
HIPAA Risk Assessment: Five-Step Process for OCR

11 min read | Updated March 1, 2026

Bottom Line Up Front

A HIPAA risk assessment is a mandatory process under 164.308(a)(1)(ii)(A) requiring covered entities and business associates to identify where ePHI resides, determine reasonably anticipated threats to its confidentiality, integrity, and availability, and calculate the probability and impact of each threat. The assessment produces a risk score (Likelihood x Impact) for every threat-vulnerability pair, with remediation priorities based on score. HHS does not specify a format or methodology but requires documented probability and impact calculations.

Every HIPAA risk assessment I review commits the same fundamental error. The document is titled “Risk Assessment.” The content is a checklist. MFA: yes. Encryption: yes. Backup: yes. A series of binary answers telling OCR investigators which controls exist and which are missing. HHS does not ask for a checklist. HHS asks for probability and impact calculations for specific threats exploiting specific vulnerabilities in your environment [HIPAA 164.308(a)(1)(ii)(A)].

The distinction is not semantic. A checklist identifies what you have. A HIPAA risk assessment calculates how likely each threat is to succeed and how severe the consequences would be. HHS enforcement data shows 71% of resolution agreements cite an incomplete or missing risk assessment as a primary finding [HHS OCR 2024 Annual Report]. Organizations submitting gap analyses labeled as risk assessments account for the majority of those findings.

Five steps separate a compliant risk assessment from a checklist: ePHI inventory (including shadow AI), threat identification mapped to your specific environment, risk calculation using the probability-impact formula, tool-assisted scoring, and documented risk acceptance decisions.

A HIPAA risk assessment is a mandatory process under 164.308(a)(1)(ii)(A) requiring covered entities to identify where ePHI resides, determine reasonably anticipated threats, and calculate each threat’s probability and impact. The assessment produces a risk score (Likelihood x Impact) for every threat-vulnerability pair, driving remediation priorities [HIPAA 164.308(a)(1)(ii)(A)].

Why Do Most Organizations Submit a Gap Analysis Instead of a Risk Assessment?

The most common HIPAA audit failure: organizations submit a gap analysis when the regulation requires a risk assessment. The two documents serve different purposes and produce different outputs.

Gap Analysis vs. Risk Assessment

A gap analysis asks binary questions: “Do you have multi-factor authentication? Yes or No.” A risk assessment asks probability questions: “How likely is an unauthorized user to access ePHI through a compromised credential, and what is the impact if they succeed?” The gap analysis identifies missing controls. The risk assessment quantifies the organizational risk of each gap and prioritizes remediation by risk score, not by control category.

HHS OCR Guidance on Risk Analysis requires covered entities to calculate the probability and impact of threats exploiting vulnerabilities in systems containing ePHI [HIPAA 164.308(a)(1)(ii)(A)]. A checklist without probability and impact ratings fails this requirement regardless of how many controls it evaluates.

Review your current HIPAA compliance documentation. If your “risk assessment” consists of a checklist with Yes/No answers and no probability or impact ratings, replace it with a structured risk assessment using the Likelihood (1-5) x Impact (1-5) = Risk Score (1-25) formula. Each row documents a specific threat scenario, the vulnerability it exploits, the affected ePHI system, the likelihood rating with justification, the impact rating with justification, and the resulting risk score driving remediation priority.

Step 1: ePHI Inventory

The average healthcare organization uses 14 cloud-based applications touching patient data [HIMSS 2024], and the risk assessment starts with a complete inventory of every system, device, and application creating, receiving, maintaining, or transmitting electronic protected health information. You cannot assess risk to assets you have not identified [HIPAA 164.308(a)(1)(ii)(A)].

The Four Inventory Categories

Hardware: Workstations, laptops, mobile devices, servers, medical IoT devices, and network equipment. Include legacy systems (MRI machines running deprecated operating systems, diagnostic equipment with embedded storage).

Software: EHR systems, practice management software, billing platforms, telehealth applications, and clinical decision support tools.

Cloud Services: Email (Microsoft 365, Google Workspace), file storage (Google Drive, OneDrive, Dropbox), communication platforms (Zoom, Teams, Slack).

AI Tools: Any AI-powered service workforce members use with patient data, including AI scribes, clinical note summarizers, and general-purpose tools like ChatGPT.

The Shadow AI Update

In 2026, shadow IT extends beyond unauthorized cloud storage to unauthorized AI tool usage. Clinicians pasting patient notes into ChatGPT for summarization, staff using AI scribes on personal devices, or billing teams uploading claims data to AI analysis tools create ePHI exposure your inventory must capture. Survey each department about AI tool usage. If the tool processes patient data and does not operate under a Business Associate Agreement, it represents an uncontrolled ePHI disclosure [HIPAA 164.502(a)].

Build your ePHI inventory as a spreadsheet with columns for: system/device name, category (hardware/software/cloud/AI), ePHI types stored or processed, location (on-premises/cloud/hybrid), BAA status (yes/no/not applicable), encryption status (at rest/in transit), and access control method. Include every asset touching ePHI, including personal devices used under BYOD policies. Survey each department head specifically about AI tool usage. An incomplete inventory produces an incomplete risk assessment producing an incomplete remediation plan.

Step 2: Threat Identification

HIPAA requires identifying “reasonably anticipated threats” to the confidentiality, integrity, and availability of ePHI [HIPAA 164.306(a)(2)]. Document threats across three categories, not only cyber attacks.

Three Threat Categories

Human threats: Workforce members losing unencrypted devices, clicking phishing links, sharing credentials, or accessing records without authorization (the “curiosity breach”).

Environmental threats: Power outages disabling server room cooling, water damage to on-premises infrastructure, or natural disasters affecting facility access.

Technical threats: Ransomware encrypting billing databases, SQL injection against patient portals, credential stuffing attacks against workforce accounts, and supply chain compromise through vendor software updates.

An assessment listing only “cyber attacks” is incomplete. OCR investigators verify your threat identification covers all three categories. The 2024 HHS enforcement actions cited multiple organizations for failing to identify environmental and human threats alongside technical threats [HHS OCR 2024].

Create a threat catalog documenting at least 15-20 specific threat scenarios across all three categories (human, environmental, technical). For each threat, identify the specific vulnerability it exploits and the ePHI system affected. Example: “Ransomware attack (technical threat) exploiting unpatched VPN concentrator (vulnerability) affecting billing database containing 50,000 patient records (ePHI system).” Specificity in threat identification produces specificity in remediation planning.

Step 3: Risk Calculation

Organizations with documented probability and impact calculations reduce OCR findings by 60-80%, because the risk calculation transforms the assessment from a gap analysis into the legal document HIPAA requires. For every threat-vulnerability pair, assign two scores: Likelihood (probability the threat exploits the vulnerability) and Impact (damage to the organization if it occurs) [HIPAA 164.308(a)(1)(ii)(A)].

The Risk Score Formula

Risk Score = Likelihood (1-5) x Impact (1-5)

Four common threat scenarios illustrate how the formula translates vulnerability-threat pairs into prioritized remediation actions.

Threat Scenario   | Vulnerability                                      | Risk Score
------------------|----------------------------------------------------|-------------------------------------------------
Ransomware attack | No offline backups, no endpoint detection          | Critical (L:5 x I:5 = 25): Remediate immediately
Lost laptop       | Unencrypted hard drive                             | High (L:4 x I:4 = 16): Remediate within 30 days
Phishing email    | No email filtering, no security awareness training | Medium (L:3 x I:3 = 9): Schedule remediation
Power outage      | No generator, no UPS for servers                   | Low (L:2 x I:2 = 4): Accept with documentation

Document the justification for each likelihood and impact rating. “Likelihood: 5 because ransomware targeting healthcare organizations increased 73% year over year [HHS OCR 2024] and the organization lacks endpoint detection” provides the rationale OCR investigators verify. Ratings without justification appear arbitrary and invite scrutiny.

Use the free HHS Security Risk Assessment (SRA) Tool to structure your risk calculation. The SRA Tool walks through the exact questions an OCR investigator asks and generates the final report. Download the desktop version to keep assessment data local. For each threat-vulnerability pair, document: the threat scenario, the affected system, current safeguards in place, likelihood rating (1-5) with justification, impact rating (1-5) with justification, risk score, and planned remediation action with target date.

Step 4: Risk Acceptance Documentation

Budget constraints prevent immediate remediation of every identified risk, and ignoring a known risk constitutes willful neglect under HIPAA, increasing penalties from $100-$50,000 to $50,000+ per violation [HIPAA 164.404]. Budget limits, legacy system dependencies, and business continuity requirements create situations where the organization accepts a risk for a defined period. HIPAA permits risk acceptance when documented with formal justification [HIPAA 164.306(b)(2)(iv)].

The Risk Acceptance Memo

For each accepted risk, document four fields: the risk description, the justification for acceptance (cost exceeds benefit, compensating control in place, remediation planned for next budget cycle), the compensating control reducing exposure, and the review date (no more than 12 months from acceptance). The risk acceptance memo proves your organization manages risk deliberately rather than ignoring it. Ignoring a known risk constitutes willful neglect under HIPAA enforcement guidelines, increasing penalty tiers from $100-$50,000 per violation to $50,000 per violation with no cap [HIPAA 164.404].

Create a Risk Acceptance Register as an appendix to your risk assessment. For each accepted risk, document: risk description, risk score, justification for acceptance, compensating control, risk owner (name and title), acceptance date, and review date. The risk owner must hold management authority over the affected system. Set review dates at 6-month or 12-month intervals. During each review, reassess the risk score against current threat intelligence and document the decision to continue accepting, escalate, or remediate. The register demonstrates active risk management throughout the assessment period.
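As an added worked example (not code from the article, and not the HHS SRA Tool), the following Python models the risk register rows from Step 3 and the Risk Acceptance Register from Step 4: it applies the Likelihood (1-5) x Impact (1-5) = Risk Score formula, rejects out-of-range ratings, flags ratings with no written justification, orders remediation by score, and checks each acceptance record for the required justification, compensating control, named owner, and a review date no more than 12 months out. The tier boundaries between the article's four sample scores (25, 16, 9, 4), the reading of "12 months" as 365 days, and the sample rows are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Remediation action per tier, taken from the article's scoring table.
ACTIONS = {
    "Critical": "Remediate immediately",
    "High": "Remediate within 30 days",
    "Medium": "Schedule remediation",
    "Low": "Accept with documentation",
}

# ASSUMPTION: tier floors. The article gives only four sample scores
# (25 Critical, 16 High, 9 Medium, 4 Low); the cut-offs between them are ours.
TIER_FLOORS = [(20, "Critical"), (12, "High"), (6, "Medium"), (1, "Low")]

# ASSUMPTION: "no more than 12 months" between acceptance and review read as 365 days.
MAX_REVIEW_INTERVAL = timedelta(days=365)


@dataclass
class Risk:
    """One register row: a threat-vulnerability pair, the affected system, and ratings."""
    threat: str
    vulnerability: str
    system: str
    likelihood: int
    likelihood_justification: str
    impact: int
    impact_justification: str


@dataclass
class Acceptance:
    """One row of the Risk Acceptance Register appendix."""
    risk: Risk
    justification: str
    compensating_control: str
    owner_name: str
    owner_title: str
    acceptance_date: date
    review_date: date


def risk_score(likelihood: int, impact: int) -> int:
    """Likelihood (1-5) x Impact (1-5) = Risk Score (1-25); rejects out-of-range ratings."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")
    return likelihood * impact


def tier(score: int) -> str:
    """Map a 1-25 score onto the article's four tiers using the assumed floors."""
    for floor, name in TIER_FLOORS:
        if score >= floor:
            return name
    raise ValueError(f"score out of range: {score}")


def rating_problems(risk: Risk) -> list[str]:
    """Ratings without a written justification 'appear arbitrary'; report them."""
    problems = []
    if not risk.likelihood_justification.strip():
        problems.append(f"{risk.threat}: likelihood rating has no justification")
    if not risk.impact_justification.strip():
        problems.append(f"{risk.threat}: impact rating has no justification")
    return problems


def prioritize(risks: list[Risk]) -> list[dict]:
    """Score every pair and return the register ordered highest score first."""
    rows = []
    for r in risks:
        s = risk_score(r.likelihood, r.impact)
        t = tier(s)
        rows.append({"threat": r.threat, "system": r.system, "score": s,
                     "tier": t, "action": ACTIONS[t]})
    return sorted(rows, key=lambda row: row["score"], reverse=True)


def acceptance_problems(acc: Acceptance) -> list[str]:
    """Check the memo fields, the named owner, and the review-date limit the article requires."""
    problems = []
    for label, value in (("justification", acc.justification),
                         ("compensating control", acc.compensating_control),
                         ("risk owner name", acc.owner_name),
                         ("risk owner title", acc.owner_title)):
        if not value.strip():
            problems.append(f"{acc.risk.threat}: missing {label}")
    if acc.review_date <= acc.acceptance_date:
        problems.append(f"{acc.risk.threat}: review date must follow acceptance date")
    elif acc.review_date - acc.acceptance_date > MAX_REVIEW_INTERVAL:
        problems.append(f"{acc.risk.threat}: review date more than 12 months after acceptance")
    return problems


# Constructed sample rows mirroring the article's four scenarios (justifications are illustrative).
SAMPLE_RISKS = [
    Risk("Ransomware attack", "No offline backups, no endpoint detection", "Billing database",
         5, "Healthcare ransomware rising; no endpoint detection in place",
         5, "Billing outage plus exposure of every patient record"),
    Risk("Lost laptop", "Unencrypted hard drive", "Clinician laptops",
         4, "Laptops leave the facility daily", 4, "Full ePHI exposure per lost device"),
    Risk("Phishing email", "No email filtering, no security awareness training", "Workforce email",
         3, "No filtering and untrained staff", 3, "Single-account compromise"),
    Risk("Power outage", "No generator, no UPS for servers", "On-premises servers",
         2, "Two outages in the past three years", 2, "Hours of downtime, no data loss"),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_RISKS):
        print(f"{row['score']:>2} {row['tier']:<8} {row['threat']:<18} {row['action']}")
    late = Acceptance(SAMPLE_RISKS[3], "Generator cost exceeds benefit this cycle",
                      "Nightly off-site backups", "A. Example", "Director of IT",
                      date(2026, 3, 1), date(2027, 6, 1))  # review set too far out: flagged
    print(acceptance_problems(late))
```

Running the block prints the four sample rows ordered 25, 16, 9, 4 with the table's actions, then the single problem on the constructed acceptance record whose review date falls 15 months after acceptance. Feeding it your own inventory rows is a matter of building `Risk` objects from the spreadsheet columns described in Step 1; the validators deliberately return lists of problems rather than raising, so a register can be checked in one pass and the findings attached to the assessment.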

Ongoing Assessment: Process, Not Project

A HIPAA risk assessment is a living document updated whenever the ePHI environment changes. HIPAA requires “periodic” reassessment [HIPAA 164.308(a)(8)]. OCR interprets “periodic” as annually at minimum, with updates triggered by significant changes: new EHR deployment, cloud migration, office relocation, workforce expansion, or new vendor onboarding.

Update the assessment when any of these occur: adding a new system processing ePHI, changing cloud providers, experiencing a security incident, or onboarding a new business associate. An assessment documenting your environment 18 months ago while you migrated to a new EHR 6 months ago contains stale risk calculations the OCR investigator identifies immediately.

Schedule annual risk assessment reviews on your compliance calendar. Define triggering events requiring interim updates in your Information Security Policy: new ePHI system deployment, cloud migration, vendor change, security incident, or regulatory change. Assign the assessment update to a named owner (Privacy Officer or Security Officer) with a 30-day completion window from the triggering event. Document each update with the date, trigger, and changes made to the risk register.

A checklist is not a risk assessment. The distinction costs organizations six- and seven-figure settlement agreements with HHS OCR. Download the free SRA Tool. Inventory every system touching ePHI, including the AI tools your staff adopted without approval. Calculate probability and impact for every threat-vulnerability pair. Document risk acceptance for gaps you cannot fix immediately. An assessment with 50 identified risks and 45 documented acceptances demonstrates better risk management than a perfect checklist with no risk calculations.

Frequently Asked Questions

What is a HIPAA risk assessment?

A HIPAA risk assessment is a mandatory process under 164.308(a)(1)(ii)(A) requiring covered entities to identify where ePHI resides, determine reasonably anticipated threats, and calculate the probability and impact of each threat exploiting a vulnerability. The output is a risk score for every threat-vulnerability pair driving remediation priorities. A gap analysis (control checklist) does not satisfy this requirement [HIPAA 164.308(a)(1)(ii)(A)].

How often must I conduct a HIPAA risk assessment?

HIPAA requires “periodic” reassessment [HIPAA 164.308(a)(8)]. OCR interprets this as annually at minimum. Trigger interim updates for significant changes: new EHR deployment, cloud migration, office relocation, security incident, or new business associate onboarding. An assessment older than 12 months without documented updates raises immediate flags during OCR investigations.

Does my EHR vendor handle the risk assessment for me?

Your EHR vendor secures their cloud infrastructure and provides their own SOC 2 report or security attestation. They do not assess risk for your environment: your workstations, your network, your staff’s password practices, your physical security, or your AI tool usage. The covered entity bears responsibility for its own risk assessment regardless of how many vendors handle ePHI on its behalf [HIPAA 164.308(a)(1)].

Are small practices exempt from risk assessments?

The HIPAA Security Rule applies to all covered entities regardless of size [HIPAA 164.302]. A solo therapist conducting the assessment using the free HHS SRA Tool satisfies the requirement. The scope scales to the practice size: a solo practitioner with five systems produces a smaller assessment than a 500-bed hospital. The requirement to calculate probability and impact remains identical.

What is the difference between a risk assessment and a gap analysis?

A gap analysis asks binary questions about control existence (Yes/No). A risk assessment calculates the probability and impact of threats exploiting vulnerabilities using a quantified scoring methodology (Likelihood x Impact = Risk Score). HIPAA requires the risk assessment with documented probability and impact calculations. A gap analysis without risk scoring fails OCR review regardless of how thorough the control evaluation appears.

What tool should I use for the risk assessment?

HHS provides the free Security Risk Assessment (SRA) Tool walking through the exact questions OCR investigators ask. Download the desktop version to keep data local. The SRA Tool generates the final report in a format OCR recognizes. For mid-sized organizations, engage a third-party assessor ($8,000-$25,000) providing objective evaluation and independent documentation.


Josef Kamara, CPA, CISSP, CISA, Security+

Former KPMG and BDO. Senior manager over third-party risk attestations and IT audits at a top-five global firm, and former technology risk leader directing the IT audit function at a Fortune 500 medical technology company. Advises growth-stage SaaS companies on SOC 2, HIPAA, and AI governance certifications.