The Health Insurance Portability and Accountability Act (HIPAA) sets the standards for protecting sensitive patient information, and conducting regular risk assessments is a non-negotiable part of compliance.

‍

Although HIPAA outlines what organizations need to evaluate, it deliberately avoids prescribing how these assessments should be performed, which can make the execution process flexible—as well as uncertain.

‍

In a general sense, organizations have the freedom to choose the HIPAA risk assessment method that best suits their operations. Still, the lack of prescriptive guidance can lead to inconsistent processes and potential non-compliance alongside financial penalties.

‍

We’ve created an actionable guide to help you:

‍

• Prepare for and conduct your HIPAA risk assessment
• Learn how to approach the assessments once you’ve achieved HIPAA compliance

‍

What is a HIPAA risk assessment?

According to the HIPAA Security Rule, a risk assessment is the process of identifying and mitigating potential risks and vulnerabilities that may affect the integrity, confidentiality, and availability of protected health information (PHI). The goal is to anticipate threats or hazards to PHI and implement the relevant physical, technical, and administrative safeguards in response. 

‍

Risk analysis or assessment is a mandatory, ongoing aspect of HIPAA compliance, and it must be thorough, accurate, and documented. It doesn’t matter whether your organization is a covered entity or a business associate—the Security Rule requires all organizations that create, maintain, or transmit PHI to conduct risk assessments.

‍

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) can take enforcement actions to ensure in-scope organizations conduct risk assessments under the Security Rule. In a 2024–2025 initiative, the OCR investigated at least seven entities that failed to conduct appropriate risk assessments, particularly for emerging risk vectors like shadow IT and vendor access in digital healthcare ecosystems.

‍

The Breach Notification Rule also emphasizes risk assessments and their role in determining whether an unauthorized use or disclosure of PHI can be classified as a breach. When conducting a risk assessment under this rule, organizations must consider criteria such as:

‍

• The nature of the PHI involved, including types of identifiers and re-identification potential
• Who accessed or received the PHI, and under what circumstances
• The extent to which the risk was mitigated or reduced

‍

Who performs the HIPAA risk assessment?

The OCR doesn’t require a specific person, team, or role to conduct the HIPAA risk assessment. In practice, the organization’s internal IT or compliance team or an external consultant performs the more granular risk assessment tasks. 

‍

That said, the overall oversight responsibility falls on the organization’s dedicated HIPAA compliance officers. These are individuals who are accountable for ensuring that your organization’s policies, procedures, and security controls align with HIPAA.

‍

HIPAA specifies the need for two compliance officers—the privacy officer and the security officer, so either can be in charge of monitoring risk evaluations. In larger organizations, the roles are distinct: the privacy officer is generally the one leading the assessment, with technical input and support from the security officer.

‍

In smaller or resource-constrained settings, a single person often fulfills both roles. It’s usually someone in leadership or operations who is already overseeing risk assessments.

‍

{{cta_withimage13="/cta-blocks"}}  | HIPAA compliance checklist

‍

6 steps for performing a HIPAA risk assessment

Your HIPAA risk assessment approach will depend on your business size, risk appetite, and compliance environment. The following six steps give you a common baseline to follow:

‍

1. Define the scope of PHI
2. Identify and analyze risks
3. Perform a gap analysis
4. Develop and implement mitigation measures
5. Document the process
6. Conduct regular audits

‍

‍

Step 1: Define the scope of PHI

The first step of your HIPAA risk assessment is identifying all assets that interact with PHI and electronic PHI (ePHI). This includes systems, personnel, and physical media that access, maintain, transmit, or store PHI.

‍

HIPAA requires you to be thorough when scoping workflows. Overlooked assets or data flows can lead to gaps in your assessments or force you to revisit the process, which can result in inefficiencies.

‍

The scoping process should account for both internal and external systems. You’ll want to consider vendors with PHI access as well as environmental factors such as natural disasters or power outages—essentially any threat that impacts PHI security and availability. Creating a data flow diagram during the scoping process helps map where ePHI originates and flows, identify connected assets, and gain clearer insights into how the information is used.

‍

The HHS recommends using specific questions from NIST SP 800-66 to guide your scoping activities. Examples include:

‍

• Have you identified the ePHI within your organization? This includes ePHI that you create, receive, maintain, or transmit.
• What are the external sources of ePHI? For example, do vendors or consultants create, receive, maintain, or transmit ePHI?
• What are the human, natural, and environmental threats to information systems that contain ePHI?

‍

Tip: If you’re a small healthcare practice or a business associate without a mature compliance infrastructure, the HIPAA Security Risk Assessment (SRA) Tool launched by OCR can help you get started.

‍

Step 2: Identify and evaluate risks

Once you have scoped your PHI and data flows, the next step is identifying the potential risks and vulnerabilities these assets may be exposed to. Potential threats include:

‍

• Unauthorized access due to weak authentication or misconfigured permissions
• Data loss caused by hardware or software failure as well as environmental factors
• Human error due to insufficient training
• Third-party breaches due to limited visibility into vendors’ security practices

‍

A best practice is to use a risk assessment matrix to rank the identified risks based on their likelihood and potential impact on your systems and data subjects. This way, you can get an overview of your risk landscape and prioritize mitigation strategies for the most impactful and likely threats.

‍

The set of processes in this step needs to be repeated at regular intervals because your risk landscape could shift with events like introducing new software or onboarding a new vendor. According to the Vanta HIPAA Violations report, however, only 41% of organizations perform a vendor risk assessment during onboarding, and only 33% carry out annual assessments. This increases the risk of vendors falling out of compliance and undermining an organization’s security.

‍

Step 3: Perform a gap analysis

As part of this step, you’ll compare your existing controls, policies, and procedures against the requirements outlined by HIPAA, especially the Privacy and Security rules. The goal is to identify areas where your existing security measures don’t meet the regulation’s requirements.

‍

A thorough gap analysis can highlight the specific controls you need to adjust or implement, while also demonstrating areas that already meet HIPAA standards. Some of the common workflows in this step include:

‍

• Documenting the Privacy Rule and Security Rule requirements applicable to you
• Validating controls through assurance testing
• Conducting group or role-specific interviews to surface operational security gaps

‍

Ideally, you should evaluate your gap analysis and risk assessment results from the previous step together to better gauge your risk landscape.

‍

Step 4: Develop and implement mitigation measures

Use the results of your gap and risk assessments to prioritize and deploy your remediation plans. You’ll first want to focus on the high-risk areas with the greatest impact, and then address lower-priority risks.

‍

Your mitigation measures can include administrative, technical, and physical safeguards to help secure ePHI under the Security Rule. Some examples include:

‍

• Employee training programs
• Sanction policy
• Unique user IDs
• Automatic logoff
• Locked server rooms
• Video monitoring

‍

The Security Rule categorizes safeguards as either required or addressable. For the former, the official HIPAA documentation doesn’t mandate a specific method of implementation—just asks the safeguards to be implemented. This gives covered entities and business associates some flexibility in how they meet the required safeguards, such as data backup and disaster recovery plans.

‍

Addressable safeguards are more flexible as you only need to implement them if your assessments show they are necessary and appropriate. Examples of addressable safeguards include:

‍

• Testing and revision
• Applications and data criticality analysis

‍

{{cta_withimage39="/cta-blocks"}} | The Healthcare compliance checklist

‍

Step 5: Document the process

Maintaining thorough documentation at every step of your risk assessment is mandatory for HIPAA compliance. You must retain such documentation for at least six years from the date it was created or last updated.

‍

Beyond compliance, a transparent documentation flow can help your organization in the long run. For instance, clear records can serve as roadmaps that streamline future risk assessments. They can also help you demonstrate compliance during OCR audits or investigations.

‍

Another crucial aspect is the availability of documentation—the staff that executes a particular policy or procedure must have access to the relevant documentation at all times.

‍

To make extensive documentation workflows manageable, especially for smaller or busy teams, consider using modern compliance automation tools instead of manual tracking through spreadsheets.

‍

Step 6: Conduct regular audits

According to the HHS, risk assessments should be frequent to ensure ongoing HIPAA compliance. The Security Rule further reinforces this by requiring organizations to reevaluate and update their mitigation measures as needed, especially in response to internal or regulatory changes.

‍

“

Reviewing and updating your risk assessment annually has long been best practice, but as your business grows and moves upstream, it becomes even more critical to refine it regularly. Your risk profile has to evolve as your operations do.”

Markindey Sineus

GRC Subject Matter Expert, GTM, Vanta

|

LinkedIn

‍

While HIPAA explicitly requires regular audits and updates, it doesn’t specify a cadence. You can determine what works for you based on the complexity of your operations or risk profile.

‍

One way to stay on top of compliance is to continuously monitor your existing risks and controls. This gives you real-time insights into how your risk landscape changes and how efficient your safeguards are, allowing you to adapt your practices as new threats emerge.

‍

Leveraging automation software can help you streamline this process significantly. With useful integrations, compliance automation solutions can reduce manual effort and potential human error, giving you a centralized view of your security posture. You can generate reports in real time and maintain a more scalable and efficient compliance environment.

‍

Manage HIPAA risk assessments efficiently with Vanta

According to a 2025 Deloitte report, 53% of healthcare executives cited the need to improve consumer engagement, trust, and the overall consumer experience to drive organic growth. One of the best ways to do that today is through Vanta, a trust management platform that supports HIPAA and 35+ other compliance frameworks and standards.

‍

Vanta can give you guidance and resources across policies, controls, and documentation, reducing the uncertainty that stems from interpretive regulations. Depending on your tech stack, the platform can automate multiple HIPAA compliance workflows, including risk assessments and policy management.

‍

Vanta’s HIPAA compliance solution comes with:

‍

• Built-in governance and training solutions
• Ready-to-use document templates with an in-app editor
• Centralized, real-time tracking dashboard
• Automated documentation management powered by 375+ integrations
• Training videos created by Vanta’s security and privacy experts that include:
  
  • An overview of HIPAA
  • Key definitions
  • Patient rights
  • The Privacy Rule
  • Securing sensitive data and patient information

‍

The platform also has a cross-mapping feature, which lets you save time by reusing overlapping controls for standards and frameworks like SOC 2, HITRUST, or ISO 27001.

‍

Schedule a custom demo today to explore Vanta’s features firsthand.

‍

{{cta_simple18="/cta-blocks"}}  | HIPAA product page

‍

A note from Vanta: Vanta is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. When determining your obligations and compliance with respect to relevant laws and regulations, you should consult a licensed attorney.

‍