Security Risk Assessment Template

Regulatory basis: 45 CFR 164.308(a)(1)(ii)(A) requires covered entities and business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the organization.

Risk Assessment Methodology

The following nine-step methodology is consistent with NIST SP 800-30 (Guide for Conducting Risk Assessments) as referenced in the HHS Security Rule guidance. Each step should be documented thoroughly -- the documentation itself is a compliance requirement under 45 CFR 164.316.

Step 1: Scope the Assessment

Define the boundaries of the assessment. Identify all systems that create, receive, maintain, or transmit ePHI. This includes:

  • Electronic health record (EHR) systems
  • Practice management software
  • Email systems used for PHI communication
  • Mobile devices and laptops
  • Cloud storage and SaaS applications
  • Medical devices connected to the network
  • Backup and archival systems
  • Business associate systems (to the extent they handle your ePHI)

Step 2: Identify Data Collection and Storage Points

Document where ePHI enters the organization, where it is stored, how it moves between systems, and where it exits. Create a data flow diagram showing:

  • Points of ePHI creation (patient intake, lab results, imaging)
  • Internal data flows (system to system, department to department)
  • External data flows (referrals, insurance claims, patient portals)
  • Storage locations (databases, file servers, cloud storage, paper-to-digital conversions)
  • Disposal or destruction points

Step 3: Identify Threats

Enumerate potential threat sources and threat events that could exploit vulnerabilities. Common categories include:

  Category               Examples
  Natural                Floods, earthquakes, power outages, fires
  Human (intentional)    Hacking, ransomware, social engineering, insider theft
  Human (unintentional)  Misdirected emails, lost devices, misconfigured systems
  Environmental          HVAC failure, water damage, electrical surges

Step 4: Identify Vulnerabilities

For each system in scope, identify technical, administrative, and physical vulnerabilities. Methods include vulnerability scanning, penetration testing, review of audit logs, interviews with system administrators, and review of prior audit findings. Cross-reference against the safeguard checklists in 45 CFR 164.308, 164.310, and 164.312 to identify gaps.

Step 5: Assess Current Controls

Document the security controls currently in place for each system. Evaluate whether controls are implemented correctly and operating effectively. This includes reviewing policies and procedures, technical configurations, training records, and physical security measures.

Step 6: Determine Likelihood of Threat Occurrence

For each threat/vulnerability pair, estimate the likelihood that the threat will successfully exploit the vulnerability given current controls. Use a consistent scale:

High
The threat source is highly motivated and sufficiently capable, and controls are ineffective.
Medium
The threat source is motivated and capable, but controls in place may impede successful exercise of the vulnerability.
Low
The threat source lacks motivation or capability, or controls are in place to prevent or significantly reduce the vulnerability.

Step 7: Determine Impact

Assess the impact to the organization if a threat successfully exploits a vulnerability. Consider impact to confidentiality (unauthorized disclosure), integrity (unauthorized modification), and availability (loss of access) of ePHI. Use the same High/Medium/Low scale. Factor in the volume of records potentially affected -- breaches affecting 500 or more individuals trigger additional notification requirements under 45 CFR 164.408.

Step 8: Determine Risk Level

Combine likelihood and impact to assign a risk level to each threat/vulnerability pair. A standard risk matrix:

  Likelihood / Impact    High        Medium    Low
  High                   Critical    High      Medium
  Medium                 High        Medium    Low
  Low                    Medium      Low       Low

Step 9: Document Findings and Remediation Plan

Compile all findings into a risk register. For each identified risk, document:

  • Description of the threat/vulnerability pair
  • Existing controls
  • Risk level (from Step 8)
  • Recommended corrective action
  • Responsible party and target completion date
  • Residual risk after corrective action

Per 45 CFR 164.308(a)(1)(ii)(B) (Risk Management), implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. The risk assessment must be updated periodically and when there are significant changes to the environment.
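Steps 6 through 9 above, worked as a small risk-register tool: the Step 8 matrix is encoded as given, each register row carries the Step 9 fields plus a residual rating, and the 500-record notification threshold from Step 7 is flagged. This is an added example, not part of the template; the RiskEntry fields, the remediation_queue function and the sample entries are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional
LEVELS = ("High", "Medium", "Low")
# Step 8 risk matrix exactly as given in the template: (likelihood, impact) -> risk level.
RISK_MATRIX = {
    ("High", "High"): "Critical", ("High", "Medium"): "High",     ("High", "Low"): "Medium",
    ("Medium", "High"): "High",   ("Medium", "Medium"): "Medium", ("Medium", "Low"): "Low",
    ("Low", "High"): "Medium",    ("Low", "Medium"): "Low",       ("Low", "Low"): "Low",
}
RANK = ("Critical", "High", "Medium", "Low")  # highest priority first

def risk_level(likelihood: str, impact: str) -> str:
    # Combine the Step 6 likelihood and Step 7 impact ratings via the Step 8 matrix.
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"ratings must be one of {LEVELS}, got {likelihood!r}/{impact!r}")
    return RISK_MATRIX[(likelihood, impact)]

@dataclass
class RiskEntry:  # one row of the Step 9 risk register (a single threat/vulnerability pair)
    description: str
    existing_controls: str
    likelihood: str
    impact: str
    records_affected: int                      # ePHI records exposed if the threat is realized
    corrective_action: str = ""
    residual_likelihood: Optional[str] = None  # ratings expected after corrective action
    residual_impact: Optional[str] = None

    @property
    def level(self) -> str:
        return risk_level(self.likelihood, self.impact)
    @property
    def residual_level(self) -> Optional[str]:
        if self.residual_likelihood is None or self.residual_impact is None:
            return None                        # no corrective action planned yet
        return risk_level(self.residual_likelihood, self.residual_impact)
    @property
    def large_breach(self) -> bool:
        return self.records_affected >= 500    # 45 CFR 164.408 threshold cited in Step 7

def remediation_queue(register: List[RiskEntry], accept: str = "Low") -> List[RiskEntry]:
    # Entries rated above the accepted level, highest first (sorted() is stable for ties).
    return sorted((e for e in register if RANK.index(e.level) < RANK.index(accept)),
                  key=lambda e: RANK.index(e.level))

SAMPLE_REGISTER = [  # constructed, hypothetical entries for illustration only
    RiskEntry("Lost unencrypted laptop with EHR export", "Screen lock", "High", "High", 12000, "Full-disk encryption", "High", "Low"),
    RiskEntry("Misdirected email with lab result", "Staff training", "Medium", "Low", 1),
    RiskEntry("HVAC failure in server room", "Temperature alarms", "Low", "High", 40000),
]
```

With the sample register, the laptop entry rates Critical, the HVAC entry Medium and the misdirected email Low, so the remediation queue at the default "Low" acceptance level contains the first two, in that order.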

Frequency and Documentation

While the Security Rule does not prescribe a specific frequency for risk assessments, OCR guidance and enforcement actions indicate that annual assessments are a reasonable practice. Risk assessments must also be updated when significant changes occur -- new systems, mergers, security incidents, or changes in regulatory requirements. All documentation must be retained for six years per 45 CFR 164.316(b)(2)(i).