A $4.75 Million Wake-Up Call That Started With a Checkbox
In 2023, Banner Health paid $1.25 million to settle with OCR after investigators found the organization had failed to conduct an enterprise-wide risk analysis. That same year, a small physician practice in the Southeast assumed their annual HIPAA risk assessment was covered because they'd filled out a spreadsheet once. It wasn't. OCR didn't care about the spreadsheet.
I've seen this pattern dozens of times. An organization believes it has completed a risk assessment because someone, somewhere, checked a few boxes on a template downloaded from the internet. But when OCR comes knocking — and they do come knocking — that document crumbles under the slightest scrutiny.
Your annual HIPAA risk assessment isn't a form. It's a living process. And if you're treating it like a chore to rush through every December, you're building a compliance house on sand.
What an Annual HIPAA Risk Assessment Actually Requires
Let's clear this up fast, because it's the single most searched question on this topic.
The HIPAA Security Rule at 45 CFR § 164.308(a)(1)(ii)(A) requires covered entities and business associates to "conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate." That's the legal language.
In practice, here's what it means. You must identify every system that creates, receives, maintains, or transmits ePHI. You must document threats to each of those systems. You must evaluate the likelihood and impact of each threat. And you must document what safeguards you already have in place — and where the gaps are.
HHS itself publishes a Security Risk Assessment Tool that walks smaller practices through this process. It's a starting point, not a finish line.
Why "Annual" Is the Minimum, Not the Standard
The Security Rule doesn't actually say "annual." It says risk analysis must be conducted, and then reviewed and updated regularly. Industry consensus — and OCR's enforcement behavior — has settled on at least once per year as the baseline. But if your organization undergoes a major change (new EHR system, office relocation, merger, breach incident), you need to reassess immediately.
I've worked with organizations that conduct quarterly mini-reviews and a full assessment annually. That approach consistently performs better during OCR audits than the once-a-year-and-forget-it model.
The Five Mistakes I See in Almost Every Risk Assessment
1. Confusing a Gap Analysis With a Risk Assessment
A gap analysis asks, "Do we have a policy for X?" A risk assessment asks, "What's the probability that threat Y will exploit vulnerability Z, and what would the impact on PHI be?" They're related but fundamentally different exercises. OCR has repeatedly cited organizations for performing one and calling it the other.
2. Ignoring Paper Records and Verbal Disclosures
The Security Rule focuses on ePHI, but the Privacy Rule covers all forms of PHI. Your risk assessment should account for physical records, verbal conversations in shared spaces, and fax transmissions. I've seen practices with airtight server security that leave patient charts in unlocked filing cabinets. That's a finding.
3. Not Documenting the Process
If you didn't write it down, it didn't happen. OCR investigators want to see the methodology, the people involved, the date range, the systems evaluated, and the risk ratings assigned. A polished summary report without supporting documentation is a red flag, not a reassurance.
4. Skipping the Remediation Plan
Identifying risks is only half the job. The other half is documenting how you plan to address them — and then actually doing it. The infamous Anthem breach settlement of $16 million in 2018 highlighted, among other failures, the organization's lack of follow-through on identified risks. OCR's resolution agreement with Anthem remains one of the largest in HIPAA history.
5. Excluding Business Associates
Your annual HIPAA risk assessment must account for risks introduced by business associates. That cloud storage vendor, that billing company, that shredding service — each one touches PHI and introduces risk. If you're not tracking their compliance and including them in your risk picture, you have a blind spot the size of a freight train.
What OCR Actually Looks for During an Investigation
I've reviewed dozens of OCR resolution agreements. The pattern is remarkably consistent. Here's what triggers the biggest penalties:
- No risk assessment at all. This is the number one finding in OCR settlements. Not a bad risk assessment — no risk assessment.
- A risk assessment that doesn't cover the full environment. Partial assessments that miss departments, locations, or system types are treated almost as harshly as having none.
- No evidence of updates. A risk assessment from 2021 sitting in a drawer does nothing for you in 2026. OCR wants to see a pattern of regular review.
- No connection between identified risks and mitigation actions. If you identified a risk and then did nothing about it for two years, that's worse than not identifying it at all — because now you have documented knowledge of a vulnerability you chose to ignore.
In 2023, OCR settled with Lafourche Medical Group for $480,000. The practice had no risk analysis at all. They were a relatively small operation. Size doesn't protect you.
Building a Risk Assessment That Actually Holds Up
Start With an Asset Inventory
You cannot assess risk to systems you haven't identified. Begin by cataloging every device, application, and location where ePHI lives. Laptops, mobile devices, cloud platforms, EHR systems, email servers, backup tapes — all of it. This inventory becomes the foundation of your entire assessment.
Map Threats and Vulnerabilities to Each Asset
For each asset, ask two questions: What could go wrong? And what's already in place to prevent it? Common threats include ransomware, insider snooping, device theft, phishing attacks, and natural disasters. Common vulnerabilities include unpatched software, lack of encryption, weak passwords, and insufficient workforce training.
Speaking of workforce training — it's consistently one of the most overlooked safeguards. Your staff is both your greatest asset and your greatest vulnerability. If they haven't completed current HIPAA training, your risk assessment should flag that as a high-priority gap. Our HIPAA Fundamentals course covers exactly what your workforce needs to understand about PHI handling, breach notification, and day-to-day compliance.
Assign Risk Ratings That Mean Something
Use a consistent methodology. Most organizations use a likelihood-times-impact matrix, rating each on a scale of 1 to 5. A risk with high likelihood and high impact gets prioritized. A risk with low likelihood and low impact gets monitored. The key is consistency — and documentation of how you arrived at each rating.
Build a Remediation Roadmap
Every identified risk above your organization's risk tolerance should have a corresponding action plan. That plan should include the mitigation step, the responsible person, a target completion date, and the current status. This document becomes your proof of good faith. OCR doesn't expect perfection. They expect effort, documentation, and progress.
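The inventory, threat mapping, 1-to-5 scoring and remediation roadmap described above fit naturally in a small risk register. The following Python script is an added example, not code from the article or from HIPAACertify: it models each risk as asset, threat, vulnerability, likelihood, impact, existing safeguards and an optional action plan with the four fields named above (step, owner, target date, status), computes likelihood-times-impact scores, sorts by priority, and then audits the register for the follow-through gaps OCR looks for (a high risk with no plan, a plan past its target date, a risk known for a long time and still open). The asset names, ratings, dates, the tolerance threshold, the priority band edges and the "stale" cut-off are all constructed assumptions for illustration.

```python
"""Minimal HIPAA-style risk register with likelihood x impact scoring.

Added example; all values below are constructed, not taken from any real assessment.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

TODAY = date(2026, 3, 1)     # fixed "today" so the example is reproducible
RISK_TOLERANCE = 9           # assumed: scores above this need a documented plan
MAX_UNADDRESSED_DAYS = 365   # assumed: open risks older than this are flagged


@dataclass
class Remediation:
    """The four fields an action plan should carry: step, owner, target date, status."""
    action: str
    owner: str
    target_date: date
    status: str  # "open", "in_progress" or "complete"


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int          # 1 (rare) .. 5 (almost certain)
    impact: int              # 1 (negligible) .. 5 (severe)
    existing_safeguards: str
    identified_on: date
    remediation: Optional[Remediation] = None

    def __post_init__(self) -> None:
        # Enforce the 1-5 scale so scores stay comparable across assessors and years.
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")

    @property
    def score(self) -> int:
        """Likelihood-times-impact score, range 1..25."""
        return self.likelihood * self.impact

    @property
    def is_closed(self) -> bool:
        return self.remediation is not None and self.remediation.status == "complete"


def tier(score: int) -> str:
    """Map a score to a priority band (band edges are an assumption of this example)."""
    if score >= 15:
        return "high"     # prioritize
    if score >= 8:
        return "medium"   # schedule
    return "low"          # monitor


def prioritize(register: list[Risk]) -> list[Risk]:
    """Highest score first; the stable sort keeps register order among equal scores."""
    return sorted(register, key=lambda r: -r.score)


def audit_findings(register: list[Risk], today: date = TODAY) -> list[tuple[str, str, str]]:
    """Return (asset, threat, code) for each follow-through gap:
    NO_PLAN  - above tolerance with no remediation plan
    OVERDUE  - plan exists but its target date passed without completion
    STALE    - known longer than MAX_UNADDRESSED_DAYS and still not closed
    """
    findings = []
    for r in register:
        if r.score > RISK_TOLERANCE and r.remediation is None:
            findings.append((r.asset, r.threat, "NO_PLAN"))
        if r.remediation is not None and not r.is_closed and r.remediation.target_date < today:
            findings.append((r.asset, r.threat, "OVERDUE"))
        if not r.is_closed and (today - r.identified_on).days > MAX_UNADDRESSED_DAYS:
            findings.append((r.asset, r.threat, "STALE"))
    return findings


def assessment_is_stale(last_full_review: date, today: date = TODAY, max_age_days: int = 365) -> bool:
    """True when the last enterprise-wide review is older than the annual baseline."""
    return (today - last_full_review).days > max_age_days


# Constructed sample register (five of the asset/threat pairs the text mentions).
SAMPLE_REGISTER = [
    Risk("Staff laptops", "Device theft", "No full-disk encryption", 4, 5,
         "Cable locks in office", date(2025, 11, 15),
         Remediation("Enable full-disk encryption on all laptops", "IT lead",
                     date(2026, 1, 31), "in_progress")),
    Risk("Email system", "Phishing", "Workforce training lapsed", 5, 4,
         "Spam filter", date(2024, 1, 10)),
    Risk("Backup tapes", "Natural disaster", "Single storage site", 1, 4,
         "Weekly offsite copies", date(2025, 12, 1)),
    Risk("EHR server", "Ransomware", "Unpatched operating system", 3, 5,
         "Nightly backups", date(2025, 10, 5),
         Remediation("Apply vendor patches and enable auto-update", "Sysadmin",
                     date(2025, 12, 15), "complete")),
    Risk("Paper charts", "Unauthorized viewing", "Unlocked filing cabinets", 2, 3,
         "Reception area staffed", date(2026, 1, 20)),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.score:>2} {tier(r.score):<6} {r.asset:<14} {r.threat}")
    for asset, threat, code in audit_findings(SAMPLE_REGISTER):
        print(f"FINDING {code}: {asset} / {threat}")
```

Run as-is it prints the prioritized register and three findings: the laptop encryption plan is past its target date, and the phishing risk has no plan and has been open for more than a year, which is exactly the "documented knowledge of a vulnerability you chose to ignore" situation. Keeping `identified_on` and the plan's `status` on every row is what turns the register into evidence of a process rather than a one-off spreadsheet.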
How Often Should You Really Be Doing This?
Here's the direct answer for anyone searching this question: conduct a full annual HIPAA risk assessment at minimum, with interim reviews after any significant change to your operations, technology, or workforce. "Significant change" includes new software deployments, physical office moves, mergers or acquisitions, security incidents, and changes to state or federal regulations.
Organizations that treat risk assessment as an ongoing program — not an annual event — consistently fare better in OCR investigations and experience fewer breaches. The most compliant organizations I've worked with integrate risk assessment into their monthly operational reviews.
Your Risk Assessment Is Only as Good as Your Team's Training
Here's what I tell every client: you can have the most beautiful risk assessment document ever produced, but if your front desk staff clicks a phishing link tomorrow, none of it matters. Risk assessment and workforce training are two sides of the same coin.
Your risk assessment will almost certainly identify workforce training gaps. When it does, act on that finding immediately. Explore the full HIPAACertify training catalog to address those gaps with structured, current coursework that covers everything from breach notification requirements to ePHI access controls.
Every year that passes without a proper annual HIPAA risk assessment is a year you're gambling with your organization's reputation, your patients' trust, and potentially millions of dollars in penalties. The process doesn't have to be painful. But it does have to be real.
Start now. Document everything. And don't wait for OCR to tell you what you should have already known.