HIPAA Risk Assessment Guide for Medical Practices

Every covered healthcare practice is required to conduct a HIPAA risk assessment — yet it's one of the most commonly skipped or improperly completed requirements the Office for Civil Rights (OCR) finds during audits. If your medical practice hasn't done a formal risk assessment recently, or if you did one years ago and never updated it, this guide walks you through exactly what's required and how to do it right.

What Is a HIPAA Risk Assessment?

A HIPAA risk assessment (also called a risk analysis) is a systematic review of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) in your practice. It's required by the HIPAA Security Rule (45 CFR § 164.308(a)(1)).

The purpose isn't to fill out a form and file it away. It's to identify where your patient data might be at risk — so you can take action to reduce that risk.

Important: a risk assessment is not the same as a HIPAA compliance checklist. A checklist tells you what policies to have. A risk assessment tells you where your specific practice is vulnerable and how serious each vulnerability is.

Who Needs to Conduct a Risk Assessment?

All HIPAA covered entities are required to perform risk assessments. That includes:

  • Medical clinics and physician practices (any size)
  • Dental offices
  • Mental health and therapy practices
  • Pharmacies
  • Optometry and vision clinics
  • Chiropractors, physical therapists, and other ancillary providers

Business associates — vendors who handle ePHI on your behalf — are also required to conduct their own risk assessments.

How Often Do You Need to Do a Risk Assessment?

The HIPAA Security Rule doesn't specify a frequency, but it requires that the risk assessment be kept "current." In practice, OCR expects you to:

  • Complete an initial risk assessment when you first handle ePHI
  • Update it whenever you experience a significant change — new software, new staff roles, new locations, new equipment, or a security incident
  • Review it at least annually as a matter of best practice

A risk assessment done three years ago that hasn't been touched since will not satisfy an auditor if your practice has added telehealth visits, changed EHR systems, or moved to a new building.

Step-by-Step: How to Conduct a HIPAA Risk Assessment

Step 1: Define the Scope

Start by identifying what you're assessing. This means mapping out all the places where ePHI lives in your practice:

  • Electronic health record (EHR) system
  • Practice management and billing software
  • Email (if used to communicate with patients or other providers)
  • Text messaging apps used for patient communication
  • Cloud storage (Google Drive, Dropbox, OneDrive, etc.)
  • Workstations, laptops, and tablets
  • Mobile phones used by clinical staff
  • Medical devices that store or transmit data (digital X-ray systems, diagnostic equipment)
  • Paper records that are scanned or photographed

This inventory is the foundation of your entire assessment. You can't assess risks to data you don't know you have.

Step 2: Identify Threats and Vulnerabilities

For each system or location where ePHI lives, identify what could go wrong. Think in terms of:

Technical threats:

  • Ransomware or malware infection
  • Unauthorized access due to weak passwords
  • Unencrypted data on lost or stolen devices
  • Outdated software with unpatched security vulnerabilities

Physical threats:

  • Theft of workstations or devices
  • Unauthorized access to server rooms or filing areas
  • Natural disasters affecting on-site servers

Human/operational threats:

  • Staff sending ePHI to wrong email addresses
  • Employees accessing records they don't need for treatment
  • Lack of training leading to accidental disclosures
  • Terminated employees retaining system access

Step 3: Assess Current Controls

For each threat, document what protections you currently have in place:

  • Do workstations have automatic screen locks?
  • Is data encrypted in transit and at rest?
  • Do you have a firewall and antivirus?
  • Are access controls in place (role-based access, unique login credentials)?
  • Do you have a backup system for ePHI?
  • Are physical areas with ePHI restricted?

Be honest here. Documenting a control you don't actually have is worse than acknowledging the gap.

Step 4: Determine Likelihood and Impact

For each identified threat/vulnerability combination, assign:

  • Likelihood: How probable is it that this threat would actually occur? (Low / Medium / High)
  • Impact: If it did occur, how serious would the consequence be for patient privacy and your practice? (Low / Medium / High)

Combine these to get an overall risk level for each vulnerability. This prioritization is what turns a long list of hypothetical threats into a manageable action plan.

Step 5: Develop and Document Risk Responses

For each medium or high risk, document what you plan to do about it. Options include:

  • Mitigate: Implement a control to reduce the risk (e.g., enable device encryption)
  • Accept: Acknowledge the risk as low enough to live with, with documented rationale
  • Transfer: Shift the risk to a third party (e.g., using a HIPAA-compliant cloud provider)
  • Avoid: Stop the activity that creates the risk (e.g., discontinue use of personal email for patient communication)

You don't have to eliminate every risk — you have to demonstrate that you've assessed each one and made a reasonable, documented decision.

Step 6: Implement Security Measures

Move from planning to doing. For each mitigation measure you identified, assign an owner, set a target date, and track completion. This is where many practices stall — the assessment is complete but the fixes never get implemented.

Step 7: Document Everything

HIPAA requires that you retain documentation of your risk assessment and your security measures for at least six years. At minimum, keep records of:

  • The assessment itself (scope, threats, vulnerabilities, current controls, risk levels)
  • The risk response plan
  • Evidence of implemented controls
  • Any incidents or near-misses that prompted reassessment

Step 8: Review and Update

Schedule your next review. Set a calendar reminder no more than 12 months out, and reassess immediately whenever a significant change occurs in your practice.
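The eight steps above can be carried as a small risk register so that the scoring, the response decisions and the review date are recorded in one place rather than in a spreadsheet that drifts. The example below is added here to illustrate that; it is not code from the guide or from HIPAAGuard. The 1-to-3 mapping of Low/Medium/High, the thresholds that turn a likelihood-times-impact product into an overall risk level, the "low risks need no formal response" rule, and the sample entries for a small clinic are all assumptions made for the example.

```python
# Added example: a minimal risk register that carries the guide's Steps 1-8
# over constructed sample data. It is illustrative code written for this
# page, not HIPAAGuard's software or a prescribed HIPAA method; the scoring
# thresholds, the response rules and the sample entries are assumptions.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Step 4: Low / Medium / High mapped to 1 / 2 / 3 on both axes (assumed).
LEVELS = {"Low": 1, "Medium": 2, "High": 3}


@dataclass
class Risk:
    asset: str                        # Step 1: where the ePHI lives
    threat: str                       # Step 2: what could go wrong
    current_control: str              # Step 3: protection in place ("" if none)
    likelihood: str                   # Step 4: Low / Medium / High
    impact: str                       # Step 4: Low / Medium / High
    response: Optional[str] = None    # Step 5: Mitigate / Accept / Transfer / Avoid
    rationale: str = ""               # Step 5: required when accepting a risk
    owner: Optional[str] = None       # Step 6: who implements the mitigation
    due: Optional[date] = None        # Step 6: target completion date


def score(likelihood: str, impact: str) -> int:
    """Likelihood x impact on a 3x3 matrix, giving 1..9."""
    return LEVELS[likelihood] * LEVELS[impact]


def risk_level(likelihood: str, impact: str) -> str:
    """Assumed thresholds: product 6-9 is High, 3-4 Medium, 1-2 Low."""
    s = score(likelihood, impact)
    if s >= 6:
        return "High"
    if s >= 3:
        return "Medium"
    return "Low"


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Highest score first, so the action plan starts with what matters most."""
    return sorted(risks, key=lambda r: score(r.likelihood, r.impact), reverse=True)


def open_findings(risks: List[Risk]) -> List[Tuple[str, str]]:
    """Return (asset, problem) for every Medium or High risk that lacks a
    documented, actionable decision (Steps 5 and 6)."""
    findings = []
    for r in risks:
        if risk_level(r.likelihood, r.impact) == "Low":
            continue  # assumed policy: low risks need no formal response
        if r.response is None:
            findings.append((r.asset, "no documented risk response"))
        elif r.response == "Accept" and not r.rationale:
            findings.append((r.asset, "accepted without documented rationale"))
        elif r.response == "Mitigate" and (r.owner is None or r.due is None):
            findings.append((r.asset, "mitigation has no owner or target date"))
    return findings


def reassessment_needed(last_assessed: date, today: date,
                        significant_change: bool = False) -> bool:
    """Step 8: review at least every 12 months, or at once after a
    significant change (new software, new location, a security incident)."""
    return significant_change or today >= last_assessed + timedelta(days=365)


# Constructed sample register for a small clinic (not real data).
SAMPLE_RISKS = [
    Risk("Clinician laptop", "Unencrypted data on a lost or stolen device",
         "", "High", "High", response="Mitigate",
         owner="Practice manager", due=date(2024, 9, 30)),
    Risk("EHR server", "Ransomware infection", "Nightly backups to tape",
         "Medium", "High"),                        # no decision recorded yet
    Risk("Personal email", "Staff sending ePHI to the wrong address",
         "", "Medium", "Medium", response="Avoid",
         rationale="Discontinue personal email for patient communication"),
    Risk("Front desk workstations", "Unauthorized viewing by visitors",
         "Automatic screen lock after 5 minutes", "Low", "Medium"),
]
SAMPLE_LAST_ASSESSED = date(2021, 1, 1)   # constructed: assessment three years old
SAMPLE_TODAY = date(2024, 1, 1)

if __name__ == "__main__":
    for r in prioritize(SAMPLE_RISKS):
        print(f"{risk_level(r.likelihood, r.impact):6} {r.asset}: {r.threat}")
    for asset, problem in open_findings(SAMPLE_RISKS):
        print(f"OPEN: {asset}: {problem}")
    print("Reassess now:", reassessment_needed(SAMPLE_LAST_ASSESSED, SAMPLE_TODAY))
```

Run as a script, the register prints the risks highest-scored first, reports the EHR server as the one Medium/High risk with no documented decision, and confirms that a three-year-old assessment is due for review. The `open_findings` check is the part that catches the stall the guide warns about in Step 6: a high risk that has been scored but never assigned an owner or a date shows up as an open item instead of disappearing into the document.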

Common Risk Assessment Mistakes to Avoid

  • Using a generic template without customizing it to your practice. Generic templates miss your specific systems and workflows.
  • Treating it as a compliance checkbox. The assessment only helps if you act on what you find.
  • Not involving clinical staff. Your front desk and billing team know where patient data actually flows day-to-day — their input is essential.
  • Ignoring mobile devices. If your physicians check records on their phones, those phones are in scope.

How HIPAAGuard Simplifies the Risk Assessment Process

Completing a thorough risk assessment manually can take days and requires familiarity with both HIPAA requirements and your own technical environment. HIPAAGuard guides your practice through every step of the process with structured questionnaires, pre-built threat libraries tailored to healthcare settings, and automated risk scoring.

You get a complete, documented risk assessment — not a generic template — along with a prioritized remediation plan and built-in reminders when it's time to update. No compliance background required.

Start your risk assessment today with HIPAAGuard. Get started free — most practices complete their initial assessment in one sitting.