A dermatology practice in New England paid a vendor $4,000 for a "comprehensive HIPAA risk assessment." What they got back was a 12-page PDF — mostly boilerplate language, a few checkboxes, and a certificate suitable for framing. Two years later, OCR came knocking after a breach. That certificate didn't stop the investigation. It accelerated it.
I've reviewed dozens of these cookie-cutter reports over the years. The pattern is always the same: the organization thinks the box is checked, and then an auditor or investigator pulls the thread. HIPAA risk assessment services are only as valuable as the methodology behind them — and most organizations can't tell the difference until it's too late.
This post breaks down what OCR actually expects from a risk assessment, what separates legitimate services from expensive paperweights, and what your organization needs to do right now.
Why OCR Treats Missing Risk Assessments as a Red Flag
The HIPAA Security Rule requires every covered entity and business associate to conduct an "accurate and thorough assessment of the potential risks and vulnerabilities" to ePHI. That's not a suggestion — it's 45 CFR § 164.308(a)(1)(ii)(A). And it's the single most-cited deficiency in OCR enforcement actions.
Look at the numbers. In 2018, Anthem Inc. settled with HHS for $16 million — the largest HIPAA settlement in history at that time. A core finding? Failure to conduct an enterprise-wide risk analysis. In 2023, Banner Health paid $1.25 million after OCR found the organization hadn't performed a compliant risk assessment before its 2016 breach of 2.81 million records.
OCR's Guidance on Risk Analysis makes the expectation plain: your assessment must be enterprise-wide, must identify all ePHI, must evaluate threats and vulnerabilities, and must be documented. A one-time checklist doesn't cut it.
What Legitimate HIPAA Risk Assessment Services Actually Look Like
Here's the dividing line between a real risk assessment and theater: methodology. A credible service follows a recognized framework — typically NIST SP 800-30 — and adapts it to your specific environment.
Scope That Covers Every Corner
A proper assessment doesn't just scan your EHR. It maps every system, device, location, and workflow where PHI lives or moves. That includes the fax machine in the back hallway, the third-party billing platform, the personal phones your staff uses for two-factor authentication, and the cloud backup you set up three years ago and forgot about.
If the service provider doesn't ask to see your network diagram, interview department leads, and walk your physical facility, they're not doing a risk assessment. They're doing a survey.
Threat and Vulnerability Identification
Real HIPAA risk assessment services identify specific threats — ransomware, insider misuse, natural disasters, device theft — and map them against your actual vulnerabilities. A vulnerability isn't theoretical. It's the server running Windows Server 2012 with no patches. It's the receptionist whose password is taped to the monitor.
Risk Scoring That Means Something
Every risk must be scored by likelihood and impact. The output should give your leadership a prioritized list of what to fix first. If the final report ranks everything as "medium," the assessor didn't do real work.
A Risk Management Plan — Not Just a Report
The assessment is step one. The Security Rule also requires a risk management process under 45 CFR § 164.308(a)(1)(ii)(B). That means you need a documented plan to reduce or mitigate every identified risk. Any service that hands you a report and walks away has left you half-compliant.
The $1.5 Million Question: How Often Do You Need One?
How often should you conduct a HIPAA risk assessment? OCR doesn't specify a fixed schedule. But the expectation is that you update your risk assessment whenever there's a significant change — a new EHR system, a merger, a move to telehealth, a workforce expansion — and review it at least annually. In practical terms, I tell organizations to budget for a thorough reassessment every year and document interim updates as changes arise.
University of Massachusetts Amherst (UMass) paid $650,000 to OCR in 2016 partly because they hadn't updated their risk analysis after a malware incident exposed ePHI. The lesson: a risk assessment from 2022 won't protect you in 2026 if your environment has changed.
Red Flags When Evaluating Risk Assessment Vendors
I've seen organizations burned by vendors who promise compliance in a box. Here's what should make you walk away.
- No on-site or virtual walkthrough. If the vendor only sends you a questionnaire, they can't assess physical safeguards or observe real workflows.
- Generic templates with your name pasted in. Your assessment should reference your specific systems, locations, and policies — not a dental office template repurposed for a hospital.
- No mention of NIST. HHS explicitly recommends the NIST Cybersecurity Framework and NIST SP 800-30 as foundations for HIPAA risk analysis. If the vendor can't articulate their methodology, they probably don't have one.
- A guaranteed "pass." There's no such thing as HIPAA certification from the government. Anyone promising you'll "pass" an OCR audit is selling confidence, not compliance.
- No remediation guidance. A risk list without prioritized fixes is just an inventory of your problems.
What Your Workforce Needs to Know About Risk
Even the best risk assessment falls apart if your staff doesn't understand their role in protecting PHI. OCR has repeatedly cited workforce training failures alongside risk analysis failures — because they're connected. Your people are your vulnerabilities, and they're also your first line of defense.
Every member of your workforce should understand what ePHI is, how to report a suspected breach, and what your organization's specific risk mitigation procedures look like. That's not a once-a-year video. It's ongoing, role-based training that reflects the risks your assessment actually identified.
If you're building or refreshing your training program, our HIPAA training catalog offers courses designed to address the exact competencies OCR looks for during audits and investigations — from foundational workforce training to specialized modules for IT and security teams.
Do-It-Yourself vs. Outside HIPAA Risk Assessment Services
Small practices sometimes ask me whether they can do this internally. The answer is technically yes — OCR doesn't require you to hire an outside firm. HHS even provides a Security Risk Assessment Tool through HealthIT.gov designed for small and medium practices.
But here's the reality I've witnessed: internal assessments almost always undercount risks. Your IT person knows the network but may not understand HIPAA's administrative and physical safeguard requirements. Your compliance officer may understand the rules but lack the technical depth to evaluate encryption protocols or access controls.
The strongest approach combines outside expertise with inside knowledge. A qualified vendor brings methodology and objectivity. Your team brings institutional knowledge about how PHI actually flows through your organization — because it never flows the way the org chart says it does.
After the Assessment: The Three Steps Most Organizations Skip
1. Document Your Decisions
OCR doesn't expect perfection. They expect documentation. If you identify a risk and decide to accept it rather than mitigate it, write that down with a rationale. If you implement a compensating control instead of the ideal fix, document why.
2. Assign Accountability
Every remediation item needs an owner and a deadline. "We'll get to it" is not a risk management plan. I've seen organizations with beautiful assessment reports and zero follow-through — and OCR sees right through that.
3. Connect It to Breach Notification Readiness
Your risk assessment should directly inform your breach notification procedures. If you know your highest risks, you can build incident response playbooks around them. Under the Breach Notification Rule, covered entities must notify affected individuals within 60 days of discovering a breach. You don't want to figure out your response process during a crisis.
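As an added illustration (not the author's tool or any vendor's deliverable), here is a minimal risk register in Python that scores each threat/vulnerability pair by likelihood and impact as described under "Risk Scoring That Means Something", sorts the result into a remediation order, and flags the documentation gaps from steps 1 and 2 above: undecided risks, accepted risks with no rationale, mitigations with no owner or deadline, and a register where every item lands in the same bucket. The three-point scale and the sample rows are assumptions constructed from the examples in this post.

```python
from dataclasses import dataclass

SCALE = {"low": 1, "medium": 2, "high": 3}  # assumed 3-point scale; SP 800-30 leaves the scale to the assessor

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str   # the concrete weakness, not a theoretical one
    likelihood: str
    impact: str
    decision: str = ""   # "mitigate" or "accept" (step 1: document the decision)
    rationale: str = ""  # why a risk was accepted rather than fixed
    owner: str = ""      # step 2: who owns the fix ...
    deadline: str = ""   # ... and by when (ISO date)

def score(r: Risk) -> int:
    return SCALE[r.likelihood] * SCALE[r.impact]  # 1..9 on the assumed scale

def rating(r: Risk) -> str:
    s = score(r)
    return "high" if s >= 6 else "medium" if s >= 3 else "low"

def prioritize(register: list[Risk]) -> list[Risk]:
    return sorted(register, key=score, reverse=True)  # highest-scoring risks first

def validate(register: list[Risk]) -> list[str]:
    gaps = []  # the threads an investigator would pull on
    for r in register:
        if r.decision not in ("mitigate", "accept"):
            gaps.append(f"{r.asset}: no documented decision")
        elif r.decision == "accept" and not r.rationale:
            gaps.append(f"{r.asset}: accepted without rationale")
        elif r.decision == "mitigate" and not (r.owner and r.deadline):
            gaps.append(f"{r.asset}: mitigation has no owner or deadline")
    if register and len({rating(r) for r in register}) == 1:
        gaps.append("every risk carries the same rating; scoring is not prioritizing")
    return gaps

# Constructed sample register built from the examples in the post.
SAMPLE = [
    Risk("file server", "ransomware", "unpatched Windows Server 2012", "high", "high",
         decision="mitigate", owner="IT lead", deadline="2026-03-31"),
    Risk("front desk PC", "insider misuse", "password taped to monitor", "high", "medium",
         decision="mitigate"),
    Risk("cloud backup", "data exposure", "forgotten tenant, never reviewed", "medium", "high",
         decision="accept"),
    Risk("hallway fax", "misdirected PHI", "no confirmation step", "low", "medium"),
]
```

Running `validate(SAMPLE)` returns three gaps (an unowned mitigation, an unexplained acceptance, and an undecided risk), while `prioritize(SAMPLE)` puts the unpatched server first and the fax last.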
Making Risk Assessment an Ongoing Discipline
The organizations that stay out of trouble treat risk assessment as a continuous process, not an annual project. They integrate it into change management — every new vendor, every system migration, every policy update triggers a risk review.
They also tie it to training. When the risk assessment reveals that phishing is the top threat vector, the workforce training plan shifts to emphasize phishing recognition. When a new telehealth platform introduces new ePHI flows, staff get updated guidance within weeks, not months. You can explore role-specific and scenario-based training options through our HIPAA compliance training courses.
HIPAA risk assessment services aren't magic. They're a tool. The value comes from what you do with the findings — how you train your people, harden your systems, and document your decisions. OCR has made it clear, settlement after settlement, that they'll hold you accountable for the process as much as the outcome.
Start with a real assessment. Follow through on the findings. Train your workforce to live the results. That's the only formula that actually works.