HIPAA

HIPAA Risk Assessment: The 2026 Step-by-Step Guide

A CPA firm's method for the risk analysis HIPAA actually requires — OCR's nine elements grouped into six steps, a likelihood x impact scoring model, and a worked sample risk register.

The short answer

A HIPAA risk assessment — formally the “risk analysis” required by 45 CFR 164.308(a)(1)(ii)(A) — is an accurate, thorough evaluation of the risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI). It is a required (not addressable) implementation specification. Every covered entity and every business associate that touches ePHI must conduct one, document it, and update it periodically.

Key takeaways

  • It is a legal requirement, not a checklist. 45 CFR 164.308(a)(1)(ii)(A) makes the risk analysis a required implementation spec; there is no official HIPAA certification and no pass/fail exam — you produce internal evidence of due diligence.
  • Risk analysis and risk management are two distinct required specs. The analysis (a)(1)(ii)(A) rates risk; risk management (a)(1)(ii)(B) reduces it. Conflating them is the most common conceptual error OCR sees.
  • OCR defines nine elements; competitors sell them as six steps. We map both. Score each risk as Likelihood × Impact on a 1–5 scale (15–25 High, 8–14 Medium, 1–7 Low), grounded in NIST SP 800-30 Rev. 1 and NIST SP 800-66r2.
  • Documentation must be kept for six years (45 CFR 164.316) and reviewed on material change. The 2025 Security Rule NPRM (published Jan 6, 2025) would make the written analysis, asset inventory, and network map explicit — but it is proposed, not final as of publication.

Risk analysis vs. risk management vs. gap assessment

The words people use interchangeably are three different things under the Security Rule, and OCR settlements repeatedly turn on the confusion. A HIPAA risk analysis identifies and rates the risks to ePHI. Risk management is the separate, also-required step of actually reducing those risks. A gap assessment is a useful internal exercise — but it is not what the regulation names, and on its own it does not satisfy the standard.

Three terms people conflate — and what each one is
TermRegulatory citationWhat it answersOutput artifactCommon misconception
Risk analysis (risk assessment)45 CFR 164.308(a)(1)(ii)(A) — RequiredWhat are the risks and vulnerabilities to the confidentiality, integrity, and availability of our ePHI, and how serious is each?Documented risk register with rated risks“A pen test or SOC 2 report covers it.” It does not.
Risk management45 CFR 164.308(a)(1)(ii)(B) — RequiredWhat security measures will reduce those risks to a reasonable and appropriate level, by when, and who owns them?Remediation / corrective action plan“It’s the same thing as the analysis.” It is a distinct required spec.
Gap assessmentNot a regulatory term (informal readiness step)Where do our current safeguards fall short of the Security Rule standards?Gap list / readiness report“A gap assessment is the risk analysis.” It informs, but does not replace, the analysis.

OCR’s own Guidance on Risk Analysis is explicit that the analysis (a)(1)(ii)(A) and risk management (a)(1)(ii)(B) are separate requirements. Getting the vocabulary right in your documentation matters, because auditors and OCR investigators look for both artifacts by name.

Is a HIPAA risk assessment legally required?

Yes — unambiguously. The risk analysis sits inside the Security Management Process standard at 45 CFR 164.308(a)(1)(i), and it is one of that standard’s required implementation specifications. Unlike addressable specs (where you may implement an equivalent alternative and document why), a required spec must be performed. The general requirements at 45 CFR 164.306(a) frame the whole obligation: protect the confidentiality, integrity, and availability of all ePHI you create, receive, maintain, or transmit.

Three points founders and compliance leads consistently get wrong:

  • There is no “HIPAA certification.” HHS does not certify or endorse compliance. You conduct the analysis yourself (optionally with a CPA or security firm), and it produces internal evidence — not a certificate. Any vendor selling a “HIPAA certified” badge is describing their own attestation, not a government seal.
  • Business associates are directly liable. Since the 2013 Omnibus Rule, business associates — SaaS, cloud, and IT vendors that create, receive, maintain, or transmit ePHI — must conduct their own risk analysis, independent of their covered-entity customers, and sign a business associate agreement (BAA).
  • It is not a one-time deliverable. Under 45 CFR 164.316, Security Rule documentation must be retained for six years from creation or last effective date, and the analysis must be reviewed and updated periodically and in response to environmental or operational change.

The nine required elements of a compliant risk analysis

The regulation says conduct an accurate and thorough assessment but does not prescribe a methodology. OCR’s 2010 Guidance on Risk Analysis Requirements fills that gap with nine elements every compliant analysis must contain. That guidance is 16 years old but remains operative; the current implementation companion is NIST SP 800-66 Revision 2 (Feb 2024), which maps each Security Rule spec to NIST CSF subcategories and SP 800-53r5 controls.

OCR’s nine required elements of a risk analysis
#ElementSourceWhat auditors look forExample evidence
1Scope of the analysis (all ePHI)OCR Guidance; 164.306(a)Every system, medium, and location holding ePHI is in scope — not just the EHRScope statement, system boundary diagram
2Data collection (where ePHI is created, received, maintained, transmitted)OCR GuidanceA complete ePHI asset inventory and data-flow mapAsset inventory, data-flow diagram
3Identify and document threats and vulnerabilitiesOCR Guidance; NIST 800-30r1Adversarial, accidental, structural, and environmental threats paired to real vulnerabilitiesThreat/vulnerability catalog
4Assess current security measuresOCR Guidance; 164.308–312Existing administrative, physical, and technical safeguards documented per riskControl descriptions, configs
5Determine likelihood of threat occurrenceOCR Guidance; NIST 800-30r1A defined, repeatable likelihood scaleLikelihood rating with rationale
6Determine potential impactOCR Guidance; NIST 800-30r1Impact rated against C-I-A of ePHIImpact rating with rationale
7Determine the level of riskOCR Guidance; NIST 800-30r1Likelihood × Impact producing a prioritized risk ratingRisk register with scores
8Document the analysisOCR Guidance; 164.316(b)A written, retained record — six-year retentionSigned risk analysis report
9Periodic review and updateOCR Guidance; 164.306(e), 164.316Evidence of refresh on material change and at least annually in practiceVersion history, review log

How to conduct a HIPAA risk assessment — six practical steps

OCR describes nine elements; in practice they group into six steps. We reconcile both here so your documentation maps cleanly to the guidance while your project plan stays workable. Steps 8 (document) and 9 (review) are continuous and run through every step below.

Step 1 — Define scope and build the ePHI asset inventory & data-flow map

(OCR elements 1–2.) Start by listing every place ePHI is created, received, maintained, or transmitted: production databases, backups, log stores, email, ticketing systems, laptops, mobile devices, SaaS subprocessors, and cloud object storage. Draw a data-flow map showing how ePHI moves between them and across trust boundaries. Scope errors are the most expensive mistake — a missed S3 bucket or an unmanaged laptop is exactly where breaches originate. The 2025 NPRM would make a written asset inventory and network map explicit, so building them now is future-proofing, not busywork.

Step 2 — Identify threats and vulnerabilities to ePHI

(OCR element 3.) Use the NIST SP 800-30 Rev. 1 threat-source taxonomy — adversarial (external attackers, malicious insiders), accidental (user error, misconfiguration), structural (equipment or software failure), and environmental (power loss, natural disaster). Pair each threat source with the vulnerabilities it could exploit: an unencrypted laptop (vulnerability) exposed to theft (adversarial threat); a misconfigured storage bucket exposed to internet scanning; a phishing email leading to EHR credential theft.

Step 3 — Document current security measures

(OCR element 4.) For each threat/vulnerability pair, record the safeguards already in place across all three HIPAA safeguard categories — administrative, physical, and technical. This is the point where a HIPAA technical safeguards checklist is useful: this page is the assessment (identifying and rating risk), while that page covers the control implementation that reduces it.

HIPAA safeguard categories mapped to risk-treatment controls
Safeguard typeExample standard & 45 CFR §Representative controlNIST 800-66r2 / 800-53r5 mappingCurrent status (NPRM change)
AdministrativeSecurity Management Process, 164.308(a)(1)Risk analysis & risk management800-53r5 RA-3, PM-9Required (NPRM adds written specificity)
AdministrativeWorkforce security & access management, 164.308(a)(3)–(4)Least-privilege access reviews800-53r5 AC-2, AC-6Mix of required/addressable today
PhysicalFacility access & device controls, 164.310(a)–(d)Media disposal, device tracking800-53r5 PE-3, MP-6Mix of required/addressable today
TechnicalAccess & transmission security, 164.312(a),(e)Encryption of ePHI at rest and in transit800-53r5 SC-8, SC-28Addressable today; NPRM proposes to make encryption required
TechnicalPerson or entity authentication, 164.312(d)Multi-factor authentication800-53r5 IA-2Not explicitly named today; NPRM proposes mandatory MFA

Step 4 — Rate likelihood and impact

(OCR elements 5–6.) Using a defined scale (see the scoring model below), rate how likely each threat is to exploit each vulnerability, and how severe the impact on the confidentiality, integrity, or availability of ePHI would be if it did. Rate residual likelihood and impact — that is, with your current controls from Step 3 already accounted for.

Step 5 — Determine and prioritize the level of risk

(OCR element 7.) Combine likelihood and impact into a single risk rating and sort. High-likelihood, high-impact risks to ePHI go to the top of the remediation queue. The output of this step is your risk register.

Step 6 — Document, treat, and review

(OCR elements 8–9, plus the handoff to risk management.) Write the analysis up, retain it for six years, feed the rated risks into your risk-management plan (Step below), and schedule the review cadence. Auditsuisse follows this exact sequence — see our audit methodology for how we run it.

The scoring model — likelihood × impact

HIPAA does not mandate a scoring formula, so a defensible analysis borrows one from NIST SP 800-30 Rev. 1 (the canonical guide for conducting risk assessments) and NIST SP 800-66r2. The workhorse is a qualitative Likelihood × Impact matrix. A 3×3 matrix is the simplest defensible version; a 5×5 gives more granularity and is what most compliance platforms use. On a 1–5 scale, Risk = Likelihood × Impact, producing a 1–25 score with common bands of 15–25 High, 8–14 Medium, 1–7 Low.

Likelihood and impact scales (1–5), defined against ePHI
LevelLikelihood definitionImpact definition (to C-I-A of ePHI)
1 — Very LowHighly unlikely; strong controls, no known pathNegligible effect; no ePHI exposure
2 — LowUnlikely but conceivableLimited exposure of a small ePHI set
3 — ModerateReasonably possible over the periodMeaningful ePHI exposure; possible reportable event
4 — HighLikely; known weakness, active threatLarge ePHI exposure; likely 500+ record breach
5 — Very HighNear-certain; already occurring or trivially exploitableCatastrophic loss of confidentiality, integrity, or availability
5×5 risk matrix — resulting rating (Likelihood × Impact)
Likelihood ↓ / Impact →12345
55 Low10 Med15 High20 High25 High
44 Low8 Med12 Med16 High20 High
33 Low6 Low9 Med12 Med15 High
22 Low4 Low6 Low8 Med10 Med
11 Low2 Low3 Low4 Low5 Low

Whatever scale you choose, the two rules that matter are: define each level in writing (so ratings are repeatable), and rate residual risk after existing controls. The exact numeric bands are a business decision — document yours in the analysis so an auditor sees the method, not just the result.

Sample HIPAA risk register (worked example)

A risk register is the primary output artifact of the analysis. Below is a worked example using the 1–5 × 1–5 model above, mapping each risk to a 45 CFR safeguard and a treatment decision (accept, mitigate, transfer, or avoid). Walk one row end-to-end: R-002 — a developer laptop (asset) holding a local ePHI export (vulnerability) is exposed to theft (adversarial threat); the only existing control is a screen lock; likelihood 4, impact 5 → score 20 (High); treatment is to mitigate via full-disk encryption and remove local exports, mapped to 45 CFR 164.312(a)(2)(iv), owned by the CISO with a near-term target date.

Sample HIPAA risk register — illustrative worked example
Risk IDAsset / ePHI systemThreatVulnerabilityExisting controlLIScoreTreatmentOwner (role)Mapped safeguard
R-001Cloud object storage (S3)Adversarial (internet scan)Misconfigured public bucketManual config review4520 HighMitigate (block public access, IaC guardrails)Head of Infra164.312(a)(1)
R-002Developer laptopAdversarial (theft)Unencrypted local ePHI exportScreen lock4520 HighMitigate (full-disk encryption, no local exports)CISO164.312(a)(2)(iv)
R-003Production EHR appAdversarial (phishing)Credential theft, no MFA on adminPassword policy4416 HighMitigate (enforce MFA)IT Manager164.312(d)
R-004Backup storeStructural (failure)Untested restore processNightly backups3412 MedMitigate (quarterly restore tests)SRE Lead164.308(a)(7)
R-005SaaS subprocessorAccidental (vendor breach)No signed BAAVendor questionnaire3412 MedTransfer/mitigate (execute BAA, reassess)Compliance Lead164.308(b)(1)
R-006Application logsAccidental (over-logging)ePHI written to logsLog retention policy339 MedMitigate (PII/PHI scrubbing)Eng Lead164.312(b)
R-007Office workstationsEnvironmental (power loss)No UPS on on-prem serverCloud-first architecture236 LowAccept (documented rationale)IT Manager164.310(a)(2)(i)

Auditsuisse provides clients a working risk-register template as part of an engagement; you can also reproduce the structure above in any spreadsheet. To reuse the same rows across frameworks, see how to map HIPAA controls to SOC 2 and GDPR.

From analysis to risk management: the remediation plan

The risk analysis is only half the requirement. 45 CFR 164.308(a)(1)(ii)(B) — risk management — requires you to “implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.” In practice, this is your remediation plan: each High and Medium risk from the register gets a treatment decision, an owner, a target date, and a mapped safeguard. “Reasonable and appropriate” is scaled to your size, complexity, and capabilities — a two-person startup and a hospital system are held to the same standard but not the same controls.

Document your treatment rationale, especially for accepted risks. If you accept a Low risk rather than mitigate it, write down why — that documented decision is itself evidence of due diligence. Re-run the loop on material change: a new subprocessor, a merger, a new ePHI data flow, or a security incident all trigger a refresh of the affected rows.

What OCR looks for — enforcement and the cost of skipping the SRA

The absence of an accurate, thorough risk analysis is among the most commonly cited deficiencies in OCR resolution agreements. Several of the largest HIPAA settlements name it explicitly — for example, the Anthem settlement ($16 million, 2018), Premera Blue Cross ($6.85 million, 2020), and Excellus Health Plan ($5.1 million, 2021) all cited failures tied to risk analysis and risk management among other findings. These are published on the OCR resolution-agreements page.

Enforcement typically begins with a breach. Under the Breach Notification Rule (45 CFR 164.400–414), breaches affecting 500 or more individuals must be reported to HHS without unreasonable delay and no later than 60 days, and are posted publicly on the OCR breach portal — which is frequently where an investigation starts. For the breach-handling side, see our guide to HIPAA incident response and breach notification requirements.

Civil money penalties are tiered by culpability under 42 USC 1320d-5 and 45 CFR 160.404, and the dollar figures are inflation-adjusted every January under 45 CFR 102.3. Because they change annually, always confirm the current amounts against the latest Federal Register notice before relying on them.

HIPAA civil money penalty tiers (amounts effective Jan 28, 2026; re-verify against current 45 CFR 102.3)
TierCulpability standardPer-violation minimumAnnual cap per identical provision
1Did not know (and would not have known with reasonable diligence)$145$2,190,294
2Reasonable cause, not willful neglectHigher tier minimum (per current 45 CFR 102.3)$2,190,294
3Willful neglect — corrected within 30 daysHigher tier minimum (per current 45 CFR 102.3)$2,190,294
4Willful neglect — not correctedHighest tier minimum (per current 45 CFR 102.3)$2,190,294

The figures above reflect the January 28, 2026 inflation adjustment (per-violation minimum $145; annual cap $2,190,294 per identical provision). Tier maximums must be pulled fresh from the current 45 CFR 102.3, because they are re-indexed each January and the older “$100–$50,000 / $1.5M” figures you may see elsewhere are the pre-inflation statutory floor and ceiling.

What is changing in 2026 — the HIPAA Security Rule NPRM

On January 6, 2025, OCR published a Notice of Proposed Rulemaking (NPRM) to modernize the Security Rule (90 FR 898, RIN 0945-AA22). The comment period closed March 7, 2025, and OCR received over 4,700 comments. As of this article’s publication, the rule is proposed — not final — and no final rule has been issued. Confirm current status at reginfo.gov (RIN 0945-AA22) and the HHS NPRM page before making commitments based on it. Every provision below is proposed, not current law.

2025 HIPAA Security Rule NPRM — proposed changes affecting your risk analysis
Today (current rule)Proposed change (NPRM)Practical impact on your SRAStatus
Specs split into “required” and “addressable”Remove the distinction; make (nearly) all specs requiredFewer “we chose an alternative” rationales; more mandatory controlsProposed, not final
No explicit asset inventory / network map mandateRequire a written technology asset inventory and network map, updated at least annually and on material changeFormalizes Step 1 of the analysis as a standing artifactProposed, not final
Risk analysis method largely unspecifiedRequire the analysis to be written with enumerated required contentRaises the documentation bar for the register and methodProposed, not final
Encryption is addressableExpressly require encryption of ePHI at rest and in transitRemoves the “addressable” escape hatch for encryptionProposed, not final
MFA / anti-malware not explicitly namedExpressly require MFA, anti-malware, and network port controlsNamed technical safeguards you should already be scoring todayProposed, not final

How to prepare without over-committing: build the written asset inventory and network map now, treat encryption and MFA as if required (most enterprise buyers already do), and keep your risk analysis written and versioned. None of that is wasted effort if the rule changes shape in finalization.

Tools and shortcuts — the SRA Tool, SOC 2, and pen testing

HHS and ONC offer a free downloadable Security Risk Assessment (SRA) Tool at HealthIT.gov. It walks you through a structured, multi-section questionnaire and is a reasonable starting point — but it is designed with smaller organizations in mind, and using it does not by itself produce a compliant analysis. For a SaaS business associate with cloud infrastructure, multiple subprocessors, and a real threat surface, the tool’s questionnaire rarely captures the asset inventory, data-flow mapping, and residual-risk scoring depth that a defensible analysis requires.

Three adjacent activities are frequently mistaken for the risk analysis. They are inputs, not substitutes:

  • A SOC 2 report examines controls against the Trust Services Criteria — overlapping but not identical scope. It does not assess risks to ePHI specifically, and it is not documented as a HIPAA risk analysis. If your buyers ask for both, plan a SOC 2 audit alongside, not instead of, the SRA.
  • A penetration test surfaces technical vulnerabilities only. It feeds Step 2 of the analysis but ignores administrative and physical safeguards entirely. Treat penetration testing as one threat-identification input.
  • HITRUST CSF can be mapped to the Security Rule and reduce duplicate effort, but certification against HITRUST is not the same as performing and documenting the 164.308(a)(1)(ii)(A) analysis.

HIPAA risk assessment checklist

  • Scope covers all ePHI — every system, device, medium, and subprocessor (elements 1–2).
  • ePHI asset inventory and data-flow / network map are written down.
  • Threats catalogued across adversarial, accidental, structural, and environmental sources (element 3).
  • Existing administrative, physical, and technical safeguards documented per risk (element 4).
  • Likelihood and impact rated on a defined, written scale; residual risk scored (elements 5–7).
  • Risk register produced and prioritized High → Low.
  • Risk-management / remediation plan created with owners and target dates (164.308(a)(1)(ii)(B)).
  • Analysis written, signed, and retained for six years (164.316).
  • Review cadence set; refresh triggered on material change (element 9).
  • BAAs in place with every subprocessor that touches ePHI.

Frequently asked questions

What is a HIPAA risk assessment, and what does the regulation require?

A HIPAA risk assessment — formally the “risk analysis” required by 45 CFR 164.308(a)(1)(ii)(A) — is an accurate, thorough evaluation of the risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI). It is a required, documented, and periodically updated implementation specification, not an optional checklist.

What is the difference between HIPAA risk analysis and risk management?

Risk analysis (45 CFR 164.308(a)(1)(ii)(A)) identifies and rates threats, vulnerabilities, and risk levels to ePHI. Risk management (164.308(a)(1)(ii)(B)) implements security measures sufficient to reduce those risks to a reasonable and appropriate level. Both are required: the analysis produces the risk register, and risk management produces the remediation plan.

How do you conduct a HIPAA risk assessment, step by step?

Follow OCR’s nine elements: (1) define scope (all ePHI), (2) inventory where ePHI is created, received, maintained, and transmitted, (3) identify threats and vulnerabilities, (4) assess current security measures, (5) rate likelihood, (6) rate impact, (7) determine risk level (likelihood × impact), (8) document findings, and (9) review and update periodically. These group into six practical steps.

How is HIPAA risk scored?

HIPAA risk is scored by combining likelihood and impact on qualitative scales using a matrix drawn from NIST SP 800-30 Rev. 1 and NIST SP 800-66r2. On a 1–5 × 1–5 scale, Risk = Likelihood × Impact, with common bands of 15–25 High, 8–14 Medium, and 1–7 Low. High-likelihood, high-impact risks to ePHI are remediated first.

How often must a HIPAA risk assessment be done?

There is no fixed interval, but HIPAA requires the risk analysis be reviewed and updated periodically and whenever there is a material change — new systems, mergers, incidents, or new ePHI flows. Most organizations perform a full assessment annually, and documentation must be retained for six years under 45 CFR 164.316.

Does a SOC 2 report or penetration test satisfy the HIPAA risk analysis requirement?

No. A SOC 2 report and a penetration test are useful inputs but do not satisfy 45 CFR 164.308(a)(1)(ii)(A). The HIPAA risk analysis must specifically assess risks to ePHI across all systems and be documented as its own artifact. A pen test covers technical vulnerabilities only, not the full administrative, physical, and technical scope.

Is there an official HIPAA certification for passing a risk assessment?

No. HHS does not certify or endorse HIPAA compliance, and there is no official HIPAA certification. The risk analysis is self-conducted (optionally with a third-party firm) and produces internal evidence of due diligence. Failing to have performed one is among the most frequently cited deficiencies in OCR enforcement actions.

Do business associates and SaaS vendors need a HIPAA risk assessment?

Yes. Since the 2013 Omnibus Rule, business associates — including SaaS, cloud, and IT vendors that create, receive, maintain, or transmit ePHI — are directly liable under the Security Rule and must conduct their own risk analysis under 45 CFR 164.308(a)(1)(ii)(A), independent of their covered-entity customers, and sign a business associate agreement (BAA).

Glossary of key terms

  • ePHI — electronic protected health information; individually identifiable health information created, received, maintained, or transmitted in electronic form.
  • Risk analysis — the required assessment (45 CFR 164.308(a)(1)(ii)(A)) that identifies and rates risks to ePHI.
  • Risk management — the required activity (164.308(a)(1)(ii)(B)) of implementing measures to reduce identified risks.
  • Likelihood — the probability that a threat exploits a vulnerability, rated on a defined scale.
  • Impact — the severity of harm to the confidentiality, integrity, or availability of ePHI if a risk is realized.
  • Addressable vs. required — current implementation-spec categories under 45 CFR 164.306(d); the 2025 NPRM proposes to remove the distinction.
  • Business associate — a vendor that handles ePHI on behalf of a covered entity; directly liable under the Security Rule and bound by a BAA.

Sources & further reading

  1. eCFR — 45 CFR 164.308 (Administrative safeguards; risk analysis and risk management).
  2. HHS Office for Civil Rights — Guidance on Risk Analysis Requirements under the HIPAA Security Rule.
  3. NIST — SP 800-66 Revision 2, Implementing the HIPAA Security Rule, and SP 800-30 Rev. 1, Guide for Conducting Risk Assessments.
  4. Federal Register — HIPAA Security Rule NPRM, 90 FR 898 (Jan 6, 2025), RIN 0945-AA22.
Sébastien Ruosch Reviewed by Sébastien Ruosch, CPA (US & Swiss licensed), Director of Audits at Auditsuisse. Last reviewed July 1, 2026.

Need a defensible HIPAA risk analysis?

Auditsuisse is a US & Swiss licensed CPA firm. We conduct the risk analysis the way OCR expects — scoped to all your ePHI, scored on a defined model, and documented to survive an investigation. See our HIPAA compliance audit services or book a call.

Request Consultation
Back to top ↑