Risk Management

HIPAA Risk Assessment Template

A guided HIPAA security risk assessment based on the NIST SP 800-30 methodology. Answer 22 questions about your practice's safeguards and receive a risk score with prioritized remediation steps you can print for documentation.

March 9, 2026

Progress: 0 of 22 questions0%

Answer each question about your practice's current security controls. Select “N/A” for questions that don't apply to your organization.

ePHI Inventory & Data Flow

Identifying where electronic protected health information lives, moves, and is stored.

0/4

Have you identified all systems that create, receive, maintain, or transmit ePHI?

EHR, billing software, email, fax servers, cloud storage, mobile devices, backup systems.

45 CFR §164.308(a)(1)(ii)(A)

High Impact

Have you documented all data flows showing how ePHI moves within and outside your organization?

Include data sent to labs, clearinghouses, referral providers, and cloud services.

45 CFR §164.308(a)(1)(ii)(A)

Do you maintain an inventory of all hardware and electronic media containing ePHI?

Workstations, laptops, tablets, USB drives, backup tapes, server hard drives.

45 CFR §164.310(d)(1)

Have you identified all business associates who access or handle ePHI on your behalf?

IT vendors, cloud providers, billing companies, shredding services, EHR hosts.

45 CFR §164.308(b)(1)

High Impact
Access Controls

Ensuring only authorized individuals can access ePHI based on their role.

0/5

Does each user have a unique login credential for systems containing ePHI?

No shared logins, generic accounts, or posted passwords.

45 CFR §164.312(a)(2)(i)

High Impact

Do you enforce role-based access so staff only see ePHI needed for their job?

Front desk can see scheduling but not clinical notes. Billing sees charges but not psychotherapy notes.

45 CFR §164.312(a)(1)

Do you have an automatic session timeout or lock on workstations?

Screens should lock after 2-5 minutes of inactivity in clinical areas.

45 CFR §164.312(a)(2)(iii)

Do you use multi-factor authentication (MFA) for remote access to ePHI?

Password + text code, authenticator app, or hardware key for VPN, email, and cloud EHR access.

45 CFR §164.312(d)

High Impact

Do you promptly revoke access when employees leave or change roles?

Same-day deactivation for terminations. Role changes trigger access review within 48 hours.

45 CFR §164.308(a)(3)(ii)(C)

High Impact
Encryption & Transmission Security

Protecting ePHI at rest and in transit with industry-standard encryption.

0/4

Is ePHI encrypted at rest on all devices (laptops, desktops, servers, mobile)?

Full-disk encryption (BitLocker, FileVault) or database-level AES-256.

45 CFR §164.312(a)(2)(iv)

High Impact

Is ePHI encrypted in transit (TLS 1.2+ for email, web portals, file transfers)?

HTTPS for patient portals, encrypted email or secure messaging for PHI.

45 CFR §164.312(e)(1)

High Impact

Are backup copies of ePHI encrypted and stored securely (offsite or cloud)?

Backup encryption + access controls + tested restoration procedures.

45 CFR §164.308(a)(7)(ii)(A)

Do you have a policy prohibiting ePHI transmission via unencrypted channels (standard SMS, consumer email)?

No PHI in regular text messages, personal Gmail, or WhatsApp.

45 CFR §164.312(e)(2)(ii)

Physical Security

Controlling physical access to facilities and equipment containing ePHI.

0/4

Is access to areas containing ePHI systems restricted (locked doors, badge access)?

Server rooms, medical records areas, and workstation areas with PHI visibility.

45 CFR §164.310(a)(1)

Are workstation screens positioned to prevent unauthorized viewing by patients or visitors?

Privacy screens, monitor placement, clean desk policies in shared areas.

45 CFR §164.310(c)

Do you have procedures for sanitizing or destroying media before disposal?

Hard drive wiping (NIST 800-88), physical destruction, certified shredding for paper records.

45 CFR §164.310(d)(2)(i)

Do you maintain logs of who accesses restricted areas containing ePHI?

Visitor sign-in sheets, badge swipe logs, security camera coverage of server areas.

45 CFR §164.310(a)(2)(iii)

Policies, Training & Incident Response

Administrative safeguards including documentation, workforce training, and breach procedures.

0/5

Do you have written HIPAA security policies and procedures that staff can access?

Documented and available — not just a binder on a shelf. Covers all Security Rule standards.

45 CFR §164.316(a)

Do all workforce members receive HIPAA security training at hire and annually?

Training must cover PHI handling, password policies, phishing awareness, and incident reporting.

45 CFR §164.308(a)(5)(i)

Do you have a documented incident response plan for potential breaches?

Who to contact, investigation steps, 60-day notification timeline, breach log.

45 CFR §164.308(a)(6)(i)

High Impact

Do you have executed Business Associate Agreements with all vendors who handle ePHI?

Cloud EHR, IT support, billing companies, answering services, shredding vendors.

45 CFR §164.308(b)(4)

High Impact

Do you maintain audit logs of who accessed ePHI and review them regularly?

EHR access logs reviewed monthly or quarterly for unauthorized access patterns.

45 CFR §164.312(b)

What Is a HIPAA Risk Assessment?

A HIPAA risk assessment (also called a security risk analysis) is a systematic evaluation of potential threats and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI). It's required under 45 CFR §164.308(a)(1)(ii)(A) for every covered entity and business associate, regardless of size.

Unlike a simple checklist, a risk assessment quantifies each risk by combining how likely the threat is with how severe the impact would be — following the same methodology used by OCR auditors and recommended by NIST SP 800-30.

How Often Is HIPAA Risk Assessment Required?

Legally required

Every covered entity and business associate must conduct a risk assessment under the HIPAA Security Rule.

At least annually

OCR expects assessments at least once per year and whenever significant changes occur (new EHR, office move, breach).

All practice sizes

Solo practitioners to large health systems. The scope scales with your organization, but the requirement doesn't shrink.

OCR enforcement reality: Failure to conduct a risk assessment is the #1 finding in HIPAA audits and settlements. Penalties range from $145 to $73,011 per violation, with an annual maximum of $2,190,294 per violation category (2026 figures).

How to Use This Assessment

  1. 1Enter your practice name and work through each of the 5 assessment categories
  2. 2Answer each question honestly — Yes, Partial, No, or N/A
  3. 3Click "Generate Risk Report" to see your risk score and severity breakdown
  4. 4Review the prioritized remediation plan, starting with Critical findings
  5. 5Print or copy the report for your compliance documentation files

For a broader compliance review beyond security, use our HIPAA Compliance Checklist which covers the Privacy Rule and Breach Notification Rule as well. If you need to formalize vendor relationships, our BAA Template Generator creates compliant Business Associate Agreements.

NIST SP 800-30 Methodology

This tool follows the risk assessment framework from NIST Special Publication 800-30, the methodology recommended by HHS for HIPAA compliance. Each identified risk is scored using two factors:

Likelihood

How probable is this threat? Based on current controls, threat sources, and vulnerability severity.

Impact

How severe would the consequence be? Based on data sensitivity, number of records, and regulatory penalties.

The resulting risk matrix maps each finding to a severity level: Low, Medium, High, or Critical. This is the same approach used by OCR auditors when evaluating compliance. For training and documentation requirements beyond security controls, review our dedicated guides.

Related Tools & Guides

HIPAA Compliance Checklist

Interactive checklist covering Privacy Rule, Security Rule, and Breach Notification requirements.

BAA Template Generator

Generate Business Associate Agreements for vendors who handle your ePHI.

Who Does HIPAA Apply To?

Determine whether your organization is a covered entity or business associate.

HIPAA Minimum Necessary Rule

Understand when and how to limit PHI access to the minimum required.