Free HIPAA Risk Assessment Template (2026)

Starting from a blank page is the hardest part of a HIPAA Security Risk Assessment. This guide breaks down exactly what a good template contains, how to score each gap, and how to turn your finished assessment into an audit-ready report.

What goes in a HIPAA risk assessment template

A useful template mirrors the structure the HIPAA Security Rule expects. At a minimum it should capture the following sections for every system that touches electronic protected health information (ePHI):

  • ePHI inventory — where PHI is created, received, stored, and transmitted (EHR, email, devices, cloud apps, paper-to-digital workflows).
  • Threats & vulnerabilities — the human, natural, and technical threats to each system.
  • Current safeguards — the Administrative (§164.308), Physical (§164.310), and Technical (§164.312) controls already in place.
  • Likelihood & impact — a rating for each threat/vulnerability pair so risks can be prioritized.
  • Remediation plan — the corrective action, owner, and target date for each gap.

How to score each requirement

Rather than a simple pass/fail, most templates use a status per requirement so you can show progress. A practical scale is:

  • Met — the safeguard is fully implemented and documented.
  • Partially met — some controls exist but there are gaps to close.
  • Not met — the safeguard is missing; this is where your risk concentrates.
  • Not applicable — the requirement genuinely does not apply (document why).

Weighting foundational safeguards (like your risk analysis and access controls) more heavily than addressable, good-practice items gives you a readiness score that reflects real exposure.
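As an added illustration (not part of the original guide or Wardably's product), the scoring scale above and the weighting idea can be put into a few lines of Python: each requirement gets a status, a weight (foundational, required or addressable) and a likelihood/impact rating, the readiness score is the weighted share of credit earned with "Not applicable" rows excluded from the denominator, and the gap list is ordered for the remediation plan. The requirement rows are constructed sample data; the weights and the 1..3 rating scale are assumptions, not something the Security Rule prescribes.

```python
from dataclasses import dataclass

# Credit earned per status, so "Partially met" counts for half.
STATUS_CREDIT = {"Met": 1.0, "Partially met": 0.5, "Not met": 0.0}
NOT_APPLICABLE = "Not applicable"


@dataclass(frozen=True)
class Requirement:
    ref: str          # 45 CFR 164 citation (sample rows below are illustrative)
    name: str
    status: str       # Met / Partially met / Not met / Not applicable
    weight: int       # assumed scale: 3 foundational, 2 other required, 1 addressable
    likelihood: int   # assumed scale: 1 (low) .. 3 (high)
    impact: int       # assumed scale: 1 (low) .. 3 (high)


def readiness_score(reqs):
    """Weighted percentage of credit earned; Not applicable rows are left out entirely."""
    scored = [r for r in reqs if r.status != NOT_APPLICABLE]
    total = sum(r.weight for r in scored)
    if total == 0:
        return 0.0  # nothing assessed yet, so there is no readiness to claim
    # A misspelled status raises KeyError here rather than silently scoring as zero.
    earned = sum(r.weight * STATUS_CREDIT[r.status] for r in scored)
    return round(100.0 * earned / total, 1)


def prioritized_gaps(reqs):
    """Open gaps ordered by likelihood x impact, then by safeguard weight."""
    gaps = [r for r in reqs if r.status in ("Partially met", "Not met")]
    return sorted(gaps, key=lambda r: (r.likelihood * r.impact, r.weight), reverse=True)


# Constructed sample assessment, not real audit data.
SAMPLE = [
    Requirement("164.308(a)(1)(ii)(A)", "Risk analysis", "Met", 3, 2, 3),
    Requirement("164.312(a)(1)", "Access control", "Partially met", 3, 3, 3),
    Requirement("164.312(a)(2)(iv)", "Encryption and decryption", "Not met", 1, 2, 3),
    Requirement("164.310(b)", "Workstation use", "Met", 2, 1, 2),
    Requirement("164.308(a)(7)(ii)(E)", "Applications and data criticality analysis",
                NOT_APPLICABLE, 1, 1, 1),
]

if __name__ == "__main__":
    print(f"Readiness: {readiness_score(SAMPLE)}%")
    for r in prioritized_gaps(SAMPLE):
        print(f"  {r.ref} {r.name}: {r.status} (risk {r.likelihood * r.impact})")
```

With the sample rows the score is 72.2% (6.5 of 9 weighted points), and the partially met access control gap ranks ahead of the missing addressable encryption control because its likelihood and impact are both high.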

Turning the template into an audit-ready report

  1. Complete every applicable requirement with a status and short evidence note.
  2. Attach evidence — signed policies, screenshots, training records — to prove each answer.
  3. Summarize your gaps and prioritize them by risk level.
  4. Record dates and owners so the remediation plan is trackable.
  5. Keep it current — review at least annually and after any significant change.

Skip the spreadsheet — use a guided template

Wardably turns this template into a guided assessment: every requirement in plain language, a live readiness score, evidence attachments, and an audit-ready report you can export. Taking your current-year assessment is free.


Frequently asked questions

HHS doesn't publish a single mandatory template. The HHS Security Risk Assessment (SRA) Tool and NIST guidance are common starting points, but any format is acceptable as long as it produces an accurate, thorough analysis of the risks to your ePHI and is kept current.

An ePHI inventory, threats and vulnerabilities, current safeguards (Administrative, Physical, Technical), a likelihood-and-impact rating for each risk, and a documented remediation plan with owners and dates.

A spreadsheet can satisfy the documentation requirement, but it's easy to leave incomplete and hard to keep current. Guided tools reduce the risk of missing a required safeguard and make it easier to produce an audit-ready report each year.


This guide is for general educational purposes and is not legal advice. Consult a qualified professional for guidance specific to your organization.