HIPAA Risk Assessment: A Step-by-Step Guide

A HIPAA risk assessment (also called a HIPAA Security Risk Analysis) is the foundation of HIPAA compliance. This guide explains what it is, who needs one, how often it's required, and how to actually complete one for your healthcare practice.

What is a HIPAA risk assessment?

A HIPAA risk assessment is a systematic review of how your organization protects electronic protected health information (ePHI). Required by the HIPAA Security Rule, it identifies where ePHI lives, the threats and vulnerabilities that could expose it, and the likelihood and impact of those risks — so you can prioritize and document safeguards.

Who needs to complete one?

Every covered entity (healthcare providers, health plans, and clearinghouses) and every business associate that creates, receives, maintains, or transmits ePHI must conduct a risk assessment. That includes small and solo practices — there is no size exemption.

How often is a HIPAA risk assessment required?

HIPAA requires the analysis to be conducted and kept current, rather than on a single fixed date. In practice that means reviewing it at least once a year and again after any significant change — adopting a new EHR, opening a location, a merger or acquisition, or following a security incident.

How to complete a HIPAA risk assessment (step by step)

  1. Inventory your ePHI. Map every place ePHI is created, received, stored, or transmitted — devices, servers, cloud apps, email, and paper-to-digital workflows.
  2. Identify threats and vulnerabilities. Consider human, natural, and technical threats to each system that touches ePHI.
  3. Assess current safeguards. Review your Administrative, Physical, and Technical safeguards and note where controls are missing or incomplete.
  4. Determine likelihood and impact. Rate the risk of each threat/vulnerability pair so you can prioritize.
  5. Document and remediate. Record findings, assign a risk level, and build a remediation plan — then track it to completion.
  6. Review and update. Revisit the assessment at least annually and after major changes.

Run a guided HIPAA Risk Assessment in Wardably

Skip the blank spreadsheet. Wardably walks you through each requirement in plain language, scores your readiness, and helps you close the gaps.


Frequently asked questions

Is a HIPAA risk assessment required?

Yes. The HIPAA Security Rule requires covered entities and business associates to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.

How often is a HIPAA risk assessment required?

HIPAA doesn't name a fixed interval, but review it at least annually and whenever there's a significant change — new systems, a move, a merger, or a security incident.

Who needs to complete one?

All covered entities and their business associates that create, receive, maintain, or transmit ePHI — including small and solo practices.

This guide is for general educational purposes and is not legal advice. Consult a qualified professional for guidance specific to your organization.