Let me clear something up before we go any further. If you searched for "hippa risk assessment," you're looking for the right thing — you just spelled it differently than the feds do. It's HIPAA, not HIPPA. Two A's, one P. The Health Insurance Portability and Accountability Act. I bring this up because I've seen covered entities misspell it on their own compliance documentation, and that's never a great sign when OCR comes knocking.
But the spelling isn't what matters. What matters is whether you've actually done a proper risk assessment. Because if you haven't, you're sitting on the single most cited violation in HIPAA enforcement history. And that's not an exaggeration.
The #1 HIPAA Violation Isn't a Breach — It's Skipping the Risk Assessment
Here's a pattern I've watched play out for over a decade. A healthcare organization suffers a breach. OCR investigates. The first thing they ask for is the risk assessment. And the organization either doesn't have one, has a one-page checklist from 2017, or confuses a gap analysis with a real Security Risk Analysis (SRA).
The result? Massive penalties — not just for the breach itself, but for the failure to assess risk in the first place.
Look at the Premera Blue Cross settlement in 2020: $6.85 million. A major finding? Failure to conduct a sufficient risk analysis. Or take the $3 million settlement with the University of Rochester Medical Center — OCR specifically cited the lack of a comprehensive, enterprise-wide risk analysis as a core failure. You can review these enforcement results yourself on the HHS HIPAA Enforcement page.
This isn't obscure regulatory minutiae. The risk assessment is the foundation of HIPAA's Security Rule. Without it, everything else — your policies, your encryption, your training — is built on sand.
What Exactly Is a HIPAA Risk Assessment?
A HIPAA risk assessment — formally called a Security Risk Analysis under 45 CFR § 164.308(a)(1)(ii)(A) — is a systematic process where you identify every place ePHI lives, flows, and could be compromised within your organization. You evaluate threats. You evaluate vulnerabilities. You document the likelihood of exploitation and the potential impact. Then you build a plan to reduce risk to a reasonable and appropriate level.
That last phrase — "reasonable and appropriate" — is directly from the regulation. OCR doesn't expect perfection. They expect a documented, good-faith effort to understand and manage the risks to patient data.
What a HIPAA Risk Assessment Is NOT
- It's not a one-time checkbox exercise you do during onboarding and forget.
- It's not a software scan of your network (though that can be a piece of it).
- It's not a vendor questionnaire your EHR company sends you.
- It's not something your IT person handles alone while the compliance team stays uninvolved.
I've seen all four of these misconceptions lead directly to enforcement actions. If your "risk assessment" fits on a single page, it's not a risk assessment.
The Six Steps OCR Actually Expects You to Follow
HHS has published detailed guidance on how to conduct a proper risk analysis. I'd recommend reading the full document on HHS.gov's Security Risk Analysis guidance page. Here's the practical breakdown:
1. Identify Where ePHI Lives
Every system, device, application, and workflow that creates, receives, stores, or transmits electronic protected health information. Laptops, mobile phones, cloud platforms, fax servers, backup tapes, even that shared spreadsheet on Brenda's desktop. All of it.
2. Identify Threats and Vulnerabilities
Threats are things that could go wrong: ransomware attacks, stolen laptops, disgruntled employees, natural disasters. Vulnerabilities are weaknesses that make those threats more likely: unpatched software, no encryption, weak passwords, lack of workforce training.
3. Assess Current Security Measures
What safeguards do you already have in place? Are they working? When was the last time you tested them? Document everything.
4. Determine the Likelihood and Impact
For each threat-vulnerability combination, estimate how likely it is to occur and what the impact would be if it did. This doesn't have to involve complex math — but it does have to involve honest, documented analysis.
5. Determine the Level of Risk
Combine likelihood and impact to assign a risk level. High, medium, low — whatever framework you use, make it consistent and defensible.
6. Document Everything and Build a Remediation Plan
This is where most organizations fail. They do some version of steps one through five in their heads, but they never write it down. OCR's position is clear: if it's not documented, it didn't happen. Your remediation plan should include specific actions, responsible parties, and deadlines.
How Often Do You Need to Do a HIPPA Risk Assessment?
This is one of the most common questions I get, and the answer surprises people. The HIPAA Security Rule doesn't specify an exact frequency. It says the risk analysis must be "ongoing."
In practice, OCR expects you to review and update your risk assessment at least annually, and any time there's a significant change — a new EHR system, a move to cloud hosting, a merger, a breach, or a major change in operations.
I tell every client the same thing: treat it as an annual process with trigger-based updates throughout the year. That's what keeps you defensible.
The $1.5 Million Mistake Small Practices Keep Making
There's a dangerous myth that risk assessments are only for hospitals and large health plans. OCR has made it painfully clear that small practices are not exempt.
In 2018, Filefax, Inc. — a small medical records storage company — paid $100,000 for improperly disposing of PHI. The investigation also revealed basic security failures that a proper risk assessment would have identified. Small covered entities and business associates are just as obligated under the Security Rule as large health systems.
If you run a two-provider dental practice, a solo behavioral health practice, or a small billing company, the rule applies to you. The scope of your assessment may be smaller, but the requirement is identical.
Your Workforce Is Part of the Risk Equation
A risk assessment isn't just about technology. It's about people. Your workforce — from front-desk staff to clinicians to IT admins — represents both your biggest vulnerability and your strongest safeguard.
When I review risk assessments, I always look at whether workforce training is addressed as both a current safeguard and a remediation action. If your staff hasn't completed HIPAA training in the last 12 months, that's a documented vulnerability. Period.
If you need to close that gap quickly, explore the HIPAA training catalog at HIPAACertify. Building a culture of compliance starts with making sure every member of your workforce understands their role in protecting PHI — and a comprehensive training program is one of the most effective risk mitigation strategies you can implement.
Tools That Can Help (And Their Limits)
HHS offers a downloadable Security Risk Assessment Tool designed specifically for small and medium practices. It walks you through the process step by step. It's not flashy, but it covers the essentials OCR looks for.
That said, no tool replaces judgment. You still need someone who understands your workflows, your technology environment, and the specific threats your organization faces. For many practices, that means bringing in outside expertise — or at minimum, ensuring the person leading the assessment has received adequate HIPAA compliance training.
What Happens If OCR Audits You Tomorrow
Here's the scenario I want you to imagine. OCR sends a data request letter. They want your most recent risk assessment within 10 business days. Can you produce it?
Not a summary. Not a promise that you'll get to it next quarter. A complete, dated, documented Security Risk Analysis that identifies threats, maps ePHI flows, assigns risk levels, and includes a remediation plan with timelines.
If the answer is no, you know what to do next. And you know the cost of waiting. The organizations that end up on HHS's enforcement highlights page almost always had time to fix the problem before OCR showed up. They just didn't use it.
Start Today, Not Next Quarter
Whether you searched for "hippa risk assessment" or "HIPAA Security Risk Analysis," the action item is the same. Sit down this week. Identify where your ePHI lives. Document the threats. Evaluate your safeguards. Write it down. Assign owners. Set deadlines.
Then do it again next year.
That's not just compliance. That's how you protect your patients, your staff, and your organization from becoming the next cautionary tale on the OCR wall of shame.