Free HIPAA Risk Assessment Template (2026)
Starting from a blank page is the hardest part of a HIPAA Security Risk Assessment. This guide breaks down exactly what a good template contains, how to score each gap, and how to turn your finished assessment into an audit-ready report.
What goes in a HIPAA risk assessment template
A useful template mirrors the structure the HIPAA Security Rule expects. At a minimum it should capture the following sections for every system that touches electronic protected health information (ePHI):
- ePHI inventory — where PHI is created, received, stored, and transmitted (EHR, email, devices, cloud apps, paper-to-digital workflows).
- Threats & vulnerabilities — the human, natural, and technical threats to each system.
- Current safeguards — the Administrative (§164.308), Physical (§164.310), and Technical (§164.312) controls already in place.
- Likelihood & impact — a rating for each threat/vulnerability pair so risks can be prioritized.
- Remediation plan — the corrective action, owner, and target date for each gap.
How to score each requirement
Rather than a simple pass/fail, most templates use a status per requirement so you can show progress. A practical scale is:
- Met — the safeguard is fully implemented and documented.
- Partially met — some controls exist but there are gaps to close.
- Not met — the safeguard is missing; this is where your risk concentrates.
- Not applicable — the requirement genuinely does not apply (document why).
Weighting foundational safeguards (like your risk analysis and access controls) more heavily than addressable, good-practice items gives you a readiness score that reflects real exposure.
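The status scale and the weighting described above can be turned into a small scoring routine. The following Python is an added example written for this guide, not Wardably's own scoring code; the requirement list, the weights (3 for foundational safeguards, 1 for addressable items) and the partial-credit value of 0.5 are assumptions chosen to illustrate the method. Requirements marked "Not applicable" are excluded from the denominator but must carry a documented reason, matching the rule that you record why the item does not apply.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumed weights: foundational safeguards count three times as much as
# addressable, good-practice items.
WEIGHTS = {"foundational": 3, "addressable": 1}

# Assumed credit per status. "Not applicable" is handled separately.
CREDIT = {"Met": 1.0, "Partially met": 0.5, "Not met": 0.0}


@dataclass
class Requirement:
    ref: str            # citation or identifier of the requirement
    name: str           # short plain-language label
    tier: str           # "foundational" or "addressable"
    status: str         # Met / Partially met / Not met / Not applicable
    evidence: str = ""  # short evidence note or, for N/A, the reason why


def applicable(req: Requirement) -> bool:
    """N/A items are excluded, but only if the reason is documented."""
    if req.status == "Not applicable":
        if not req.evidence.strip():
            raise ValueError(f"{req.ref}: 'Not applicable' requires a documented reason")
        return False
    if req.status not in CREDIT:
        raise ValueError(f"{req.ref}: unknown status {req.status!r}")
    return True


def readiness_score(reqs: List[Requirement], weighted: bool = True) -> float:
    """Percentage of achievable credit earned across applicable requirements."""
    earned = total = 0.0
    for req in reqs:
        if not applicable(req):
            continue
        w = WEIGHTS[req.tier] if weighted else 1
        earned += w * CREDIT[req.status]
        total += w
    return 100.0 * earned / total if total else 0.0


def prioritized_gaps(reqs: List[Requirement]) -> List[str]:
    """Gaps (Not met / Partially met) ordered by weight, then by how far from Met."""
    gaps = [r for r in reqs if applicable(r) and CREDIT[r.status] < 1.0]
    gaps.sort(key=lambda r: (-WEIGHTS[r.tier], CREDIT[r.status]))
    return [r.ref for r in gaps]


# Constructed sample assessment; statuses and evidence notes are illustrative only.
SAMPLE = [
    Requirement("RA-1", "Risk analysis (§164.308)", "foundational", "Met", "signed 2026 risk analysis"),
    Requirement("AC-1", "Access control (§164.312)", "foundational", "Partially met", "MFA on EHR only"),
    Requirement("FA-1", "Facility access controls (§164.310)", "addressable", "Met", "badge logs"),
    Requirement("EN-1", "Encryption at rest (§164.312)", "addressable", "Not applicable", "no local ePHI storage"),
    Requirement("TR-1", "Workforce training (§164.308)", "foundational", "Not met", ""),
    Requirement("DM-1", "Device and media controls (§164.310)", "addressable", "Met", "asset register"),
    Requirement("AL-1", "Automatic logoff (§164.312)", "addressable", "Not met", ""),
]

if __name__ == "__main__":
    print(f"weighted readiness:   {readiness_score(SAMPLE):.1f}%")
    print(f"unweighted readiness: {readiness_score(SAMPLE, weighted=False):.1f}%")
    print("remediate in this order:", prioritized_gaps(SAMPLE))
```

On the constructed sample the weighted score comes out lower than the unweighted one, because a foundational safeguard (workforce training) is missing while the items that are met are mostly lighter-weight ones; that gap is also what the prioritized list puts first, which is the behaviour the weighting is meant to produce.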
Turning the template into an audit-ready report
- Complete every applicable requirement with a status and short evidence note.
- Attach evidence — signed policies, screenshots, training records — to prove each answer.
- Summarize your gaps and prioritize them by risk level.
- Record dates and owners so the remediation plan is trackable.
- Keep it current — review at least annually and after any significant change.
Skip the spreadsheet — use a guided template
Wardably turns this template into a guided assessment: every requirement in plain language, a live readiness score, evidence attachments, and an audit-ready report you can export. Taking your current-year assessment is free.
Related HIPAA guides
- HIPAA Risk Assessment: A Step-by-Step Guide
- HIPAA Compliance Checklist for 2026
- The HIPAA Security Rule Explained
This guide is for general educational purposes and is not legal advice. Consult a qualified professional for guidance specific to your organization.