The HIPAA Security Rule requires a risk assessment. Not recommends—requires. Yet most solo practitioners and small practices have never done one, or did something informal years ago and never documented it.
A risk assessment isn't complicated. It's a systematic review of what could go wrong with your protected health information and what you're doing about it. This guide walks you through how to actually do one.
Why Risk Assessment Matters
It's Required
The HIPAA Security Rule mandates:
"Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information."
This isn't optional guidance—it's a regulatory requirement.
It's Frequently Cited in Enforcement
When HHS investigates HIPAA violations, one of the first questions is: "Show us your risk assessment."
Common findings:
- No risk assessment ever conducted
- Risk assessment conducted but not documented
- Risk assessment outdated (done once years ago)
- Risk assessment incomplete (didn't cover all ePHI)
It Protects You
A documented risk assessment demonstrates you've made good-faith efforts to identify and address security risks—even if something goes wrong later.
What a Risk Assessment Covers
The Core Questions
- Where is ePHI? Identify all systems, devices, and locations where electronic protected health information exists.
- What could go wrong? Identify threats and vulnerabilities to that ePHI.
- How likely is it? Assess the probability of each threat occurring.
- How bad would it be? Assess the impact if a threat materialized.
- What are you doing about it? Document current safeguards and planned improvements.
Scope
Your risk assessment should cover:
- All electronic PHI (ePHI) your practice creates, receives, stores, or transmits
- All systems that touch ePHI (EHR, email, telehealth, backups, etc.)
- All devices (computers, laptops, tablets, phones)
- All locations (office, home office, mobile)
- All people with access (you, staff, contractors, vendors)
Step-by-Step Risk Assessment Process
Step 1: Inventory Your ePHI
Document everywhere electronic PHI exists in your practice.
Common locations:
| System/Location | Type of ePHI | Who Has Access |
|---|---|---|
| EHR (e.g., SimplePractice) | All client records | You, staff |
| Laptop | Local files, EHR access | You |
| Smartphone | EHR app, email, texts | You |
| Email | Correspondence with clients/providers | You |
| Telehealth platform | Session recordings (if any) | You |
| Cloud backup | Backup copies | You, vendor |
| Paper (scanned) | Historical records | You |
Questions to ask:
- What systems store client information?
- What devices access those systems?
- Who has credentials to access each system?
- Where are backups stored?
- Do any third parties have access?
Step 2: Identify Threats and Vulnerabilities
For each ePHI location, identify what could go wrong.
Common threats:
| Threat Category | Examples |
|---|---|
| Technical | Malware, ransomware, hacking, system failure |
| Physical | Theft, fire, flood, power outage |
| Human | Accidental disclosure, lost device, weak password, phishing |
| Environmental | Natural disaster, building damage |
Common vulnerabilities:
| Vulnerability | Risk It Creates |
|---|---|
| No encryption | Data readable if device stolen |
| Weak passwords | Easy unauthorized access |
| No 2FA | Password alone can be compromised |
| Outdated software | Known security holes exploitable |
| No backup | Data loss if system fails |
| Untrained staff | Human error, phishing susceptibility |
| No BAA with vendor | Vendor breach exposes you |
Step 3: Assess Likelihood and Impact
For each threat/vulnerability pair, assess:
Likelihood: How probable is this?
- High: Could reasonably happen this year
- Medium: Possible but not common
- Low: Unlikely but not impossible
Impact: How bad if it happened?
- High: Large breach, significant harm, major penalties
- Medium: Moderate exposure, manageable harm
- Low: Minimal exposure, limited harm
Risk Level = Likelihood × Impact
| | Low Impact | Medium Impact | High Impact |
|---|---|---|---|
| High Likelihood | Medium Risk | High Risk | Critical Risk |
| Medium Likelihood | Low Risk | Medium Risk | High Risk |
| Low Likelihood | Low Risk | Low Risk | Medium Risk |
Step 4: Document Current Safeguards
For each identified risk, document what protections you already have.
Example:
| Risk | Current Safeguard |
|---|---|
| Laptop theft | Encrypted hard drive, password login |
| Unauthorized EHR access | Strong password, 2FA enabled |
| Phishing attack | Spam filter, personal vigilance |
| System failure | Daily cloud backup |
| Vendor breach | BAA in place, reputable vendor |
Step 5: Identify Gaps and Plan Improvements
Where are safeguards missing or inadequate?
Example gap analysis:
| Risk | Gap | Planned Action | Timeline | Priority |
|---|---|---|---|---|
| Lost phone | Phone not encrypted | Enable encryption | This week | High |
| No backup for local files | Only cloud backup | Add local backup | This month | Medium |
| Staff training outdated | Last training 2+ years ago | Schedule refresher | Next quarter | Medium |
| No documented policies | Informal practices only | Write policies | Next month | High |
Step 6: Document Everything
Your risk assessment documentation should include:
- Date of assessment
- Who conducted it
- Scope (what was assessed)
- Methodology (how you assessed)
- Findings (threats, vulnerabilities, current safeguards)
- Risk ratings (likelihood, impact, overall risk)
- Remediation plan (gaps and planned actions)
- Sign-off
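The six steps above are a procedure, and it helps to see them carried through once end to end. The following is an added worked example, not part of this guide and not any vendor's tool: a small risk register in Python that holds the Step 1 inventory, the Step 2 threat/vulnerability pairs, applies the Step 3 matrix exactly as tabulated above, records Step 4 safeguards, produces the Step 5 gap list ordered by risk level, and assembles the Step 6 documentation elements. The practice name, assets, threats and ratings are constructed sample data for a hypothetical solo practice, and the validation step (a risk must point at an inventoried asset) is my addition to guard against the "assessment incomplete" finding mentioned earlier.

```python
from dataclasses import dataclass, field, asdict
from datetime import date
import json

# Step 3 matrix from the guide: (likelihood, impact) -> overall risk level.
RISK_MATRIX = {
    ("High", "Low"): "Medium", ("High", "Medium"): "High", ("High", "High"): "Critical",
    ("Medium", "Low"): "Low", ("Medium", "Medium"): "Medium", ("Medium", "High"): "High",
    ("Low", "Low"): "Low", ("Low", "Medium"): "Low", ("Low", "High"): "Medium",
}
RISK_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}


@dataclass
class Asset:
    """Step 1: one place ePHI lives (system, device or location)."""
    name: str
    ephi_type: str
    access: list


@dataclass
class Risk:
    """Steps 2-5: one threat/vulnerability pair against an inventoried asset."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    safeguards: list = field(default_factory=list)
    gap: str = ""
    planned_action: str = ""
    target_date: str = ""

    def risk_level(self) -> str:
        return RISK_MATRIX[(self.likelihood, self.impact)]


def validate(assets, risks):
    """Reject a risk that names an asset missing from the Step 1 inventory
    (an incomplete inventory is itself a common enforcement finding) or that
    uses a rating outside the three-level scale."""
    names = {a.name for a in assets}
    for r in risks:
        if r.asset not in names:
            raise ValueError(f"risk {r.threat!r} references uninventoried asset {r.asset!r}")
        if (r.likelihood, r.impact) not in RISK_MATRIX:
            raise ValueError(f"risk {r.threat!r} has an invalid likelihood/impact rating")


def gap_analysis(risks):
    """Step 5: risks with no safeguard or a recorded gap, highest risk level first."""
    open_items = [r for r in risks if r.gap or not r.safeguards]
    return sorted(open_items, key=lambda r: RISK_RANK[r.risk_level()], reverse=True)


def build_report(practice, conducted_by, assets, risks, assessed_on=None):
    """Step 6: assemble the documentation elements listed in the guide."""
    validate(assets, risks)
    assessed_on = assessed_on or date.today()
    return {
        "practice": practice,
        "date": assessed_on.isoformat(),
        "conducted_by": conducted_by,
        "scope": [asdict(a) for a in assets],
        "methodology": "3x3 likelihood x impact matrix (Step 3)",
        "findings": [{**asdict(r), "risk_level": r.risk_level()} for r in risks],
        "remediation_plan": [
            {"risk": r.threat, "risk_level": r.risk_level(), "gap": r.gap,
             "planned_action": r.planned_action, "target_date": r.target_date}
            for r in gap_analysis(risks)
        ],
        "attested": False,  # set to True, with a signature, when the owner signs off
    }


# Constructed sample data for a hypothetical solo practice (not real records).
SAMPLE_ASSETS = [
    Asset("EHR", "All client records", ["owner", "staff"]),
    Asset("Laptop", "Local files, EHR access", ["owner"]),
    Asset("Smartphone", "EHR app, email", ["owner"]),
]
SAMPLE_RISKS = [
    Risk("Laptop", "Laptop theft", "Device leaves the office", "Medium", "High",
         safeguards=["Encrypted hard drive", "Password login"]),
    Risk("Smartphone", "Lost phone", "Phone not encrypted", "Medium", "High",
         gap="Phone not encrypted", planned_action="Enable encryption", target_date="this week"),
    Risk("EHR", "Phishing attack", "Staff may act on a deceptive email", "High", "Medium",
         safeguards=["Spam filter", "2FA enabled"]),
    Risk("Laptop", "Local file loss", "Only cloud backup, no local copy", "Medium", "Medium",
         safeguards=["Daily cloud backup"], gap="No local backup",
         planned_action="Add local backup", target_date="this month"),
]

if __name__ == "__main__":
    report = build_report("Example Counseling LLC", "Practice owner",
                          SAMPLE_ASSETS, SAMPLE_RISKS, date(2024, 1, 15))
    print(json.dumps(report, indent=2))
```

Running the script prints the assembled report as JSON; the "remediation_plan" list comes out with the unencrypted phone (High risk) ahead of the missing local backup (Medium risk), which is the ordering the Step 5 priority column is meant to capture. Saving that JSON with the date and conductor filled in, and keeping each year's copy, covers the "documented" and "current" findings the enforcement section lists.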
Risk Assessment Template
HIPAA SECURITY RISK ASSESSMENT
Practice Name: _______________________
Date: _______________________
Conducted by: _______________________
SECTION 1: ePHI INVENTORY
[List all systems, devices, locations with ePHI]
System/Device: _______________________
ePHI Type: _______________________
Access: _______________________
Location: _______________________
SECTION 2: THREAT/VULNERABILITY ASSESSMENT
Threat: _______________________
Vulnerability: _______________________
Current Safeguard: _______________________
Likelihood: [ ] High [ ] Medium [ ] Low
Impact: [ ] High [ ] Medium [ ] Low
Risk Level: [ ] Critical [ ] High [ ] Medium [ ] Low
SECTION 3: GAP ANALYSIS AND REMEDIATION PLAN
Gap Identified: _______________________
Planned Action: _______________________
Responsible Party: _______________________
Target Date: _______________________
Priority: [ ] High [ ] Medium [ ] Low
SECTION 4: ATTESTATION
I attest that this risk assessment was conducted thoroughly
and accurately reflects the current security posture of this
practice.
Signature: _______________ Date: ___________
Common Risk Areas for Therapy Practices
Mobile Devices
Risks:
- Lost or stolen phone/tablet with EHR access
- Unencrypted device
- Auto-login enabled
- Client information in text messages
Mitigations:
- Enable device encryption
- Require PIN/biometric to unlock
- Enable remote wipe capability
- Disable auto-login for sensitive apps
- Use compliant messaging, not SMS
Home Office / Remote Work
Risks:
- Unsecured home WiFi
- Family members with device access
- Visible screens
- Paper records at home
Mitigations:
- Secure WiFi with strong password
- Separate user accounts on shared computers
- Privacy screen or private workspace
- Locked storage for any paper
Email
Risks:
- Sending PHI via unencrypted email
- Phishing attacks
- Wrong recipient (typo in address)
Mitigations:
- Use encrypted email or client portal for PHI
- Training on phishing recognition
- Verify addresses before sending sensitive info
Telehealth
Risks:
- Non-compliant platform
- No BAA with platform
- Session in non-private location
- Recording without proper consent/storage
Mitigations:
- Use HIPAA-compliant platform with BAA
- Ensure private environment
- Clear recording policies and secure storage
Vendors
Risks:
- Vendor breach exposing your clients' data
- No BAA in place
- Unclear vendor security practices
Mitigations:
- BAA with every vendor handling PHI
- Verify vendor security measures
- Limit PHI shared with vendors to minimum necessary
How Often to Conduct Risk Assessment
Initial Assessment
When you start your practice or first implement HIPAA compliance.
Regular Updates
No specific regulatory frequency, but best practices suggest:
- Annually: Full review and update
- When changes occur: New systems, new staff, new locations, security incidents
Triggering Events
Reassess after:
- Adding new technology (new EHR, telehealth platform)
- Security incident or near-miss
- Significant practice changes (new location, new staff)
- Regulatory updates
Frequently Asked Questions
- Do I really need to do this if I'm a solo practitioner?
- Yes. The Security Rule applies to all covered entities regardless of size. Solo practitioners must conduct and document risk assessments.
- Can I just use a checklist?
- A checklist helps but isn't sufficient. Risk assessment requires analyzing your specific practice—what systems you use, what vulnerabilities exist, what safeguards you have. Generic checklists don't capture practice-specific risks.
- How long should this take?
- For a solo practitioner with straightforward technology: 2-4 hours for initial assessment, 1-2 hours for annual updates.
- Do I need to hire a consultant?
- Not required. Many small practices conduct their own risk assessments. However, consultants can be valuable for complex situations or if you're uncertain about technical security.
- What if I find serious gaps?
- That's the point. Document the gaps, create a remediation plan, and address them systematically. A risk assessment with identified gaps and a remediation plan is better than no assessment at all.
- Where should I store my risk assessment documentation?
- Securely—the same way you protect other sensitive practice documents. Keep it accessible for potential audits. HIPAA requires retaining security documentation for 6 years.
A risk assessment isn't about achieving perfect security—it's about identifying what could go wrong, what you're doing about it, and documenting your efforts. Do it once, update it annually, and you've met a core HIPAA requirement that most small practices overlook.