document what protections you already have in place. This shows auditors what you're doing right and helps identify where existing controls need strengthening.
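The steps above (inventory, threats, vulnerabilities, rating, current controls) fit together as a risk register. The following Python sketch is an added illustration, not part of the original article or any HIPAA tool: it scores each threat-vulnerability pair on likelihood and impact, subtracts the effect of documented controls to get a residual score, and returns the prioritized list. The 1-5 scales, tier thresholds, control effects and sample entries are all assumptions constructed for this example.

```python
from dataclasses import dataclass, field

# Rating scales (assumed for this example): 1 = lowest, 5 = highest.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Control:
    name: str
    reduces: str  # "likelihood" or "impact"
    by: int       # points removed from that factor (floor is 1)


@dataclass
class Risk:
    asset: str            # from the asset inventory
    threat: str           # from threat identification
    vulnerability: str    # from the vulnerability assessment
    likelihood: str
    impact: str
    controls: list = field(default_factory=list)  # current controls

    def inherent(self) -> int:
        """Score before any control is credited."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual(self) -> int:
        """Score after documented controls reduce likelihood or impact."""
        lik, imp = LIKELIHOOD[self.likelihood], IMPACT[self.impact]
        for c in self.controls:
            if c.reduces == "likelihood":
                lik -= c.by
            else:
                imp -= c.by
        return max(lik, 1) * max(imp, 1)


def tier(score: int) -> str:
    # Thresholds are an assumption; tune them to your own rating scheme.
    return "High" if score >= 15 else "Medium" if score >= 8 else "Low"


def prioritize(risks):
    # Highest residual first; ties broken by inherent score, then asset name.
    return sorted(risks, key=lambda r: (-r.residual(), -r.inherent(), r.asset))


# Constructed sample register (not real findings).
REGISTER = [
    Risk("EHR database server", "ransomware", "unpatched OS", "likely", "severe",
         [Control("offline, tested backups", "impact", 2)]),
    Risk("clinician laptops", "device theft", "no full-disk encryption", "likely", "severe"),
    Risk("billing workstation", "malicious insider", "no access reviews", "possible", "moderate",
         [Control("quarterly access review", "likelihood", 1)]),
    Risk("on-prem file server", "power outage", "no UPS", "unlikely", "minor"),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{tier(r.residual()):6} residual={r.residual():2} inherent={r.inherent():2} "
              f"{r.asset}: {r.threat} via {r.vulnerability}")
```

Note that the unencrypted laptops outrank the ransomware-exposed server once the server's tested backups are credited, which is the point of documenting current controls before ranking.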
Common Findings
In our healthcare security assessments, we consistently find:
- Outdated or missing access reviews (former employees still have access)
- Inadequate audit logging (no way to detect unauthorized PHI access)
- Insufficient encryption (especially on portable devices and older systems)
- Weak backup and recovery procedures (backups exist but have never been tested)
- Missing or outdated incident response plans
The OCR Connection
The Office for Civil Rights (OCR) — HIPAA's enforcement arm — has made risk assessment a top enforcement priority. The most common finding in breach investigations is failure to conduct a thorough risk assessment.
Having a documented, current risk assessment shows OCR that you're taking security seriously. Not having one is almost an automatic finding.
How Often?
HIPAA doesn't specify a frequency, but annual assessments are considered best practice. You should also reassess when you make significant changes to your environment, adopt new technology, or experience a security incident.
Getting Started
You can start with OCR's free Security Risk Assessment Tool for smaller organizations. For a more thorough assessment that identifies real-world vulnerabilities and provides actionable remediation guidance, consider engaging a security consultant with healthcare experience.