I've watched more than a few covered entities scramble to reconstruct their risk assessment documentation hours before an OCR audit. The pattern is predictable: someone finds a HIPAA risk assessment template online, fills it out in an afternoon, and files it away. When the audit notice arrives, they discover what they have isn't actually a risk assessment—it's a checklist with some dates on it.
The gap between a compliant HIPAA risk assessment and a checkbox exercise is wider than most organizations realize. OCR knows the difference, and so do the auditors who conduct investigations following breaches. A real risk assessment identifies actual risk in your specific environment. A fake one just documents that you know the word "encryption" exists.
Here's what actually holds up when someone is reviewing your HIPAA compliance program.
What Makes a HIPAA Risk Assessment Different From a Generic Security Assessment
The HIPAA Security Rule requires a specific type of risk assessment. It's not the same as a vulnerability scan, a penetration test, or a general IT risk review—though those activities can feed into it.
A HIPAA risk assessment must evaluate risks and vulnerabilities to the confidentiality, integrity, and availability of all electronic protected health information (ePHI) the covered entity or business associate creates, receives, maintains, or transmits. That's the regulatory language, and every word matters.
This means you need to know where your ePHI actually is. Not where it's supposed to be according to your data flow diagrams from 2019, but where it actually exists today. In my experience working with healthcare organizations, this is where the first major gap appears. Organizations assume ePHI is only in their EHR system and their backup server. Then we find it in:
- Email archives that haven't been addressed in the retention policy
- Departmental file shares created by clinical staff who needed "temporary" storage
- Cloud collaboration tools that someone in billing started using during COVID
- Imaging systems that integrate with but aren't technically part of the EHR
- Laptops and mobile devices that access ePHI but aren't enrolled in device management
A real HIPAA risk assessment starts with asset inventory. Not just servers and applications—every system, device, and location where ePHI exists or could exist. If you can't enumerate what you're protecting, you can't assess risk to it.
The Difference Between Threats, Vulnerabilities, and Risks
Too many risk assessments I've reviewed conflate these three concepts. OCR guidance is clear about the distinction, and assessors expect you to demonstrate you understand it.
A threat is something that could cause harm: ransomware, insider access abuse, lost devices, natural disasters, vendor security failures. A vulnerability is a weakness that could be exploited: unpatched systems, weak authentication, lack of encryption, inadequate access controls. A risk is the likelihood that a threat will exploit a vulnerability, combined with the potential impact if it happens.
Your assessment needs to connect these elements. "We have unencrypted laptops" is a vulnerability observation. "We have unencrypted laptops that contain ePHI, they're used outside the office, and we've had two laptops reported lost in the past year" is a risk statement that connects vulnerability, threat, and likelihood.
This is why templates fail. They list generic threats and generic vulnerabilities, but they don't assess actual risk in your actual environment with your actual data and your actual threats.
Asset Inventory: The Foundation That Most Organizations Skip
You can't assess risk to assets you don't know exist. The HIPAA Security Rule doesn't explicitly mandate a formal asset inventory as a standalone requirement, but the risk assessment requirement makes it functionally mandatory. You can't comply with §164.308(a)(1)(ii)(A) without knowing what you're assessing.
When I work with organizations on their HIPAA risk assessment, we start with three inventories:
Systems and applications that create, receive, maintain, or transmit ePHI. This includes your obvious clinical systems, but also your billing systems, patient portals, appointment scheduling tools, analytics platforms, and any integrated third-party services. For each one, you need to know what ePHI it handles, where it's hosted, who has access, and what safeguards are in place.
Physical and virtual infrastructure that supports those systems. Servers, network devices, storage systems, backup systems, cloud infrastructure. You need to know what physical and environmental protections exist, what technical controls are implemented, and where the boundaries of your responsibility are—especially for cloud-hosted systems where shared responsibility models apply.
Devices that access ePHI. Workstations, laptops, tablets, mobile phones, medical devices with network connectivity, and any other endpoint that touches your ePHI. For each category, you need policies about encryption, authentication, remote access, and what happens when devices are lost or decommissioned.
The pattern I see in failed assessments is that organizations inventory their data center and stop there. They document their on-premises servers and declare victory. Meanwhile, half their clinical staff is accessing ePHI from personal devices through a patient portal vendor that nobody remembered to include in the business associate agreement review.
An accurate asset inventory is uncomfortable because it reveals scope you didn't want to acknowledge. That discomfort is the point. You're identifying risks you didn't know you had.
Threat and Vulnerability Analysis That Goes Beyond the Template
Once you know what assets you have, you assess threats and vulnerabilities specific to those assets. Not theoretical threats from a NIST catalog, but actual threat scenarios relevant to your organization.
A small pediatric practice and a regional hospital system face different threat profiles. The practice probably isn't a target for sophisticated nation-state actors, but they're absolutely a target for opportunistic ransomware and they're vulnerable to social engineering against a small staff with limited security training. The hospital has a larger attack surface, more complex vendor relationships, and often legacy medical devices that can't be patched.
Your threat analysis should consider:
- Human threats (intentional and unintentional): insiders with excessive access, social engineering, credential compromise, ransomware operators who specifically target healthcare
- Technical threats: malware, system vulnerabilities, misconfigurations, supply chain compromises through vendor systems
- Physical threats: unauthorized facility access, theft of devices or media, natural disasters affecting availability
- Environmental threats: power failures, HVAC failures affecting server rooms, connectivity disruptions
For each category of threat, you evaluate existing vulnerabilities. This is where technical assessments feed into your risk assessment: vulnerability scan results, penetration test findings, configuration reviews, access control audits, physical security assessments.
But vulnerabilities aren't just technical gaps. Inadequate policies are vulnerabilities. Lack of workforce training is a vulnerability. Not having a tested incident response plan is a vulnerability. Unclear vendor management processes are vulnerabilities. A complete HIPAA risk assessment addresses administrative, physical, and technical safeguards because vulnerabilities exist in all three domains.
Need to Train Your Team on HIPAA Risk Assessment?
Carl delivers keynote presentations and workshops on practical HIPAA compliance, risk assessment, and regulatory program management for healthcare organizations and their business associates.
Book Carl to SpeakRisk Determination: Where Likelihood Meets Impact
This is where a HIPAA risk assessment becomes more than documentation—it becomes decision support. You've identified your assets, enumerated threats, and cataloged vulnerabilities. Now you determine which risks are unacceptable and must be addressed.
OCR doesn't mandate a specific risk rating methodology, but they expect one that's consistent, documented, and actually used. Whether you use a qualitative scale (high/medium/low), a quantitative approach with numerical scores, or a matrix that combines likelihood and impact, the method needs to produce repeatable results that support decisions.
For each identified risk, you assess two dimensions:
Likelihood: How probable is it that this threat will exploit this vulnerability in your environment? This isn't a guess. It's informed by your threat intelligence, your historical incident data, your control effectiveness, and your environmental factors. A covered entity with no email filtering, no security awareness training, and a history of successful phishing attempts has a high likelihood of continued email-based compromises. That's not theoretical—it's observed pattern.
Impact: If this risk is realized, what's the consequence? For HIPAA purposes, impact includes potential harm to patients (privacy violation, safety issues from integrity or availability failures), financial impact (breach notification costs, OCR penalties, remediation costs, lawsuits), operational impact (downtime, loss of access to clinical systems), and reputational harm.
The combination of likelihood and impact gives you a risk level that drives decisions. High likelihood, high impact risks demand immediate mitigation. Low likelihood, low impact risks might be accepted with documentation of that decision. Everything in between requires judgment, which is why risk assessment is an analytical exercise, not an administrative one.
Here's what separates assessments that hold up from those that don't: the ability to explain why you rated specific risks the way you did. When an auditor asks why you rated unencrypted email as high risk but unencrypted fax transmissions as medium risk, you need a documented rationale based on your environment, your controls, and your threat profile. "That's what the template said" isn't a rationale.
What Auditors Actually Look for in HIPAA Risk Assessment Documentation
I've supported organizations through OCR compliance reviews, breach investigations, and third-party HIPAA assessments. The auditor questions follow predictable patterns, and they're designed to determine whether your risk assessment is real or performative.
Scope and Completeness
Auditors verify that your assessment covered all ePHI, not just the easy parts. They ask about specific systems and see if those systems appear in your inventory. They ask about business associates and cross-reference your risk assessment against your BAA inventory. Gaps indicate you didn't assess comprehensively.
One question I've seen stop organizations cold: "Walk me through how you identified all the locations where ePHI exists in your environment." If the answer is "we asked the IT director to make a list," that's a problem. A defensible answer describes a discovery process: network scanning, application inventory tools, interviews with department heads, review of vendor contracts, analysis of data flows.
Currency and Maintenance
Your risk assessment can't be a one-time event from 2018. The Security Rule requires periodic review and update. OCR expects you to reassess when your environment changes significantly—new systems, new locations, new business associates, after security incidents, after major technology changes.
Auditors look at dates. When was your last assessment? When did you implement that cloud EHR system? Those dates should align. If you migrated to a new platform eighteen months ago and your most recent risk assessment is three years old, you're not assessing current risk.
They also look for evidence that you acted on your assessment. If you identified twelve high-risk findings two years ago and implemented zero mitigations, you're not using the assessment to drive decisions. That suggests it exists for documentation purposes only.
Integration with Remediation
A risk assessment without remediation is just expensive documentation. Auditors expect to see that high and medium risks resulted in mitigation activities, either reducing the risk through controls or accepting the risk with documented justification.
Your remediation plan should tie directly to assessment findings. For each unacceptable risk, you should have documented decisions: what mitigation was implemented, when, who was responsible, and what residual risk remains. If you accepted a risk instead of mitigating it, that decision should be documented with rationale.
This is where I see the biggest disconnect. Organizations conduct an assessment, generate a list of findings, and then... nothing. The assessment sits in a folder while actual security decisions get made through different processes. When the auditor asks how the risk assessment influenced your security roadmap, there's no good answer because it didn't.
Evidence of Actual Analysis
Auditors can distinguish between authentic analysis and template completion. They ask questions designed to reveal whether you understand your own assessment:
- "Why did you rate this particular vulnerability as high risk?" If you can't explain your rationale, you didn't do analysis.
- "What changed between your 2023 assessment and your 2025 assessment?" If nothing changed, either your environment is static (unlikely) or you're reusing content.
- "How did you determine likelihood for ransomware risk in your environment?" A real answer references your controls, your threat intelligence, your industry sector, your historical data.
- "Show me how this risk assessment finding led to this implemented control." Can you draw a direct line from assessment to action?
These aren't gotcha questions. They're basic inquiries about whether the assessment represents actual work or checkbox compliance.
Common Failures That Sink Risk Assessments in Audit
After reviewing dozens of HIPAA risk assessments that failed to hold up under scrutiny, the failure modes cluster into recognizable patterns.
Template Dependence Without Customization
There's nothing wrong with using a framework or template as a starting point. The problem is treating the template as the deliverable. I've seen assessments that still reference sample data from the template, include threats irrelevant to the organization's actual environment, and omit entire categories of ePHI because they weren't in the template structure.
If your risk assessment includes findings about "mainframe security" but you don't have a mainframe, you copied content without thinking. Auditors notice.
Confusing Compliance Checklists with Risk Assessment
A compliance checklist evaluates whether you've implemented required safeguards. A risk assessment evaluates whether those safeguards are effective at reducing risk to acceptable levels. They're related but distinct activities.
Organizations sometimes submit a HIPAA Security Rule gap analysis as their risk assessment. That's not the same thing. A gap analysis tells you whether controls exist. A risk assessment tells you whether remaining risks are acceptable given your threat environment, your data sensitivity, and your impact tolerance.
No Connection Between Assessment and Budget
Your risk assessment should drive security investment decisions. If it identifies encryption of data at rest as a high-priority risk but you've allocated zero budget to implement encryption, something is broken. Either the assessment overstated the risk, or your budget process ignores the assessment findings.
When auditors see this disconnect, they question whether leadership actually uses the assessment for decision-making or whether it's a compliance artifact that gets filed and forgotten.
Treating It as an IT-Only Exercise
HIPAA risk assessment requires input from across the organization. Privacy officials need to weigh in on data handling practices. Compliance staff need to ensure BAAs are current and vendors are assessed. Legal needs to review incident response procedures. Clinical leadership needs to identify operational dependencies and acceptable downtime thresholds.
Assessments that come entirely from IT tend to overemphasize technical controls and miss administrative and physical risks entirely. They might correctly identify that backups aren't encrypted but completely miss that terminated employees still have facility access or that business associate agreements haven't been reviewed in five years.
Speaking on Healthcare Compliance and Privacy
Carl keynotes conferences and delivers workshops on HIPAA, healthcare privacy, AI in regulated environments, and building compliance programs that actually work. See all keynote speaking topics or reach out about your event.
Book Carl for Your EventHow to Structure a Risk Assessment That Actually Holds Up
Based on what survives audit scrutiny, here's the structure that works. This isn't theoretical—it's what holds up when OCR or a third-party assessor is reviewing your program.
Executive Summary
Start with a summary that leadership will actually read. What's the overall risk posture? What are the three to five highest-priority risks identified? What major changes since the last assessment? What resources are needed to address unacceptable risks?
This section exists because risk assessment is pointless if it doesn't inform leadership decisions. Make it scannable and decision-focused.
Scope Definition
Document exactly what this assessment covered. Which systems, which locations, which business units, which time period. If you excluded anything from scope, state why. If you're a multi-location practice and only assessed your main office, that needs to be explicit so the limitation is understood.
Scope definition also includes your assessment methodology. What frameworks did you reference? Who conducted the assessment? What tools did you use? How did you gather information? This section establishes that you followed a documented process, not just someone's gut feeling.
Asset Inventory
List all systems, applications, infrastructure, and devices in scope. For each asset, identify what ePHI it handles, who owns it, where it's located (physical or logical), and what safeguards apply.
This doesn't need to be a 200-page appendix with every workstation serial number, but it needs to be complete enough that someone reviewing the assessment can verify you identified all ePHI repositories.
Threat and Vulnerability Analysis
For each asset category, identify applicable threats and existing vulnerabilities. Connect them to actual evidence: vulnerability scan results, access review findings, policy gaps, incident history, vendor assessment results.
Generic threat descriptions from NIST or HHS guidance are fine as a framework, but you need to contextualize them. Don't just say "insider threat exists"—describe what insider access looks like in your environment, what controls limit it, and what gaps remain.
Risk Determination and Prioritization
For each identified risk, document your likelihood and impact assessment and the resulting risk rating. Be explicit about your methodology. If you're using a risk matrix, include it. If you're using qualitative ratings, define what high/medium/low means in terms of likelihood and impact.
This section should produce a prioritized list of risks that require attention. Make it clear which risks are unacceptable and demand mitigation versus which risks might be acceptable with appropriate justification.
Remediation Recommendations
For each unacceptable risk, recommend specific mitigations. These should be actionable: implement multi-factor authentication for all remote access, encrypt all laptops containing ePHI, update business associate agreements to include current vendor list, conduct annual security awareness training.
Include estimated effort, cost, and timeline where possible. Leadership can't make informed decisions about risk mitigation without understanding resource requirements.
Risk Acceptance and Residual Risk
Document decisions to accept risks rather than mitigate them. For each accepted risk, state the rationale: low likelihood, compensating controls in place, cost of mitigation exceeds expected loss, technical mitigation not feasible with current systems.
Risk acceptance is legitimate, but it must be documented and approved by appropriate authority. "We identified this risk three years ago and never got around to fixing it" is different from "we assessed this risk, determined the likelihood is low given our compensating controls, and accepted it with executive approval."
Maintaining the Assessment Over Time
A HIPAA risk assessment isn't a point-in-time deliverable. It's a living process that evolves with your environment.
You need a documented schedule for reassessment. Most organizations assess annually at minimum, but you should also reassess when you make significant changes: new systems, new locations, mergers or acquisitions, major security incidents, or technology migrations. If you moved from on-premises infrastructure to a cloud-based EHR, that's a material change that requires reassessment.
Between formal reassessments, maintain a process for updating risk status as you implement mitigations. When you deploy encryption on all laptops, update your risk assessment to reflect that the vulnerability is remediated and residual risk is reduced. When you discover a new ePHI repository nobody knew about, add it to inventory and assess associated risks.
Track remediation progress against your assessment findings. If you identified fifteen high-risk findings eighteen months ago, you should be able to show status on all fifteen: which are fully remediated, which are in progress, which are blocked pending resources, which were accepted with documented rationale.
This ongoing maintenance is what separates organizations with mature compliance programs from those doing the minimum. A three-year-old risk assessment that hasn't been updated tells auditors you're not actually managing risk—you're managing documentation.
The Strategic Value of a Real Risk Assessment
Beyond satisfying the HIPAA Security Rule requirement, a legitimate risk assessment gives you something valuable: an evidence-based foundation for security investment decisions.
When you're competing for budget against clinical priorities, "we need to spend $50,000 on security tools" is a weak argument. "Our risk assessment identified that 30% of our workforce is using personal devices to access ePHI through unmanaged channels, creating a high-likelihood risk of unauthorized disclosure that could result in breach notification costs exceeding $200,000 plus OCR penalties, and we can mitigate this risk for $50,000 in mobile device management and endpoint protection" is a different conversation.
Risk assessment connects security spending to business impact. It forces you to think about what you're protecting, what threats are realistic, and what level of residual risk is acceptable. Those are strategic questions that deserve thoughtful analysis, not checkbox answers from a template.
For covered entities and business associates working in HIPAA compliance, the risk assessment is often the most scrutinized artifact in your security program. It's worth doing it right—not just to satisfy auditors, but because it makes you better at actually protecting the ePHI you're responsible for.
When I talk to healthcare leadership about building effective compliance programs, this is where I start. You can't protect what you haven't identified. You can't prioritize what you haven't assessed. And you can't justify investment in controls without demonstrating the risks they're designed to mitigate. A real HIPAA risk assessment gives you all three.