Conducting a HIPAA risk assessment requires a structured, systematic approach. This step-by-step guide walks you through the entire process, from initial planning through documentation and remediation planning. Whether this is your first assessment or your annual update, follow these steps to ensure a comprehensive, compliant evaluation.
Risk Assessment Timeline
Total duration typically ranges from 6-12 weeks depending on organization size and complexity:
Week 1-2: Planning and team assembly
Week 2-4: System inventory and documentation
Week 4-8: Risk identification and analysis
Week 8-10: Documentation and reporting
Week 10-12: Review, approval, and remediation planning
Step 1: Plan and Establish Scope (Week 1-2)
1 Define Assessment Scope
Determine what systems, locations, and processes will be included in the assessment. Your scope should cover:
- All systems handling electronic protected health information (ePHI)
- All physical locations where PHI is stored or accessed
- All workforce members with PHI access
- All business associates and third-party vendors
- Cloud services and off-site systems
- Telehealth and remote access systems
2 Assemble Assessment Team
Select representatives from multiple departments:
- Compliance/Privacy Officer: Leads assessment and ensures regulatory compliance
- IT Director/Manager: Assesses technical controls and systems security
- IT Staff: Provide technical details and system configuration knowledge
- Clinical Leadership: Represent clinical workflow and patient care perspective
- Operations Manager: Address physical security and administrative controls
- Security Officer: If this is a separate role, leads risk prioritization and remediation
3 Select Assessment Methodology
Choose an approach for conducting the assessment:
- Internal team conducting comprehensive self-assessment
- External consultant leading assessment process
- Hybrid approach with external consultant oversight
- Specialized risk assessment software platform
Document your chosen methodology for compliance purposes.
4 Schedule and Communicate
Establish timeline and communicate to stakeholders:
- Send notice to all departments about upcoming assessment
- Schedule key team meetings and interviews
- Request documentation and system information from IT and operations
- Set expectations for staff participation and response times
- Identify assessment lead or external vendor if applicable
Step 2: Inventory Systems and Assets (Week 2-4)
5 Document All Information Systems
Create comprehensive inventory of systems handling PHI:
- Electronic health record (EHR) system and version
- Practice management/billing systems
- Backup and disaster recovery systems
- Email and messaging platforms
- File servers and data storage
- Computers, laptops, tablets, and mobile devices
- Printers, copiers, and scanners with storage
- Cloud services (Microsoft 365, Google Workspace, etc.)
- Telehealth platforms
- Third-party applications and integrations
For each system, document: vendor, version, number of users, data handled, physical location, and criticality to operations.
6 Map Data Flows
Document how PHI moves through your organization:
- How patient data originates (intake, lab results, imaging)
- Systems where data is stored or processed
- Transmission methods between systems
- Data access by different user roles
- Export and reporting functions
- Data disposal and archival processes
7 Identify Physical Locations
Document all locations where PHI is handled:
- Clinic or office locations
- Server rooms and data centers
- Offsite storage locations
- Disaster recovery or backup sites
- Vendor or business associate locations
Step 3: Identify Threats and Vulnerabilities (Week 4-8)
8 Identify Threats
Systematically catalog potential threats to your systems and PHI:
- External threats: Hacking, ransomware, DDoS, exploitation of vulnerabilities
- Internal threats: Unauthorized access, data theft, sabotage by employees
- Environmental threats: Natural disasters, power outages, fires, flooding
- Human error: Misconfiguration, accidental disclosure, lost devices
- Malware: Viruses, spyware, trojans, worms
Consider industry threat data and historical incidents in healthcare.
9 Assess Vulnerabilities
Evaluate systems and processes for security gaps:
- Technical: Unpatched software, weak authentication, missing encryption, outdated systems
- Administrative: Weak policies, inadequate training, insufficient access controls
- Physical: Unsecured equipment, unauthorized facility access, inadequate surveillance
- Personnel: Insufficient background checks, inadequate security training, poor incident response
Use vulnerability scanning tools, policy review, interviews, and documentation review to identify gaps.
10 Document Current Controls
For each identified vulnerability, document:
- Current security controls that mitigate the threat
- Effectiveness rating of each control (Strong, Adequate, Weak, Missing)
- Evidence of control implementation (policies, audit logs, configuration screenshots)
- Gaps where controls are inadequate or missing
11 Conduct Risk Interviews
Meet with key stakeholders to understand operations and identify risks:
- Clinical staff about workflow and system usage
- IT staff about system architecture and security
- Operations staff about physical security and procedures
- Management about business priorities and constraints
Use these interviews to validate findings and identify risks that technical assessment alone might miss.
Step 4: Calculate Risk and Prioritize (Week 8-10)
12 Rate Risk for Each Finding
For each identified threat-vulnerability combination, calculate a numeric risk score using this formula:
Risk = (Threat Likelihood × Vulnerability Severity × Asset Value) / Control Effectiveness
Score each factor on a documented ordinal scale (for example, 1-3 or 1-5) and map score ranges to the ratings Critical, High, Medium, or Low. Because the formula divides by control effectiveness, a control rated Missing must map to the lowest non-zero value on the scale, not to zero. Record the scales and thresholds in the report so that ratings are reproducible in next year's assessment.
13 Prioritize Risks
Create prioritized list by risk level:
- Critical: Address immediately or implement interim protections
- High: Address within 30-60 days
- Medium: Address within 90 days
- Low: Address within 6-12 months
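The scoring and prioritization in Steps 12 and 13, worked through in code as an added example (this is not part of the original guide or any vendor platform). The 1-3 factor scales, the 1-4 control-effectiveness scale, the score thresholds for each band, and the sample findings are all assumptions chosen for illustration; the remediation windows follow the tiers listed above. The example also shows the caveat that a Missing control must still divide by a non-zero value.

```python
"""Worked risk scoring for Step 4: rate each finding, band it, and prioritize.

Added example. Scale values, band thresholds and sample findings are assumptions
chosen to illustrate the guide's formula; they are not figures from the guide.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Ordinal factor scales (assumed, 1-3).
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
SEVERITY = {"low": 1, "medium": 2, "high": 3}
ASSET_VALUE = {"low": 1, "medium": 2, "high": 3}

# The guide's control ratings (Strong/Adequate/Weak/Missing) mapped to a divisor.
# "Missing" must be non-zero or the formula divides by zero.
CONTROL_EFFECTIVENESS = {"Strong": 4, "Adequate": 3, "Weak": 2, "Missing": 1}

# Raw score ranges from 1*1*1/4 = 0.25 up to 3*3*3/1 = 27. Band floors are assumptions.
BANDS = [("Critical", 13.5), ("High", 6.0), ("Medium", 2.0), ("Low", 0.0)]

# Remediation windows from Step 13, in days after the assessment date
# (the upper end of each window; Critical is "immediately").
SLA_DAYS = {"Critical": 0, "High": 60, "Medium": 90, "Low": 365}


@dataclass
class Finding:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    severity: str
    asset_value: str
    control: str  # current control effectiveness rating from Step 10


def risk_score(f: Finding) -> float:
    """Risk = (Threat Likelihood x Vulnerability Severity x Asset Value) / Control Effectiveness."""
    numerator = LIKELIHOOD[f.likelihood] * SEVERITY[f.severity] * ASSET_VALUE[f.asset_value]
    return numerator / CONTROL_EFFECTIVENESS[f.control]


def risk_band(score: float) -> str:
    """Map a numeric score to Critical/High/Medium/Low using the documented floors."""
    for name, floor in BANDS:
        if score >= floor:
            return name
    return "Low"


def build_register(findings, assessed_on: str):
    """Return the prioritized risk register: highest score first, with a due date
    and a flag for items that need an interim control (Step 17)."""
    start = date.fromisoformat(assessed_on)
    rows = []
    for f in findings:
        score = risk_score(f)
        band = risk_band(score)
        rows.append({
            "asset": f.asset,
            "threat": f.threat,
            "vulnerability": f.vulnerability,
            "score": score,
            "band": band,
            "due": start + timedelta(days=SLA_DAYS[band]),
            "interim_control_required": band in ("Critical", "High"),
        })
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


# Constructed sample findings for illustration; not real assessment data.
SAMPLE_FINDINGS = [
    Finding("EHR server", "ransomware", "unpatched OS", "high", "high", "high", "Missing"),
    Finding("Front-desk laptop", "lost device", "no full-disk encryption", "medium", "high", "medium", "Weak"),
    Finding("Backup NAS", "flood", "single site, no offsite copy", "low", "high", "high", "Adequate"),
    Finding("Guest Wi-Fi", "unauthorized access", "shared password", "medium", "low", "low", "Strong"),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_FINDINGS, "2024-01-15"):
        print(f'{row["band"]:8} {row["score"]:5.2f} due {row["due"]} '
              f'{row["asset"]}: {row["vulnerability"]}')
```

Whatever scales you choose, keep them fixed across annual updates; changing the divisor mapping or the band floors between assessments makes year-over-year risk trends meaningless and invites questions from an auditor.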
Step 5: Document and Report (Week 10-12)
14 Prepare Risk Assessment Report
Create comprehensive documentation including:
- Executive summary for leadership
- Detailed system inventory and scope
- Threat and vulnerability identification process
- Risk assessment methodology and calculations
- Detailed findings with evidence
- Prioritized risk register
- Recommended remediations
- Sign-off and approval dates
15 Review and Approve Assessment
Ensure assessment receives appropriate review:
- Compliance officer reviews for completeness and methodology
- IT leadership reviews for technical accuracy
- Executive leadership or board reviews for organizational impact
- Get formal sign-off and approval
- Document version control and approval dates
Streamline Your Assessment Process
Following these steps manually is time-intensive. Medcurity's assessment platform guides you through each step with templates, automated scoring, and professional reporting capabilities.
Step 6: Plan and Track Remediation
16 Develop Remediation Plan
For each identified risk, create remediation plan specifying:
- Specific remediation action
- Responsible party or owner
- Target completion date
- Resources required
- Success criteria
17 Implement Interim Controls
For critical and high-risk items you cannot immediately remediate, implement interim compensating controls:
- Alternative security measures that reduce risk
- Enhanced monitoring or manual processes
- Restricted access or usage
- Written documentation of each interim measure
18 Track and Report Progress
Monitor remediation implementation:
- Track progress against target dates
- Document completion evidence
- Validate effectiveness of remediations
- Report status to leadership quarterly
- Adjust timeline as needed with documentation
Frequently Asked Questions
Q: How long does a complete risk assessment take?
Typically 6-12 weeks from planning through documentation. Smaller organizations might complete in 4-6 weeks; large health systems may need 3-4 months. Ongoing annual updates are usually faster (4-6 weeks) once the initial process is established and documentation is current.
Q: What if our organization doesn't have IT staff?
Many small practices use IT vendors or managed service providers to support the technical assessment components. The assessment can be conducted with a combination of internal staff, your IT vendor, and possibly external consultants. It is critical that the assessment team include someone with technical knowledge.
Q: Can we conduct assessment while systems are in use?
Yes, assessment should not significantly disrupt operations. Interviews and documentation review can occur during normal business hours. Vulnerability scanning can be scheduled during off-hours if desired. Some assessment activities (policy review, process documentation) don't require system access.
Q: What if we discover major vulnerabilities during assessment?
Document them thoroughly and address immediately if they pose critical risk to PHI. Implement interim protective measures while planning permanent remediation. Update your risk register with realistic timelines. This is normal—assessments often identify gaps that need urgent attention.