HIPAA Risk Assessment Checklist 2026: The Complete Guide
A HIPAA security risk assessment (SRA) is the single most important thing you can do for compliance — and the #1 thing OCR looks for during an audit. Here's a step-by-step checklist to do it right.
Why the Security Risk Assessment Matters
The HIPAA Security Rule requires every covered entity and business associate to conduct a thorough security risk assessment under §164.308(a)(1)(ii)(A). It's not optional, and it's not a one-time exercise — OCR expects it to be performed regularly and updated when your environment changes.
Failing to conduct an SRA is the most cited HIPAA violation in OCR enforcement actions. Organizations have paid millions in settlements specifically because they couldn't produce evidence of a risk assessment. Here's how to get it right.
Step 1: Scope and Inventory
Before assessing risk, you need to know exactly what you're protecting and where it lives.
- Identify all systems that create, receive, maintain, or transmit ePHI — EHR systems, patient portals, email, fax, billing software, scheduling tools, backup systems, mobile devices
- Map data flows — How does ePHI move through your organization? Document every point of entry, storage, processing, and exit (including to business associates)
- Inventory all hardware and media — servers, workstations, laptops, tablets, smartphones, USB drives, backup tapes, paper records that are scanned
- Document all network connections — internal networks, Wi-Fi, VPN, cloud services, remote access points, IoT/medical devices
- List all business associates and vendors who have access to ePHI — cloud providers, billing companies, IT support, shredding services, answering services
Step 2: Identify Threats and Vulnerabilities
For each system and data flow identified above, determine what could go wrong.
- Natural threats — fire, flood, earthquake, power outage, severe weather affecting facility or data center
- Human threats (unintentional) — employee errors, accidental disclosure, lost devices, misconfigured systems, improper disposal
- Human threats (intentional) — hacking, ransomware, phishing, insider threats, social engineering, stolen credentials
- Technical vulnerabilities — unpatched software, weak passwords, missing encryption, open ports, default credentials, missing MFA
- Physical vulnerabilities — unlocked server rooms, unattended workstations, lack of visitor logs, no camera coverage, tailgating
Step 3: Evaluate Current Security Controls
Assess what safeguards you already have in place across the three HIPAA safeguard categories.
Administrative Safeguards (§164.308)
- Security management process — Do you have documented policies and procedures? Are they reviewed and updated regularly?
- Assigned security responsibility — Is there a designated HIPAA Security Officer? Do they have authority and resources?
- Workforce security — Are background checks performed? Do you have procedures for authorizing access and terminating it when employees leave?
- Information access management — Is access to ePHI based on role and minimum necessary? Can you demonstrate who has access to what?
- Security awareness and training — Is HIPAA training conducted at hire and annually? Do you run phishing simulations?
- Security incident procedures — Do you have a documented incident response plan? Has it been tested? Do staff know how to report incidents?
- Contingency plan — Do you have data backup, disaster recovery, and emergency operations plans? When were they last tested?
- Business associate agreements — Are BAAs executed with all vendors who access ePHI? Are they current?
Physical Safeguards (§164.310)
- Facility access controls — Are server rooms locked? Are there visitor sign-in procedures? Badge access? Alarm systems?
- Workstation security — Are screens positioned away from public view? Auto-lock enabled? Clean desk policy?
- Device and media controls — Do you have procedures for disposing of devices containing ePHI? Are drives wiped or destroyed?
Technical Safeguards (§164.312)
- Access controls — Unique user IDs for every user? Emergency access procedures? Auto-logoff? Encryption at rest?
- Audit controls — Are system access logs enabled and reviewed? Can you track who accessed what ePHI and when?
- Integrity controls — Are there mechanisms to verify ePHI hasn't been altered or destroyed improperly?
- Transmission security — Is ePHI encrypted in transit (TLS/SSL)? Are there controls to prevent unauthorized interception?
- Authentication — Is multi-factor authentication enabled for remote access? For EHR systems? For email?
Step 4: Determine Risk Levels
For each threat-vulnerability pair, assign a risk level based on:
- Likelihood — How probable is this threat exploiting this vulnerability? (Low / Medium / High)
- Impact — If it happened, how severe would the consequences be? Consider harm to patients, financial loss, regulatory penalties, reputational damage. (Low / Medium / High)
- Risk level = Likelihood x Impact — This gives you a prioritized matrix for remediation
Document your rationale for each rating. OCR wants to see that you thought critically about your risks — not that you used a tool that auto-generated scores without human judgment.
Step 5: Remediation Plan
- Prioritize by risk level — Address high-risk items first, then medium, then low
- Assign owners — Every remediation action needs a responsible person and a deadline
- Document acceptance — If a risk is accepted (not mitigated), document why and get management sign-off
- Track progress — Maintain a risk register and review it quarterly
- Re-assess regularly — The SRA must be updated when significant changes occur (new systems, new locations, breaches, organizational changes) and at minimum annually
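As an added illustration of Steps 4 and 5 (not part of the original checklist), the script below keeps a small risk register: it pairs each threat with a vulnerability, scores Likelihood x Impact on the Low/Medium/High scale, orders the result for remediation, and flags entries an OCR reviewer would question (a rating with no rationale, an accepted risk without management sign-off, an open item without an owner or deadline). The score-to-level thresholds and the register entries are constructed assumptions, not taken from any real assessment.

```python
"""Minimal SRA risk register: threat/vulnerability pairs, Likelihood x Impact
scoring, prioritised output and documentation-gap checks."""
from dataclasses import dataclass
from typing import List, Optional

SCALE = {"Low": 1, "Medium": 2, "High": 3}  # Low/Medium/High from the checklist


@dataclass
class RiskItem:
    system: str            # system or data flow from the Step 1 inventory
    threat: str            # Step 2 threat
    vulnerability: str     # Step 2 vulnerability the threat could exploit
    likelihood: str        # Low / Medium / High
    impact: str            # Low / Medium / High
    rationale: str = ""    # why the rating was chosen (OCR expects this)
    owner: Optional[str] = None      # responsible person for remediation
    deadline: Optional[str] = None   # ISO date for remediation
    accepted: bool = False           # risk accepted instead of mitigated
    accepted_by: Optional[str] = None  # management sign-off for acceptance

    def score(self) -> int:
        return SCALE[self.likelihood] * SCALE[self.impact]  # 1..9

    def level(self) -> str:
        # Assumed thresholds: 6 or 9 -> High, 3 or 4 -> Medium, 1 or 2 -> Low
        return "High" if self.score() >= 6 else "Medium" if self.score() >= 3 else "Low"


def prioritize(items: List[RiskItem]) -> List[RiskItem]:
    """Highest score first, so high-risk items are remediated first."""
    return sorted(items, key=lambda i: (-i.score(), i.system))


def audit_gaps(items: List[RiskItem]) -> List[str]:
    """Return register entries that lack the documentation OCR looks for."""
    gaps = []
    for i in items:
        tag = f"{i.system}: {i.threat} / {i.vulnerability}"
        if not i.rationale.strip():
            gaps.append(f"{tag}: no rationale recorded for the rating")
        if i.accepted and not i.accepted_by:
            gaps.append(f"{tag}: risk accepted without management sign-off")
        if not i.accepted and (i.owner is None or i.deadline is None):
            gaps.append(f"{tag}: open remediation item has no owner or deadline")
    return gaps


REGISTER = [  # constructed sample entries
    RiskItem("Patient portal", "Stolen credentials", "No MFA on remote access", "High", "High",
             "Internet-facing login; phishing is common", owner="Security Officer", deadline="2026-03-31"),
    RiskItem("Backup tapes", "Lost media", "Tapes stored unencrypted off-site", "Medium", "High",
             "", owner="IT Lead", deadline="2026-06-30"),
    RiskItem("Fax server", "Misdirected fax", "No confirmation step before sending", "Medium", "Low",
             "Low volume; outgoing faxes reviewed manually", accepted=True),
    RiskItem("Server room", "Fire", "Suppression system present and tested", "Low", "High",
             "Annual test logged", accepted=True, accepted_by="COO"),
]
```

Running `prioritize(REGISTER)` yields the portal and tape risks first, and `audit_gaps(REGISTER)` reports the missing rationale on the tape entry and the unsigned acceptance on the fax entry.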
Common Mistakes That Trigger OCR Enforcement
- Never conducting an SRA at all — The most common and most expensive mistake
- Using a checklist without analysis — OCR wants to see threat/vulnerability pairing and risk determination, not just checkboxes
- Doing it once and never updating — Your risk assessment must be a living document
- Excluding systems — Every system that touches ePHI must be included, including cloud services, mobile devices, and business associates
- Not documenting remediation — Finding risks is only half the job; you must show what you did about them
Need Help With Your HIPAA Risk Assessment?
We've conducted hundreds of HIPAA security risk assessments for clinics, hospitals, and health-tech companies. Book a free 15-minute gap check to see where you stand.