How to Do a HIPAA Risk Assessment: A Step-by-Step Guide for Small Healthcare Practices

By Devon Quick March 14, 2026 7 min read

If you run a small healthcare practice, you’ve probably heard that a HIPAA risk assessment is required. But what does that actually mean? What are you supposed to do? And how do you get it done without a full-time compliance officer or a six-figure consulting budget?

This guide breaks down the entire process into manageable steps. By the end, you’ll understand exactly what a HIPAA risk assessment involves, why the Office for Civil Rights (OCR) considers it non-negotiable, and how to complete one for your practice — even if compliance isn’t your day job.

What Is a HIPAA Risk Assessment (and Why Is It Required)?

A HIPAA risk assessment — formally called a “Security Risk Analysis” under the HIPAA Security Rule — is a systematic process for identifying where your practice’s electronic protected health information (ePHI) is vulnerable to threats. Think of it as a security audit specifically focused on patient data.

The requirement comes directly from 45 CFR § 164.308(a)(1)(ii)(A), which mandates that every covered entity “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability” of ePHI. There’s no exception for practice size. A two-physician clinic has the same obligation as a hospital system.

Here’s why this matters practically: failure to conduct a risk assessment is the single most common finding in OCR enforcement actions. Penalties for small practices typically range from $50,000 to $1.5 million per violation category. More importantly, a thorough risk assessment is the foundation every other HIPAA compliance activity is built on — without it, your policies, training, and technical controls are essentially guesswork.

Before You Start: What You’ll Need

Preparation makes the difference between a risk assessment that takes weeks of frustration and one that flows smoothly. Gather these items before you begin:

  • An inventory of all hardware, software, and systems that store or transmit patient data
  • A list of all vendors and business associates who handle ePHI on your behalf
  • Your current HIPAA policies and procedures (if they exist)
  • A network diagram or at least a description of how your systems connect
  • Any previous risk assessments, audit findings, or incident reports
  • Your employee roster with their roles and system access levels

You’ll also want to involve your office manager, any IT support (in-house or outsourced), and at least one clinical staff member who can speak to how patient data moves through daily workflows.

How to Do a HIPAA Risk Assessment: 7 Steps

Step 1: Map Every Location Where ePHI Lives

Start by documenting every system, device, and location where electronic patient data exists in your practice. This is almost always broader than people expect. Your EHR is the obvious one, but ePHI also lives in email inboxes, billing software, cloud storage, portable devices, backup drives, fax machines with digital memory, and even voicemail systems. Don’t forget paper-to-digital conversion points — every time a paper form gets scanned or a fax arrives as an email, ePHI is created.

For each location, document what type of patient data it contains, who has access to it, and whether it’s encrypted.

Step 2: Identify Threats to That Data

Next, identify all reasonably anticipated threats to your ePHI. Organize them into categories to make sure you don’t miss anything:

  • Human threats (intentional): Hacking, phishing, ransomware, insider theft, social engineering
  • Human threats (accidental): Misdirected emails, lost devices, improper disposal, weak passwords
  • Environmental threats: Floods, fires, power outages, severe weather events
  • Technical threats: System failures, software vulnerabilities, unpatched systems, data corruption
  • Third-party threats: Vendor breaches, cloud service outages, business associate non-compliance

Step 3: Identify Vulnerabilities

For each threat, ask: what weaknesses in our current setup could allow this to happen? Common vulnerabilities in small practices include:

  • No encryption on laptops, tablets, or email
  • Staff sharing login credentials
  • No multi-factor authentication on systems containing ePHI
  • Lack of regular security awareness training
  • Missing or outdated business associate agreements
  • No audit logging to detect unauthorized access
  • Unlocked areas where servers or network equipment are stored

Pro tip: Walk through your office and observe how staff actually handle patient information. Real-world observation reveals vulnerabilities that a desk review won’t catch.

Step 4: Evaluate Your Current Controls

Document the security measures you already have in place. This includes technical controls (firewalls, encryption, antivirus, access controls), administrative controls (written policies, training programs, incident response plans), and physical controls (door locks, security cameras, visitor logs). Be honest in this step — the goal is an accurate picture, not a favorable one.

Step 5: Rate the Likelihood of Each Risk

For each threat-vulnerability pair, assess how likely it is to actually occur using a simple 1-3 scale:

Rating   Score   What It Means
High     3       Threat is highly motivated/capable, controls are weak or absent
Medium   2       Threat is capable but existing controls provide some protection
Low      1       Threat is unlikely or controls effectively prevent exploitation

Step 6: Rate the Potential Impact

Using the same 1-3 scale, assess how severe the consequences would be if each threat-vulnerability pair were exploited. Consider financial penalties, harm to patients, reputational damage, and operational disruption. A ransomware attack that locks your entire EHR is a 3. An employee briefly viewing a record they shouldn’t have accessed is likely a 1.

Step 7: Calculate Risk Scores and Prioritize

Multiply each likelihood score by its impact score to get a risk score from 1 to 9. This gives you a prioritized list: scores of 6-9 need immediate attention, 3-4 should be in your near-term action plan, and 1-2 can be monitored and addressed during routine maintenance. The key output is a risk register — a documented list of every risk, its score, and what you plan to do about it.
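As an added example (not from the article or from QuickGuard360), a small Python script that turns Steps 5-7 into a risk register: it validates the 1-3 ratings, multiplies them, assigns the bands from Step 7, and attaches the remediation targets from the follow-up section. The sample rows are constructed, and mapping the 90-day window to the 3-4 band is an assumption.

```python
from collections import namedtuple
from datetime import date, timedelta

# Bands from Step 7 and the follow-up section. The 90-day target for the 3-4 band is an
# assumption: the article gives 30 days for 6-9 and 90 days for the next band down.
TIERS = ((6, 9, "immediate", 30), (3, 4, "near-term", 90), (1, 2, "monitor", None))

# One threat-vulnerability pair per row, tied to the ePHI location from Step 1.
Risk = namedtuple("Risk", "asset threat vulnerability likelihood impact")

def risk_score(likelihood: int, impact: int) -> int:
    # Likelihood x impact (Step 7); with a 1-3 scale only 1, 2, 3, 4, 6 and 9 can occur.
    for v in (likelihood, impact):
        if not isinstance(v, int) or not 1 <= v <= 3:
            raise ValueError(f"ratings must be integers 1-3, got {v!r}")
    return likelihood * impact

def tier_for(score: int):
    # Map a score to its priority band and remediation window in days (None = routine).
    for lo, hi, name, days in TIERS:
        if lo <= score <= hi:
            return name, days
    raise ValueError(f"score {score} outside 1-9")

def build_register(risks, assessed_on: date) -> list:
    # Produce the risk register: every risk, its score, band and target date, highest first.
    rows = []
    for r in risks:
        score = risk_score(r.likelihood, r.impact)
        tier, days = tier_for(score)
        rows.append({"asset": r.asset, "threat": r.threat, "vulnerability": r.vulnerability,
                     "score": score, "tier": tier,
                     "due": (assessed_on + timedelta(days=days)).isoformat() if days else None})
    rows.sort(key=lambda row: (-row["score"], row["asset"]))
    return rows

# Constructed sample entries (not from the article) for a hypothetical two-physician clinic.
ASSESSED_ON = date(2026, 3, 14)
SAMPLE = [
    Risk("EHR server", "ransomware", "no MFA on remote access", 3, 3),
    Risk("front-desk laptop", "lost device", "disk not encrypted", 2, 3),
    Risk("billing workstation", "insider snooping", "no audit logging", 2, 2),
    Risk("voicemail system", "power outage", "no UPS", 1, 1),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE, ASSESSED_ON):
        print(f"{row['score']}  {row['tier']:<10} {row['due'] or 'routine':<11} {row['asset']}: {row['vulnerability']}")
```

Running it prints the register highest score first, so the 30-day items sit at the top of the action plan.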

5 Mistakes That Get Small Practices in Trouble

  1. Doing it once and filing it away. OCR expects your risk assessment to be a living document, reviewed at least annually and updated whenever your environment changes.

  2. Using a generic checklist as your assessment. A checklist is a starting point, not a risk assessment. OCR wants analysis specific to your practice’s systems, workflows, and environment.

  3. Ignoring business associates. If a vendor handles ePHI on your behalf, their risks are your risks. Every business associate needs a current BAA, and their security posture should factor into your assessment.

  4. Focusing only on technical threats. Administrative gaps (no training, no policies) and physical vulnerabilities (unlocked server closets, no visitor logs) are just as important under HIPAA.

  5. Not documenting the process. If it isn’t written down, it didn’t happen — at least as far as OCR is concerned. Document your methodology, findings, and decision-making, not just the final results.

What Comes After the Assessment?

Completing the assessment is a milestone, but it’s the beginning of compliance, not the end. Your risk register should feed directly into a remediation action plan with specific tasks, owners, and deadlines. Critical risks (scores 6-9) should be addressed within 30 days. High risks within 90 days. And you’ll need to build an annual cycle of reviews, training, access audits, and policy updates to maintain compliance year-round.

Need Help? There’s a Faster Way

If this process feels overwhelming, you’re not alone. Most small practices don’t have the bandwidth to spend 20+ hours on a manual risk assessment while also running a practice.

QuickGuard360 was built specifically for this problem. Our AI-powered platform walks your practice through a guided risk assessment tailored to your size and specialty, automatically generates the documentation OCR expects, and keeps your compliance current year-round. Practices using QuickGuard360 typically complete their risk assessment in 60-70% less time than doing it manually.

Want to go deeper? Download our free HIPAA Risk Assessment Starter Guide — a comprehensive 10-page resource with worksheets, scoring frameworks, and action plan templates you can start using today.
