HIPAA Compliance Risk Assessment: Complete Guide

Introduction

Healthcare data breaches are the most expensive incidents any organization can face, and the costs keep climbing. According to IBM's 2025 Cost of a Data Breach Report, the average healthcare breach now costs $7.42 million, the highest of any industry for the 14th consecutive year.

The primary driver of that enforcement exposure: inadequate or missing risk assessments rank among the most common findings in OCR enforcement actions. In 2024 alone, HHS OCR cited failure to conduct a compliant risk analysis in 14 of 22 resolution agreements and civil money penalty cases, enforcement actions totaling nearly $10 million in penalties.

A HIPAA risk assessment isn't a compliance checkbox. It's the foundation of your entire security program. For boards and executive teams, failing to understand this process isn't a technical oversight — it's a fiduciary one.

This guide covers:

  • What a HIPAA risk assessment actually requires under the law
  • The three distinct assessment types most organizations overlook
  • A step-by-step process for conducting one correctly
  • What leadership accountability looks like when things go wrong

TL;DR

  • A HIPAA risk assessment is a required, documented evaluation of all risks to protected health information (PHI), mandated under 45 CFR § 164.308 and 45 CFR § 164.402.
  • Both covered entities and business associates carry legal accountability; neither can delegate away that obligation.
  • Three distinct assessment types exist — Security (ePHI), Breach Notification, and Privacy — yet most organizations only conduct one.
  • Failing to conduct — or poorly documenting — a risk assessment exposes organizations to penalties up to $2,190,294 per violation under the Willful Neglect tier.
  • Risk assessments are not one-time events — periodic reassessment is required after technology changes, M&A activity, leadership transitions, or security incidents.

What Is a HIPAA Compliance Risk Assessment?

A HIPAA risk assessment is a systematic, documented process to identify potential threats and vulnerabilities to the confidentiality, integrity, and availability of all PHI an organization creates, receives, maintains, or transmits. It's mandated under two distinct provisions:

  • Security Rule, 45 CFR § 164.308(a)(1)(ii)(A): requires an "accurate and thorough" assessment of risks to electronic PHI (ePHI)
  • Breach Notification Rule, 45 CFR § 164.402: requires a documented risk assessment whenever an impermissible disclosure occurs

Risk Assessment vs. Risk Analysis — What's the Difference?

These terms are often used interchangeably. In practice, they describe two sequential steps:

  • Risk assessment — identifies what risks exist: threats, vulnerabilities, and the PHI they affect
  • Risk analysis — takes those findings and assigns likelihood and impact ratings to determine priority and drive remediation

Both are required. An assessment without analysis produces a list of problems with no prioritization. An analysis without a documented assessment has no evidentiary foundation in an OCR audit.

HHS does not mandate a single methodology. Organizations have flexibility in approach based on their size and complexity, but the output must be accurate, thorough, and fully documented regardless of which method they choose.


The Three Types of HIPAA Risk Assessments

Most organizations run one risk assessment and call it complete. That's a compliance gap — a defensible HIPAA program requires all three.

Security Risk Assessment (ePHI)

This is the primary, explicitly required assessment under 45 CFR § 164.308. It evaluates all threats and vulnerabilities to electronic PHI across administrative, physical, and technical safeguards.

Scope extends further than most organizations assume. The assessment must cover:

  • Network infrastructure, servers, and workstations
  • Cloud environments and hosted applications
  • Portable devices (laptops, USB drives, mobile phones)
  • Third-party vendor and consultant systems
  • Any electronic media where ePHI exists

The "accurate and thorough" standard in HHS language means this cannot be satisfied by a generic checklist tool alone. It requires expert review and must account for every system and environment where ePHI lives.

Breach Risk Assessment

Under the Breach Notification Rule, any impermissible acquisition, access, use, or disclosure of unsecured PHI is presumed to be a reportable breach — unless the organization can demonstrate a low probability of compromise through a documented four-factor analysis:

  1. The nature and extent of PHI involved, including re-identification risk
  2. Who accessed or received the PHI
  3. Whether the PHI was actually acquired or viewed
  4. The degree to which risk has been mitigated

[Figure: four-factor HIPAA breach risk assessment process flow]

Organizations that skip this assessment face two bad outcomes: under-reporting (which invites OCR scrutiny when breaches surface) or over-reporting every incident (which creates unnecessary regulatory and reputational exposure). The burden of proof sits with the covered entity or business associate.

Privacy Risk Assessment

This assessment extends beyond ePHI to address physical records, verbal disclosures, individual access rights, business associate agreements, and Privacy Rule compliance. It maps PHI flows — both internal and external — and is typically owned by the Privacy Officer.

It's especially relevant for organizations with hybrid environments, complex workflows, or multiple business associate relationships. The Security Rule assessment doesn't close this gap: a covered entity can pass a Security Risk Assessment and still carry material Privacy Rule exposure.


Why HIPAA Risk Assessments Are Non-Negotiable for Executive Leadership

The Enforcement Record Is Clear

OCR's settlement history makes one pattern unmistakable: inadequate risk assessments generate the largest penalties. A few examples from the record:

Year   Entity                          Settlement    Finding
2018   Anthem, Inc.                    $16,000,000   Security Rule failures including risk analysis deficiencies
2020   Premera Blue Cross              $6,850,000    Risk analysis and risk management failures
2024   Cascade Eye and Skin Centers    $2,500,000    Failure to conduct compliant risk analysis
2024   Heritage Valley Health System   $950,000      Failure to conduct compliant risk analysis

These aren't edge cases. In 2024, failure to conduct a compliant risk analysis appeared in 14 of 22 enforcement resolutions.

Penalty Exposure by Violation Tier

2026 HHS inflation-adjusted penalties make the financial stakes concrete:

Tier   Culpability                                  Min per Violation   Max per Violation
1      Did not know                                 $145                $73,011
2      Reasonable cause, not willful neglect        $1,461              $73,011
3      Willful neglect, corrected within 30 days    $14,602             $73,011
4      Willful neglect, not corrected               $73,011             $2,190,294

[Figure: HIPAA civil monetary penalty tiers and maximum fine amounts]

The critical governance point: when leadership "knew, or by exercising reasonable diligence would have known" of a vulnerability and failed to act, enforcement moves into Tier 3 or Tier 4 territory. At that point, the board owns the exposure — and regulators will treat it accordingly.

Business Associate Exposure Doesn't Stay with the Associate

That accountability extends beyond your own operations. In 2024, business associates accounted for just 16% of large breach reports — but 85% of affected individuals (206,921,071 people).

Covered entities cannot outsource their liability. If you fail to monitor business associate compliance, OCR can hold you accountable for their violations under the Business Associate Agreement framework.

The Strategic Case for Regular Assessments

Beyond compliance, risk assessments deliver measurable operational value:

  • Identify security gaps before they become breach events
  • Improve incident response readiness before an event occurs
  • Enable growth — M&A, new vendors, new technology — without creating compliance blind spots
  • Protect organizational reputation with patients, partners, and regulators

For boards reviewing risk posture, a documented assessment program is also the clearest evidence that oversight is functioning — which matters as much to regulators as it does to directors.


How to Conduct a HIPAA Compliance Risk Assessment: Step by Step

HHS does not mandate a specific methodology, but OCR's guidance aligns closely with the NIST risk management framework (NIST SP 800-30 and SP 800-66 Rev. 2). The steps below reflect both regulatory expectations and practical execution — with the failure points most organizations hit.

Step 1 — Define Scope and Identify All PHI Locations

Document every location where PHI is created, received, maintained, or transmitted:

  • Physical assets: servers, workstations, filing systems, paper records
  • Cloud environments and SaaS applications
  • Third-party vendor systems with PHI access
  • Portable devices: laptops, mobile phones, removable media

The most common scoping mistake is assuming PHI exists only in the EHR. In most organizations, PHI touches dozens of systems — billing platforms, scheduling tools, email archives, fax systems, and more.

Step 2 — Identify and Document Threats and Vulnerabilities

Catalog all reasonably anticipated threats across three categories:

  • External: ransomware, unauthorized access, phishing, third-party breaches
  • Human: employee error, insider threats, lack of training, weak access controls
  • Environmental: natural disasters, power failures, hardware failures

Map each threat to specific vulnerabilities in current systems, policies, or procedures. Undocumented assessments carry no weight in an OCR audit — if it's not written down, it didn't happen.

Step 3 — Assess Existing Security Measures

Evaluate whether current safeguards are in place, properly configured, and actually used — across all three HIPAA domains:

  • Administrative: policies, workforce training, access management procedures
  • Physical: facility access controls, workstation use policies, device disposal
  • Technical: encryption, audit logs, automatic logoff, transmission security

This is where gap analysis happens. The most common finding: safeguards exist on paper — policies written, systems purchased — but are not operationally enforced. Document both what's working and what isn't.

[Figure: HIPAA safeguards gap analysis across the administrative, physical and technical domains]

Step 4 — Assign Likelihood and Impact Ratings

For each threat-vulnerability combination, assign:

  • Likelihood score — probability of occurrence
  • Impact score — severity if it occurs
  • Combined risk level — High, Medium, or Low

Both qualitative (H/M/L) and quantitative approaches are acceptable. The methodology must be applied consistently and documented.

Step 5 — Prioritize, Remediate, and Build a Risk Management Plan

Use risk level assignments to build a prioritized remediation plan. Each item needs:

  • A specific, named owner (not a committee)
  • A due date tied to operational reality
  • Proof of closure: test results, access review evidence, screenshots, logs

This is where most assessments fail. Teams complete the assessment and shelve the remediation plan. If a fix slips, it should become visible within two weeks — not two quarters.

[Figure: HIPAA risk assessment six-step process flow, from scope definition to periodic review]

Step 6 — Review, Update, and Repeat

Establish a review cadence (annually at minimum) and define the triggers that require an off-cycle reassessment:

  • Adoption of new technology or platforms
  • Security incidents or breaches
  • Leadership or ownership transitions
  • M&A activity or new business associate relationships
  • Significant workflow changes

Organizations in transition — new leadership, technology modernization, post-acquisition integration — face these triggers frequently. Build trigger-based reassessment into governance policy, assign a named owner for each trigger, and ensure the board or risk committee sees the outcome — not just confirmation that a review occurred.
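As an added illustration of Steps 4 and 5 (not code from the article or its author), the following Python risk register applies one fixed likelihood x impact matrix to every threat-vulnerability pair, orders remediation by resulting level, ties each item to a named owner and due date, and flags any open fix that has slipped more than two weeks past its date. The register entries, owner names and dates are constructed sample data.

```python
# Added example, not from the article; register entries below are constructed.
from dataclasses import dataclass
from datetime import date, timedelta

# One fixed 3x3 matrix (likelihood and impact each scored 1 = low .. 3 = high).
# A single lookup, rather than per-item judgement, is what "applied consistently" means.
RISK_MATRIX = {
    (1, 1): "Low",    (1, 2): "Low",    (1, 3): "Medium",
    (2, 1): "Low",    (2, 2): "Medium", (2, 3): "High",
    (3, 1): "Medium", (3, 2): "High",   (3, 3): "High",
}
PRIORITY = {"High": 0, "Medium": 1, "Low": 2}

@dataclass
class RiskItem:
    threat: str          # e.g. ransomware, employee error, power failure
    vulnerability: str   # the specific gap in a system, policy or procedure
    domain: str          # Administrative, Physical or Technical safeguard
    likelihood: int      # 1..3
    impact: int          # 1..3
    owner: str           # a named person, not a committee
    due: date
    closed: bool = False

    def level(self) -> str:
        if self.likelihood not in (1, 2, 3) or self.impact not in (1, 2, 3):
            raise ValueError("likelihood and impact must be scored 1..3")
        return RISK_MATRIX[(self.likelihood, self.impact)]

def prioritize(register):
    """Order High -> Medium -> Low; earliest due date first within a level."""
    return sorted(register, key=lambda r: (PRIORITY[r.level()], r.due))

def slipped(register, today, grace_days=14):
    """Open items more than grace_days past due: the two-week visibility rule."""
    return [r for r in register if not r.closed and (today - r.due) > timedelta(days=grace_days)]

# Constructed sample register for a small practice (hypothetical owners and dates)
REGISTER = [
    RiskItem("ransomware", "no offline backups of the EHR database", "Technical", 3, 3, "J. Lee (IT Director)", date(2025, 3, 1)),
    RiskItem("lost laptop", "field laptops not full-disk encrypted", "Technical", 2, 3, "J. Lee (IT Director)", date(2025, 4, 15)),
    RiskItem("employee error", "HIPAA training completion not tracked per employee", "Administrative", 2, 2, "M. Ortiz (Compliance Officer)", date(2025, 5, 30)),
    RiskItem("power failure", "no UPS on the on-premises file server", "Physical", 1, 2, "J. Lee (IT Director)", date(2025, 6, 30), closed=True),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.level():6} {r.domain:14} {r.threat:15} owner={r.owner} due={r.due}")
    for r in slipped(REGISTER, date(2025, 5, 1)):
        print(f"SLIPPED {(date(2025, 5, 1) - r.due).days} days: {r.vulnerability} ({r.owner})")
```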


How Tyson Martin Can Help

Many healthcare and regulated-industry organizations need HIPAA risk assessment leadership but don't have the internal capacity to execute it well. Tyson Martin serves as a board advisor and fractional CISO, with enterprise security experience at AWS, Home Depot, and Best Buy, bringing a governance-first perspective to PHI risk.

His approach is built for organizations in transition: new leadership, M&A activity, post-incident recovery, or technology modernization. Within the first 30 days, clients receive:

  • A one-page top risks summary with named owners and deadlines
  • A quick-win plan addressing the highest-exposure gaps
  • An incident readiness check

By day 90, that becomes an executable remediation roadmap with named owners, measurable outcomes, and proof of closure requirements.

The difference from a standard compliance consulting engagement is continuity and decision authority. Rather than delivering a report and stepping away, Tyson establishes a structured operating rhythm — weekly execution check-ins, monthly risk management reviews, quarterly board updates — so that HIPAA compliance becomes an inspectable, ongoing program rather than an annual scramble.

Board reporting translates PHI risk into plain-English business impact:

  • What could happen and what it would cost
  • What controls are in place
  • What decisions leadership needs to make

Heat maps stay consistent across reporting periods. Priorities are separated into "must fix" versus "monitor," so board conversations stay decision-focused rather than buried in technical detail.

If your organization needs to establish a defensible HIPAA risk assessment program — or is responding to an OCR finding — contact Tyson to discuss where your program stands and what needs to move first.


Frequently Asked Questions

Does HIPAA require a risk assessment?

Yes. HIPAA explicitly requires risk assessments under two provisions: the Security Rule (45 CFR § 164.308) for ePHI, and the Breach Notification Rule (45 CFR § 164.402) when an impermissible disclosure occurs. Both covered entities and business associates are subject to these requirements.

What are the 5 types of risk assessment?

Under HIPAA, organizations must conduct three assessment types: the Security Risk Assessment, Breach Risk Assessment, and Privacy Risk Assessment. In broader risk management practice, five common types exist — qualitative, quantitative, semi-quantitative, asset-based, and vulnerability-based — but HIPAA focuses on these three specifically.

What is the difference between a HIPAA risk assessment and a HIPAA risk analysis?

A risk assessment identifies what risks exist — threats, vulnerabilities, and current safeguards. A risk analysis takes those findings and assigns likelihood and impact ratings to determine remediation priority. Both are required components of a complete HIPAA Security Rule compliance process.

Who is responsible for conducting a HIPAA security risk assessment?

Responsibility typically falls on the designated HIPAA Security Officer or Compliance Officer. Organizations without dedicated in-house expertise can engage a qualified third-party advisor or fractional CISO to lead the assessment and produce defensible documentation.

How often should a HIPAA risk assessment be updated?

HHS does not specify an exact frequency, but annual review is the minimum best practice. Additional reassessments are required when new technology is adopted, organizational changes occur, security incidents happen, new business associate relationships are established, or leadership transitions take place.

What happens if an organization fails to conduct a HIPAA risk assessment?

Organizations face OCR enforcement actions and financial penalties ranging from $145 to $2,190,294 per violation, depending on culpability tier. The Willful Neglect category applies when leadership knew or should have known of the requirement, which puts risk assessment failure squarely in board governance territory.