More than 52 million people had their private health information exposed in 2022 in more than 700 breaches, according to an analysis by Healthcare Dive. This is a drastic increase from the 6 million people who were affected in 2010, the first full year for which data on healthcare breaches was available.

Fortunately, there are steps you can take to avoid contributing to data breach statistics. A HIPAA risk assessment is a crucial step for anyone looking to become HIPAA compliant and improve the safety of their sensitive information. 

We dig into what a risk assessment includes and how to conduct one below. Jump to our HIPAA risk assessment checklist for a handy cheat sheet. 

What is a HIPAA risk assessment?


A HIPAA risk assessment (the Security Rule calls it a risk analysis) is a required, documented review of how your organization creates, receives, maintains, and transmits PHI, and of the threats and vulnerabilities that could compromise it. It is usually run as an internal audit, and its findings are the basis for deciding which safeguards to add or improve.

The HIPAA Security Rule (45 CFR 164.308(a)(1)(ii)(A)) requires covered entities and business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI).

Why are HIPAA risk assessments important?

Most patient health information is now stored and transmitted electronically, so a breach of ePHI, or electronic protected health information, is a realistic threat for any organization that handles it.

Organizations must regularly assess their security posture to spot weaknesses and proactively keep patient information safe. A risk assessment is one way to do that, and is required for HIPAA compliance. 

Failure to comply with HIPAA regulations can result in costly fines, a damaged reputation, and in some cases, even criminal penalties. Conducting regular risk assessments can help you avoid HIPAA violations and keep information secure. 

How to conduct a HIPAA risk analysis in 6 steps


It’s important to note that there’s no “right way” to do a HIPAA risk analysis. 

HIPAA doesn’t provide specific instructions on how to do a risk assessment, because it recognizes that every company is different. 

However, there are several elements that should be considered in every risk assessment. 

1. Define the scope

The scope of your risk assessment should cover every place PHI is created, received, maintained, or transmitted: not just the systems and paper records where it is stored, but also the laptops, mobile devices, removable media, backups, and transmission paths that ePHI passes through.

The Department of Health and Human Services (HHS) provides a few questions to ask during the scoping stage: 

  • Have you identified the PHI within your organization? 
  • What are the external sources of PHI? For example, do vendors create, receive, maintain, or transmit PHI?
  • What are the human, natural, and environmental threats to information systems that contain PHI?

While defining scope, you should also be documenting where PHI is stored, received, maintained, and transmitted.

2. Identify potential weaknesses

Organizations must also identify and document vulnerabilities that could result in a PHI breach. 

This can be done by reviewing past or current projects, interviewing staff who handle PHI, reviewing existing documentation, and examining the systems themselves (configuration reviews, vulnerability scans, and access reviews).

Illustration of the four types of threats facing PHI: deliberate human actions, inadvertent human actions, technical system failure, and man-made or natural disaster.

3. Assess current security measures

Businesses should also assess the security measures already in place to protect ePHI. Every safeguard should be documented, whether technical (for example, encryption and access controls) or non-technical (policies, training, physical security).

Current practice should then be measured against the standards and implementation specifications of the HIPAA Security Rule. Every gap, and every safeguard that exists on paper but is not configured or used correctly, should be recorded as a finding and carried into the risk scoring in the next steps.

4. Determine and assign risk levels

After identifying potential risks, estimate for each one the likelihood that the threat will occur and the impact on the organization and its patients if it does.

Organizations often use a scale of 1 to 5 for each, with likelihood 1 meaning very unlikely and 5 meaning very likely, and impact 1 meaning negligible and 5 meaning severe. Multiplying the two, or reading them off a 5-by-5 matrix, gives a single score that makes risks comparable with each other.

5. Prioritize risks based on likelihood and potential impact

When all threats have been measured by impact and likelihood, organizations can prioritize threats. 

The level of risk is highest when a threat is likely to occur and will have a significant impact on the business. Once prioritized, risks should be documented along with any measures put in place to mitigate them.
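As an added illustration of steps 4 and 5 (this is example code written for this page, not code from the original article or from Secureframe), here is a small risk register that scores each threat/vulnerability pair on the 1-to-5 scales described above, bands the score into Low, Moderate, and High, orders the register by priority, and flags any risk at or above a chosen level that has no documented safeguard. The sample entries, the asset names, and the banding thresholds are constructed assumptions; tune the thresholds to your own risk appetite.

```python
"""Qualitative risk register for a HIPAA risk analysis.

Added example, not code from the article. The sample entries and the
Low/Moderate/High thresholds are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field

SCALE = range(1, 6)  # 1..5, as described in step 4


@dataclass
class Risk:
    asset: str          # where ePHI is created, received, stored or transmitted
    threat: str         # threat source or event
    vulnerability: str  # weakness the threat could exploit
    likelihood: int     # 1 = very unlikely ... 5 = very likely
    impact: int         # 1 = negligible ... 5 = severe
    safeguards: list[str] = field(default_factory=list)  # measures in place or planned

    def __post_init__(self) -> None:
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError("likelihood and impact must each be 1-5")

    @property
    def score(self) -> int:
        """Likelihood x impact: 1 (lowest) to 25 (highest)."""
        return self.likelihood * self.impact

    @property
    def level(self) -> str:
        """Band the score; the thresholds are an assumption, not an HHS rule."""
        if self.score >= 15:
            return "High"
        if self.score >= 8:
            return "Moderate"
        return "Low"


LEVEL_ORDER = {"Low": 0, "Moderate": 1, "High": 2}


def prioritize(register: list[Risk]) -> list[Risk]:
    """Highest score first; ties broken by impact, then by asset name (step 5)."""
    return sorted(register, key=lambda r: (-r.score, -r.impact, r.asset))


def unmitigated(register: list[Risk], minimum: str = "Moderate") -> list[Risk]:
    """Risks at or above `minimum` that have no documented safeguard."""
    return [r for r in register
            if LEVEL_ORDER[r.level] >= LEVEL_ORDER[minimum] and not r.safeguards]


def summary(register: list[Risk]) -> dict[str, int]:
    """Number of risks per level, for the written report."""
    counts = {"High": 0, "Moderate": 0, "Low": 0}
    for r in register:
        counts[r.level] += 1
    return counts


# Constructed sample register (illustrative, not real findings).
SAMPLE = [
    Risk("EHR database server", "External attacker",
         "Remote access exposed to the internet without MFA", 4, 5),
    Risk("Clinician laptops", "Lost or stolen device",
         "Full-disk encryption not enforced", 3, 4,
         ["MDM enforces disk encryption", "Remote wipe enabled"]),
    Risk("Billing vendor (business associate)", "Breach at the vendor",
         "No BAA or security review on file", 2, 4),
    Risk("Shared nursing-station workstation", "Inadvertent disclosure by staff",
         "No automatic logoff", 4, 2, ["15-minute automatic logoff policy"]),
    Risk("Paper charts (records room)", "Flood",
         "Ground-floor storage, no water detection", 1, 3),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE):
        print(f"{r.score:>2} {r.level:<8} {r.asset}: {r.threat} / {r.vulnerability}")
    print("Summary:", summary(SAMPLE))
    for r in unmitigated(SAMPLE):
        print("NEEDS SAFEGUARD:", r.asset)
```

Run as-is it prints the register in priority order, a count per level, and the two sample risks (the exposed EHR server and the unreviewed vendor) that score Moderate or higher without any safeguard recorded against them. The register itself, together with the safeguards column, is the documentation step 5 asks for; rerunning it after each review is how the scores get updated in step 6.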

6. Review and update your risk analysis on a regular basis

Once you’ve completed a risk assessment and implemented any security measures that were lacking or nonexistent, you can breathe a little easier.   

HHS instructs that the risk analysis be periodically reviewed and updated as needed.

HIPAA sets no fixed interval, but experts generally recommend at least an annual review, plus a fresh look whenever something significant changes: a new system or vendor that handles ePHI, a major infrastructure change, or a security incident.

HIPAA risk assessment checklist

We’ve created a downloadable checklist to help guide you through the HIPAA risk assessment process.


How Secureframe can help with HIPAA compliance

Working with a company like Secureframe makes it easy to determine what PHI you handle and how it moves through your organization, which is a crucial complement to a risk assessment. 

We can also help you evaluate your security safeguards and identify weaknesses to provide a clear picture of your security posture. 

For more information on how Secureframe can help you achieve and maintain HIPAA compliance, request a demo.


Who is required to perform a HIPAA risk assessment?

Both covered entities and business associates of covered entities are required to perform a HIPAA risk assessment. 

A covered entity is a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in connection with a HIPAA-covered transaction. Business associates are the vendors and contractors that create, receive, maintain, or transmit PHI on a covered entity’s behalf: for example, software companies with access to PHI, medical transcription companies, lawyers, and accountants.

How often is a HIPAA risk assessment required?

HIPAA does not specify how often a risk assessment must be performed, but the Security Rule does require a periodic technical and nontechnical evaluation of your safeguards, and HHS guidance describes risk analysis as an ongoing process that should be updated as your environment changes.

Many organizations choose to conduct an annual risk assessment, but you can determine the best practice for your organization based on the circumstances of your environment.

What are technical and non-technical safeguards?

Technical safeguards are the technology, and the policies and procedures for using it, that protect ePHI and control access to it. Examples include encryption, unique user identification and authentication, audit logging, and automatic logoff.

Non-technical safeguards are the administrative and physical controls around that technology: written policies and procedures, workforce training, sanctions and accountability measures, and physical security such as facility access controls and workstation placement.