The One Document OCR Asks For First — Every Single Time
I've been involved in over a hundred HIPAA readiness reviews. And I can tell you this without hesitation: the first thing the Office for Civil Rights (OCR) asks for during an investigation is your HIPAA IT risk assessment. Not your policies. Not your training logs. Your risk assessment.
If you don't have one — or if yours is a generic template you downloaded and never customized — you're already in trouble. This isn't theoretical. OCR has levied millions of dollars in penalties against organizations that either skipped this step or treated it like a checkbox exercise.
This post breaks down exactly what a HIPAA IT risk assessment requires, where most organizations fail, and how to build one that actually protects your ePHI and your bottom line.
What Is a HIPAA IT Risk Assessment, Exactly?
A HIPAA IT risk assessment is a systematic evaluation of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by your organization. It's required under the HIPAA Security Rule at 45 CFR § 164.308(a)(1)(ii)(A).
Every covered entity and business associate must conduct one. There's no exception for size. A two-person therapy practice has the same legal obligation as a 10,000-employee hospital system. The scope and complexity will differ, but the requirement doesn't.
Risk Assessment vs. Risk Analysis — Does It Matter?
OCR uses "risk analysis" as the formal term in the regulation. In practice, "risk assessment" and "risk analysis" are used interchangeably across the industry. HHS itself uses both. Don't let semantics distract you from the substance. What matters is that you actually do it — thoroughly and regularly.
The $4.75 Million Wake-Up Call
In 2023, OCR settled with Banner Health for $1.25 million after a breach affecting nearly 3 million individuals. The investigation revealed that Banner had failed to conduct an enterprise-wide risk analysis. That same year, LA Care Health Plan paid $1.3 million for — you guessed it — failure to conduct a thorough risk assessment.
But the record that still haunts compliance officers? Premera Blue Cross paid $6.85 million in 2020 partly because their risk analysis wasn't comprehensive enough. OCR didn't just check whether a risk assessment existed. They checked whether it was adequate.
You can review the full list of enforcement actions on the HHS Resolution Agreements page. Read a few. You'll notice the same deficiency cited over and over again: insufficient or absent risk analysis.
The 6 Elements OCR Expects in Your Risk Assessment
HHS published detailed guidance on this. Here's what your HIPAA IT risk assessment must address:
- Identify all ePHI. Where does it live? Servers, cloud platforms, mobile devices, email, paper-to-digital workflows. Everything.
- Identify threats and vulnerabilities. Ransomware, phishing, insider misuse, unpatched systems, lost laptops, misconfigured firewalls.
- Assess current security measures. What controls are already in place? Encryption, access controls, audit logs, backup procedures.
- Determine the likelihood of threat occurrence. Not a guess — a reasoned, documented evaluation.
- Determine the potential impact. If this threat exploits this vulnerability, what's the damage?
- Assign risk levels. Combine likelihood and impact into a risk rating that drives your remediation priorities.
HHS provides a downloadable Security Risk Assessment Tool for small and medium-sized practices. It's a starting point, not a finish line.
Where I See Organizations Fail — Over and Over
Mistake #1: Doing It Once and Filing It Away
A HIPAA IT risk assessment is not a one-time event. Your IT environment changes constantly — new vendors, new applications, new devices, staff turnover. OCR expects you to review and update your risk assessment regularly. Annual reviews are the industry standard, but you should also reassess after any significant change to your infrastructure or after a security incident.
Mistake #2: Limiting Scope to the EHR
I've reviewed assessments that only examined the electronic health record system. That's a fraction of where ePHI lives. What about your billing platform? Your scheduling system? The shared drive your front desk uses? The fax-to-email service? The personal phones your providers use for patient callbacks? A proper assessment is enterprise-wide.
Mistake #3: No Documentation of Remediation
Identifying risks is half the job. The other half is documenting what you did about them. OCR doesn't expect zero risk — that's impossible. They expect you to identify risks, prioritize them, and implement reasonable measures to reduce them. If your assessment says "high risk: no encryption on laptops" and you still have unencrypted laptops two years later with no documented reason or mitigation plan, that's a violation waiting to become a penalty.
Mistake #4: Delegating Without Oversight
Hiring a vendor to perform your risk assessment is fine. Handing it off and never reading the results is not. Your organization's leadership must understand the findings and actively participate in remediation decisions. OCR holds the covered entity accountable, not the consultant.
What Your Workforce Needs to Know
A risk assessment isn't just an IT project. It touches every department that handles ePHI. Your front desk staff, your billing team, your clinical providers — they all create, receive, maintain, or transmit electronic protected health information.
That's why workforce training matters so much in this context. Your team needs to understand basic security practices: recognizing phishing attempts, locking workstations, reporting suspicious activity, and following your organization's policies for mobile devices and remote access.
If your training program is outdated or nonexistent, explore the HIPAA training catalog at HIPAACertify for role-based courses that address Security Rule requirements directly. Training doesn't replace a risk assessment, but it closes many of the human-factor vulnerabilities your assessment will uncover.
How Often Should You Conduct a HIPAA IT Risk Assessment?
The Security Rule doesn't specify an exact frequency. But OCR has made clear — through enforcement actions and published guidance — that a risk assessment must be an ongoing process. Here's the practical schedule I recommend:
- Full assessment: At least annually.
- Targeted reassessment: After any significant event — a breach, a new EHR deployment, a merger, a move to a new cloud platform, a shift to remote work.
- Continuous monitoring: Use audit logs, vulnerability scans, and penetration tests throughout the year to feed updated data into your risk analysis.
Document everything. Dates, participants, methodology, findings, remediation plans, and follow-up actions. If OCR comes knocking, your documentation is your defense.
The Business Associate Blind Spot
Your business associates — IT vendors, billing companies, cloud hosting providers, shredding services — must also conduct their own risk assessments. Your Business Associate Agreement (BAA) should require it. But here's what I see constantly: organizations sign a BAA and assume the vendor is compliant.
Ask your business associates for proof. Request a summary of their most recent risk assessment findings. If they can't produce one, that's a red flag you can't ignore. Under the breach notification rule, you're going to be publicly tied to their failures when a breach hits.
Building a Risk Assessment That Actually Works
Here's the approach I walk clients through:
- Step 1: Assemble a cross-functional team. IT, compliance, clinical leadership, and operations.
- Step 2: Create a complete inventory of ePHI — every system, every device, every workflow.
- Step 3: Map threats to vulnerabilities. Use frameworks like NIST SP 800-30 to guide your methodology.
- Step 4: Score each risk. Be honest. Downplaying risk to avoid remediation costs is how organizations end up on the OCR wall of shame.
- Step 5: Build a remediation roadmap with owners, deadlines, and budget.
- Step 6: Train your workforce on the controls you've implemented. Policies only work when people follow them.
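As an added example (not the author's or HHS's code), a small Python risk register that records the six elements listed earlier and carries them through Steps 2 to 5: scoring each risk with a likelihood/impact matrix, ordering the remediation roadmap, and flagging the Mistake #3 case of a high risk left with no owner, no live deadline and no written reason. The matrix cell values, asset names, dates and owners are constructed assumptions.

```python
# Added example: risk register for the six OCR elements and the steps above; all data is constructed.
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
LEVELS = ("low", "moderate", "high")
# Element 6: likelihood x impact matrix (NIST SP 800-30 style; the cell values are this example's assumption)
RISK_MATRIX = {
    ("low", "low"): "low", ("low", "moderate"): "low", ("low", "high"): "moderate",
    ("moderate", "low"): "low", ("moderate", "moderate"): "moderate", ("moderate", "high"): "high",
    ("high", "low"): "moderate", ("high", "moderate"): "high", ("high", "high"): "high",
}

@dataclass
class Risk:
    asset: str               # element 1: where the ePHI lives
    threat: str              # element 2: the threat ...
    vulnerability: str       # ... and the weakness it would exploit
    controls: list[str]      # element 3: safeguards already in place
    likelihood: str          # element 4
    impact: str              # element 5
    owner: str = ""          # step 5: who owns remediation, and by when
    due: date | None = None
    remediated: bool = False
    rationale: str = ""      # written reason if the risk is accepted instead

    def level(self) -> str:
        if (self.likelihood, self.impact) not in RISK_MATRIX:
            raise ValueError("likelihood and impact must be low, moderate or high")
        return RISK_MATRIX[(self.likelihood, self.impact)]

def prioritize(risks: list[Risk]) -> list[Risk]:
    """Steps 4 and 5: highest-rated risks first; stable, so ties keep register order."""
    return sorted(risks, key=lambda r: -LEVELS.index(r.level()))

def undocumented_high_risks(risks: list[Risk], today: date) -> list[Risk]:
    """Mistake #3 check: high risks not remediated, not tracked (owner plus unexpired deadline), not accepted in writing."""
    return [r for r in risks if r.level() == "high" and not r.remediated
            and not r.rationale
            and not (r.owner and r.due is not None and r.due >= today)]

REGISTER = [  # constructed sample register, not real findings
    Risk("clinician laptops", "lost or stolen device", "no full-disk encryption",
         ["screen lock"], "moderate", "high", owner="IT lead", due=date(2023, 6, 30)),
    Risk("billing platform", "ransomware", "unpatched server OS",
         ["offline backups"], "high", "high", owner="IT lead", due=date(2025, 12, 31)),
    Risk("fax-to-email service", "interception in transit", "vendor does not enforce TLS",
         ["BAA signed"], "low", "high"),
    Risk("front-desk shared drive", "insider misuse", "every account has write access",
         ["audit logging"], "high", "moderate", rationale="accepted until the DMS migration"),
]
```

Run against a review date, the laptop entry is the one OCR would ask about: rated high, its deadline has passed, and nothing documents why it is still open.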
If you need to strengthen the training component of your remediation plan, the HIPAACertify training catalog offers targeted courses for both technical and non-technical staff.
Stop Treating It Like a Checkbox
I've seen organizations pay millions for treating their HIPAA IT risk assessment as a paperwork exercise. I've also seen small practices avoid devastating breaches because they took theirs seriously.
The risk assessment is the foundation of your entire HIPAA security program. Every safeguard you implement, every policy you write, every training you deliver should trace back to a risk you identified and decided to address.
Do it right. Document it thoroughly. Revisit it regularly. And make sure your entire workforce — not just your IT department — understands their role in protecting ePHI. That's not just compliance. That's how you keep your patients' trust and your organization's reputation intact.