HIPAA Risk Assessment Requirements, Explained

If you manage a healthcare practice, you’ve probably heard “HIPAA risk assessment” mentioned more times than you can count. But knowing you need one and actually understanding what goes into it are two completely different things.

Here’s what matters: a real HIPAA risk assessment isn’t paperwork for the sake of paperwork. It’s your chance to find the security gaps before they turn into a breach, a complaint, or a conversation with federal regulators. That’s the difference between hoping everything’s fine and actually knowing it is.

This guide covers what the law expects, how to actually do this without overthinking it, and the things that trip up most practices. Whether you’re doing this for the first time or fixing something that’s been sitting around for a year, you’ll find practical guidance here.

Key Takeaways

  • It’s required. HIPAA law (45 CFR § 164.308(a)(1)) says you have to do this. It’s not optional.
  • One time doesn’t cut it. You need to revisit the assessment whenever something changes—new software, new vendors, staffing changes, security incidents.
  • Everyone needs one. Covered entities (hospitals, practices, clinics) and business associates (vendors, IT providers) both have to do this.
  • The fines are serious. HHS OCR civil penalties are capped at roughly $2 million per violation category per calendar year, and the cap is adjusted for inflation each year. That matters.
  • You need documentation. A conversation about security isn’t enough. You need written proof of what you looked at and what you’re doing about it.
  • Digacore can help. If you’re in New Jersey or the NYC area, Digacore works with practices to build assessments that actually stand up to scrutiny.

What A HIPAA Risk Assessment Actually Is

At its core, a HIPAA risk assessment is a documented review of where your patient data might be at risk—specifically, risks to its confidentiality (does it stay private), its integrity (does it stay accurate and unaltered), and its availability (can you get to it when you need it). You map out where ePHI (electronic protected health information) lives, what could damage it, how likely that damage is, and what needs to be fixed.

Simple concept. But it’s different from a general security review. A typical IT security check might flag old software or missing backups. A HIPAA risk assessment specifically focuses on patient data—how it’s created, stored, shared, and protected.

Who Has to Complete One?

If you work with patient data, you’re covered.

Covered entities are the obvious ones: medical practices, dental offices, therapists, behavioral health clinics, and hospitals. If you bill patients, keep records, or provide care, you’re in this group.

Business associates are everyone else who touches patient information. Billing companies, IT service providers, cloud platforms, EHR vendors, anyone processing or storing ePHI on your behalf.

And here’s the thing that catches people: size doesn’t exempt you. A solo dentist has the same legal obligation as a hospital network. A one-person billing company still needs to document the process. HIPAA doesn’t make exceptions for small operations.

Risk Assessment vs. Compliance Audit—What’s Actually Different?

These get mixed up constantly, but they’re answering different questions.

A risk assessment asks: “Where are we exposed?” A compliance audit asks: “Did we follow the rules?”

What we’re looking at    | Risk Assessment                         | Compliance Audit
The purpose              | Finding actual threats and weak spots   | Checking whether you followed policies
What you get out of it   | A prioritized list of risks             | A report on where you fell short of compliance
When you do it           | Continuously, whenever things change    | Usually once a year or after an incident
Why it matters           | It stops problems before they start     | It proves you were trying to follow the rules

You need both, honestly. But mix them up and you end up with a filing cabinet full of documents that don’t tell you anything useful.

Why HIPAA Risk Assessment Isn’t Optional—it’s The Law

This isn’t a suggestion. It’s not a best practice. It’s a federal requirement.

The HIPAA Security Rule is clear on this: 45 CFR § 164.308(a)(1)(ii)(A) says you have to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to your ePHI. Its companion requirement, § 164.308(a)(1)(ii)(B), says you then have to implement security measures that bring those risks down to a reasonable and appropriate level. The law isn’t vague about it.

Why does this matter to regulators? Because the HHS Office for Civil Rights (OCR) actively audits for this. A missing or weak risk assessment shows up as one of the top findings every single year. And when they find it missing, penalties follow.

In 2024 alone, OCR closed cases where the main violation was a missing risk analysis. The fines ranged from tens of thousands to over a million dollars. This isn’t about being sloppy—this is about skipping a required step altogether.

The reality is simple: organizations that can show a solid, documented assessment do much better when OCR comes knocking. Organizations that can’t show one? They’re in trouble.

What Happens if You Skip It

The immediate risk is obvious. If your email, remote access, or vendor setups have security holes, you won’t know about them until after a breach happens.

But the bigger problem comes after. OCR investigations lead to corrective action plans, years of regulatory oversight, and significant fines. And if your documentation is weak, your defense falls apart. It’s nearly impossible to convince regulators you cared about HIPAA if you can’t show what you actually reviewed or what you did about it.

Why Putting It in Writing Matters

A conversation about security isn’t proof. You need written records showing what systems you looked at, what patient data you found, what threats you considered, what controls were already in place, how you rated each risk, and what you decided to tackle first.

Think about it this way: if your risk assessment only exists in someone’s head, it doesn’t survive an audit. Write it down, date it, and keep it.

What Your HIPAA Risk Assessment Needs To Cover

HHS has detailed guidance on what this looks like. These nine elements are what separates a real assessment from a checkbox exercise.

  1. Define your scope. What systems, locations, devices, and people are you including in this review? A small practice might scope it to the EHR, email, office computers, and cloud backups. A bigger operation might add remote access, mobile devices, and third-party integrations. Be specific about what’s in and what’s out.
  2. Inventory where ePHI actually lives. Where does patient data get created, received, stored, kept, or sent? That’s your EHR, email, file servers, cloud apps, backups, mobile devices, scanners, fax machines—anything that touches a patient record.
  3. List threats and vulnerabilities. What could actually go wrong? Phishing emails, stolen devices, weak passwords, misconfigured cloud tools, unpatched software, people making mistakes, vendors with too much access. Write down the realistic threats in your environment.
  4. Look at your existing safeguards. What’s already protecting the data? Administrative safeguards like policies and training. Physical safeguards like locked rooms and badge access. Technical safeguards like encryption, multi-factor authentication, and backups. Write down what actually exists.
  5. Rate how likely each threat is. Not every risk happens at the same rate. Phishing emails come in constantly. Stolen laptops happen occasionally. But they both matter. Rate likelihood based on your actual environment, not worst-case scenarios.
  6. Estimate the damage if it happens. If patient data got exposed, how bad would it be? Would people get hurt? Would you trigger breach notification requirements? Would it tank your reputation? Impact ranges from minor to catastrophic.
  7. Assign an overall risk level. This is how you prioritize. Something unlikely but devastating might rank higher than something frequent but minor. The math is simple (likelihood × impact), but use judgment.
  8. Document everything. Write down what you looked at, what you found, what controls existed, how you rated each risk, and what you’re fixing first. If it’s not written down, regulators assume it didn’t happen.
  9. Plan for periodic reviews. Set a schedule to look at this again—at least annually, sooner if something major changes. Risk isn’t static. Your assessment shouldn’t be either.

How To Conduct A HIPAA Security Risk Assessment: Step-by-step

Picture a small dental practice in Paterson, NJ. Three front-desk computers, a cloud-based EHR, email for appointment reminders, a networked scanner that shoots PDFs to email, a mobile phone for work texts, and a billing vendor that accesses the system remotely. Nothing exotic. But patient data moves through way more places than the office manager realizes at first.

That’s exactly why you need structure here. You can’t wing it. The good news is that HHS has laid out a clear framework for how to do this. Here’s how to walk through it methodically.

Step 1: Define the Scope

Start by drawing a clear line around what you’re reviewing. Are you assessing the whole practice or just the clinical side? Do you include people working from home? What about contractors?

Be specific. Saying “everything” is too vague and creates problems later. Saying “EHR, email, office computers, and cloud backups used by full-time staff” is clear. That documentation proves you thought this through.

Step 2: Inventory Your ePHI

Now list every system, device, and place where patient data exists. It’s boring work, but it’s essential.

For the Paterson practice: the EHR system, three front-desk computers, email (a business Google Workspace or Microsoft 365 tenant covered by a business associate agreement, not a consumer Gmail or Outlook.com mailbox), the networked scanner, work mobile phones, cloud storage, the billing vendor’s portal, backups. Don’t skip anything because it seems obvious or unimportant.

Step 3: Identify Threats and Vulnerabilities

What could realistically expose this data in your practice? Don’t imagine doomsday scenarios—think about what actually happens.

In the dental example: phishing emails getting through to staff, a laptop left in an unlocked car, an old admin password still in circulation, the billing vendor having more access than they should, backups that aren’t encrypted, passwords that are too simple, and someone emailing records to their personal email address.

Write these down. Be honest about what could actually happen at your practice.

Step 4: Evaluate Existing Controls

What’s already protecting the data? Don’t assume nothing exists. Most practices have some safeguards, even if they’re informal or incomplete.

Ask yourself: Do you have password requirements? MFA on important systems? Locked server rooms? Encrypted computers? Access logs? Staff training? Plans for when something goes wrong? Vendor agreements that spell out security requirements?

List what’s actually in place, not what you wish existed.

Step 5: Assign Risk Levels (Likelihood × Impact)

For each threat, estimate how likely it is and how bad it would be if it actually happened.

A phishing email is very likely (staff get them constantly), and the damage depends on what a stolen login can reach: medium if MFA is on and the mailbox holds little ePHI, high if that same password opens the EHR without a second factor. A stolen unencrypted laptop is less likely (but possible) but serious damage (patient data is exposed immediately, and with no encryption you can’t argue it wasn’t). A vendor with excessive access is low likelihood (it takes a dishonest vendor or a compromised vendor account) but critical damage (that account could reach everything).

Rate each threat. High/medium/low is fine. The goal is to separate what needs immediate attention from what can wait.

Step 6: Document Everything

This isn’t negotiable. Write down what you reviewed, what risks you found, what controls existed, how you rated each threat, and what you decided to tackle first.

Save it with a date. If someone asks later “Did you do this assessment?” you have proof. If OCR shows up, you have documentation. If you need to show you took this seriously, the paper trail does the talking.

Step 7: Implement a Risk Management Plan

This is where most assessments stop. And this is where they should actually start. Create a written plan for what gets fixed, who owns it, and when it happens.

For the dental practice, it might look like:

  • Turn on MFA for the EHR and email (IT lead, 30 days)
  • Encrypt all computers (practice manager, 45 days)
  • Update vendor access agreement to limit permissions (office manager, 60 days)
  • Run security training for staff (compliance, quarterly)

Assign owners. Set deadlines. Follow up on progress.

Step 8: Review and Repeat

Put an annual review on the calendar. But don’t wait a full year if something major happens—new software, a new vendor, staff changes, or any security incident should trigger a fresh look.

Risk doesn’t stay frozen. Your assessment shouldn’t either.
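Here is an added example, not part of the original article, that puts steps 2 through 7 (and elements 2 through 8 of the HHS list above) into a small risk register: it scores likelihood × impact on a three-point scale, applies the “unlikely but devastating outranks frequent but minor” judgment rule, ranks the results, and writes out a dated register with an owner and due date for every fix. The sample risks are constructed from the Paterson dental practice scenario; the field names, scales, and thresholds are this example’s own assumptions, not an HHS format.

```python
"""Added example: a small HIPAA risk register (score, rank, document).
The risks below are constructed from the article's dental practice scenario;
scales and thresholds are assumptions for illustration, not an HHS standard."""
from dataclasses import dataclass, asdict
from datetime import date, timedelta
import json

LEVELS = {"low": 1, "medium": 2, "high": 3}   # ordinal scale for both axes


@dataclass
class Risk:
    asset: str              # where the ePHI lives (from the inventory step)
    threat: str             # what could realistically go wrong
    existing_controls: str  # what is already in place, honestly stated
    likelihood: str         # low / medium / high, for THIS environment
    impact: str             # low / medium / high if it actually happens
    remediation: str        # the planned fix
    owner: str              # who is accountable for the fix
    days_to_fix: int        # deadline relative to the assessment date

    def score(self) -> int:
        """Raw likelihood x impact, 1 to 9."""
        return LEVELS[self.likelihood] * LEVELS[self.impact]

    def level(self) -> str:
        """Bucket the raw score, then apply the judgment rule from the text:
        a high-impact risk is never rated below medium, however unlikely."""
        s = self.score()
        if s >= 6:
            return "high"
        if s >= 4 or self.impact == "high":
            return "medium"
        return "low"


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Highest level first; within a level, higher impact wins, then raw score.
    Python's sort is stable, so ties keep their register order."""
    return sorted(
        risks,
        key=lambda r: (LEVELS[r.level()], LEVELS[r.impact], r.score()),
        reverse=True,
    )


def build_register(risks: list[Risk], assessed_on: date) -> dict:
    """The documentation artifact: dated, every rating recorded, plan attached."""
    entries = []
    for r in prioritize(risks):
        e = asdict(r)
        e["score"] = r.score()
        e["level"] = r.level()
        e["due"] = (assessed_on + timedelta(days=r.days_to_fix)).isoformat()
        entries.append(e)
    return {
        "assessed_on": assessed_on.isoformat(),
        "next_review_by": (assessed_on + timedelta(days=365)).isoformat(),
        "risks": entries,
    }


# Constructed sample register for the Paterson practice; not real client data.
SAMPLE_RISKS = [
    Risk("Cloud EHR user accounts", "Phishing captures a staff login",
         "Password policy only, no MFA", "high", "high",
         "Enable MFA on the EHR and email", "IT lead", 30),
    Risk("Front-desk laptop", "Laptop stolen from an unlocked car",
         "No disk encryption", "low", "high",
         "Enable full-disk encryption on all workstations", "Practice manager", 45),
    Risk("Billing vendor remote access", "Vendor account compromised or misused",
         "BAA signed, but the vendor account has full admin rights", "low", "high",
         "Restrict the vendor account to the billing module", "Office manager", 60),
    Risk("Networked scanner", "Scanned record emailed to the wrong address",
         "Staff type the recipient by hand", "medium", "medium",
         "Preset scan-to-email destinations, disable free typing", "IT lead", 60),
    Risk("Front-desk monitors", "Patient name readable from the waiting room",
         "Desks angled away from the lobby", "high", "low",
         "Fit privacy screens", "Office manager", 90),
]


def sample_register() -> dict:
    """Convenience wrapper with a fixed assessment date."""
    return build_register(SAMPLE_RISKS, date(2025, 1, 15))


if __name__ == "__main__":
    print(json.dumps(sample_register(), indent=2))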

How Often Do You Actually Need To Do A HIPAA Assessment?

HIPAA doesn’t say “do this every year and you’re good.” That’s the first misconception to clear up. But it also doesn’t say “do this whenever you feel like it.”

The law expects you to review and update based on actual changes in your business and your risks. HHS’s guidance makes it clear: you’re responsible for keeping this current as your systems, staff, and operations change.

Annual review is a reasonable baseline. It gives you a schedule, a calendar reminder, and a chance to step back and look at the whole picture. But waiting a full year after a major change defeats the purpose. That’s where most practices get stuck—they do the annual checkbox and miss the actual trigger points in between.

What Counts as a Significant Change

Some situations demand a fresh assessment sooner:

  • New EHR or practice management system. This is a big one. You’re introducing new technology, new vendors, new access patterns. Reassess.
  • Cloud migration or switching billing systems. Moving data to the cloud or switching platforms changes your risk profile and your available controls. Review it.
  • Merger, acquisition, or opening a new location. You’re integrating new staff, new systems, new workflows. Always a reason to reassess.
  • New software that touches patient data. Text messaging platforms, fax services, file-sharing apps, patient portals. If it’s new and it touches ePHI, include it.
  • Major staffing changes. New IT person, new office manager, new remote work arrangement. Your team is part of your risk picture.
  • Any security incident, even a small one. A phishing email that succeeded, a lost laptop, a vendor misconfiguration. Use it as a learning moment and a trigger to reassess.

Why Annual Plus Triggered Makes Sense

Think of it like this: an annual review is maintenance. A triggered assessment is emergency maintenance.

You pick a date on the calendar for your annual review. But you also stay alert. When something material changes, you don’t wait. You pull the assessment, update it, and make sure your controls still work.

This protects you because it shows regulators you’re actually paying attention, not just checking boxes. It also catches problems faster. If you move to a new cloud platform in March but wait until December to reassess, you’ve spent nine months potentially exposed to risks you never evaluated.

Mistakes That Show Up Over And Over

Small and mid-sized healthcare teams don’t usually fail at this because they don’t care. They fail because the review is too narrow, too generic, or so lightly documented that it doesn’t hold up. Here are the patterns that keep happening.

Treating It Like a Finished Project

Complete it once and you’re done? No. Risk changes. Technology changes. An assessment from a year ago can be outdated after one software update or new vendor.

Fix: Stop thinking of this as a project with a finish line. Treat it as an ongoing process. Annual review is good. Reassess whenever something material changes.

No Written Documentation

A conversation about security doesn’t prove anything. OCR needs written evidence: what you reviewed, what risks you found, how you rated them, what you’re fixing.

Fix: Write it down. Date it. File it. Documentation isn’t extra—it’s your defense.

Ignoring Vendor Risks

Billing companies, cloud EHR platforms, and texting services—they all handle patient data. If they get breached, the exposure is yours too.

Fix: Keep track of your vendors. Know what data they access and what your business associate agreement says.

Forgetting About Scanners, Phones, and Email

Teams focus on the EHR and call it done. But patient data also lives in scanners, mobile phones, backups, cloud storage, and archived files.

Fix: Follow an actual patient record through your practice. Where does it go? Who touches it? That real-world workflow shows you what a checklist misses.

Putting the Wrong Person in Charge

Give this to someone who knows compliance rules but not IT—or the reverse—and you’ll have blind spots.

Fix: You need someone (or a team) who understands both HIPAA and your actual systems.

HIPAA Security Risk Assessment Tools: What You Can Use

You don’t need to build an assessment from scratch. There are tools available.

The HHS Free Tool

HHS provides a self-assessment tool specifically for HIPAA: the Security Risk Assessment (SRA) Tool, developed jointly by ONC and OCR. It’s free, covers the basics, and works as a starting point for small practices with simple setups.

The tool walks you through standard questions: What systems do you have? What threats exist? What controls are in place? It generates a report you can save as documentation.

For a five-person dental practice or small billing company, this can be enough to check the box. It’s definitely better than nothing.

Where DIY Tools Fall Short

But here’s where most DIY assessments hit the wall. Generic tools assume a generic practice. They ask broad questions, but your practice isn’t standard.

You might have a specific cloud EHR setup, unique vendor arrangements, remote workers in different states, mobile devices with special permissions. A generic tool will ask about these things in general, but it won’t dig into your situation specifically.

There’s also the depth problem. A checklist can tell you a threat exists. It can’t always tell you how serious it is in your context or what the smartest fix would be.

And there’s documentation. The HHS tool generates a report, but if OCR asks detailed questions about why you rated something a certain way or how you got to your risk scores, a generic report won’t have those answers.

When Outside Help Makes Sense

If your practice is simple and stable, DIY might work. But consider getting help when:

  • You don’t have IT or compliance staff. This work takes time and expertise. If you’re doing it on top of your regular job, something gets missed.
  • Your operation is complex. Multiple vendors, remote access, cloud systems, mobile devices, integrations. Complexity creates gaps that checklists miss.
  • You want a defensible result. If OCR shows up, a documented assessment from a qualified third party carries more weight than an internal checklist. It proves you were serious.
  • You need help with the follow-up. A lot of teams finish the assessment and don’t know what to do next. A partner can help you prioritize and track progress.

For practices that want more than a basic checklist, working with a managed IT and compliance partner like Digacore gives you a documented, defensible assessment that holds up under OCR scrutiny. You get a real understanding of your actual risks, realistic timelines for fixes, and ongoing support to address what you find.

How Digacore Approaches HIPAA Assessments In New Jersey

We work with healthcare practices, dental offices, behavioral health providers, and billing companies across New Jersey and the NYC area. Most of our clients are small to mid-sized operations trying to handle compliance while running their actual business.

Here’s what we do: we inventory your ePHI, analyze realistic threats to your systems, score the risk, document everything properly, and build a remediation plan that actually fits your practice.

Not a fancy report that sits in a drawer. A clear picture of where you’re exposed and a realistic plan to fix it.

We’re an Acronis Official Delivery Partner, which means we meet that vendor’s standards for security expertise and documentation. OCR evaluates your documented risk analysis and risk management, not your vendors’ badges, but the same discipline is what produces documentation that holds up.

What We See in the Field

We’ve worked with small clinics and multi-location practices across New Jersey. The most common thing we hear? “We had no idea our email system was in scope.” Or “We didn’t realize the billing vendor had that much access.” Or “We thought our mobile devices weren’t part of this.”

That’s exactly the kind of gap a proper assessment is designed to catch. It’s also what separates a real review from box-checking.

What Happens After the Assessment

The assessment is the beginning, not the end. If your systems need upgrades, encryption improvements, or stricter vendor controls, we can help with that. That’s why a lot of our clients also use us for managed IT services for healthcare and cybersecurity services. The assessment identifies the problems. The ongoing partnership fixes them.

FAQs

How much does this cost?

DIY with the HHS free tool costs only your time. A third-party consultant usually runs $1,500 to $10,000+ depending on practice size and complexity.

Does Digacore work with small medical practices?

Yes. Small and mid-size healthcare organizations in New Jersey and the NYC area are who we focus on. Most small practices don’t have a dedicated compliance person—that’s exactly who we built our services for.

What’s the difference between a risk assessment and risk analysis?

They’re the same thing. The regulation (45 CFR § 164.308(a)(1)(ii)(A)) calls it “risk analysis,” but “risk assessment” is what the industry says. Both mean identifying threats and vulnerabilities to ePHI, rating the risk, and documenting your response.

Can a HIPAA assessment protect us from a breach fine?

A documented assessment won’t prevent a breach. But it is one of the main things OCR looks for during an investigation, and a missing or inadequate risk analysis is itself a violation that gets cited on top of the breach. Organizations that can show a thorough, current assessment and evidence they acted on it are in a far better position than those that can’t, though penalty amounts also depend on the nature of the violation, the harm, and your compliance history.

Conclusion

A HIPAA risk assessment isn’t something you do once and forget about. It’s an ongoing process that protects both your patients’ data and your practice’s future. The requirements are specific, the stakes are real, and you don’t have to figure this out alone.

Whether you’re starting fresh or updating something that’s been sitting around, getting this right matters. We’ve helped healthcare organizations across New Jersey build compliance programs that actually hold up. If you’re ready to get past the worry and actually move forward, reach out for a free assessment or contact us to talk about your specific situation. We’ll walk you through every step—from inventorying your ePHI to final documentation—and build a plan that works for your practice.
