HIPAA doesn't suggest you do a risk assessment. It requires one. The Security Rule's risk analysis standard (45 CFR §164.308(a)(1)(ii)(A)) makes it mandatory for every covered entity and business associate. No exceptions for practice size. No exceptions for budget. No exceptions for "we've never had a problem."
Yet HHS audit data shows most small practices either skip risk assessments entirely or do them so poorly they don't count. OCR has fined practices as small as two providers for failing to conduct one. It's the single most common finding in HIPAA enforcement actions — and the easiest one to prevent.
This checklist walks you through every area your risk assessment must cover. Use it as a starting point, then bring in professional guidance to turn findings into action.
How Often and When to Reassess
At minimum, conduct a full risk assessment once per year. The regulation itself says only that evaluation must be periodic; annual is the accepted floor, not a number written in the rule, so your policy should state the interval you chose. You should also reassess after major changes: a new EHR system, a new office location, staff turnover in IT or management roles, adding telehealth, or any security incident.
A risk assessment isn't a one-time checkbox. It's an ongoing process that reflects your current environment. The practice you operate today — with telehealth, cloud EHR, connected devices, and remote access — isn't the same one you ran three years ago. Your risk profile changes every time you add a system, a vendor, or an employee.
What a Risk Assessment Actually Covers
A proper HIPAA risk assessment identifies where electronic protected health information (ePHI) lives, how it moves through your practice, and what threatens it. You then rate each risk by likelihood and potential impact. Finally, you document what you'll do about each risk: implement a control, accept the risk with written justification, or transfer part of the financial risk through cyber insurance (insurance pays costs; it does not take over your breach notification duties or your liability to OCR).
The process has three phases: inventory and data flow mapping, threat and vulnerability identification, and risk rating with remediation planning. Here's the detailed breakdown by safeguard category.
1. Administrative Safeguards
Administrative safeguards are your policies, procedures, and workforce management. They're the foundation everything else sits on — and where most HIPAA violations originate.
- Designated Security Officer: Name one person responsible for HIPAA security oversight. This can be an office manager, practice administrator, or an outside consultant — but someone's name goes on the record. This person owns the risk assessment process and remediation tracking.
- Written Security Policies: Document policies covering access to ePHI, password requirements, acceptable use, mobile device management, remote access, and incident response. "We just know the rules" doesn't count. Policies must be written, dated, version-controlled, and accessible to all staff.
- Workforce Training: Every employee who touches ePHI needs security training at hire and at least annually. Topics must include phishing recognition, password rules, proper PHI handling, breach reporting, and social engineering awareness. Document who trained, when, on what topics, and keep sign-in records.
- Access Management: Review who has access to which systems. Does the front desk receptionist need access to billing reports? Does a medical assistant need access to financial data? Does a departed employee still have active credentials? Apply the minimum necessary standard — people access only what their job requires, nothing more.
- Contingency Planning: Document your data backup plan, disaster recovery plan, and emergency operations plan. What happens if your server crashes? If ransomware locks your files? If a fire destroys your office? Test your backups quarterly and document the results.
- Business Associate Agreements: List every vendor that creates, receives, stores, or transmits ePHI on your behalf: EHR provider, cloud storage, billing company, IT support, answering service, a phone system vendor that stores voicemail or recordings, shredding service. Each needs a current, signed BAA. Cleaning and maintenance crews generally are not business associates because any PHI they see is incidental; control them through your physical and visitor safeguards instead. Review the list annually.
- Incident Response Procedures: Document who does what when a security event occurs. Who disconnects affected systems? Who contacts your IT provider? Who manages breach notification? Who communicates with patients? An untested plan is barely better than no plan.
2. Physical Safeguards
Physical safeguards protect the actual devices and locations where ePHI exists. Encryption can't help you if someone walks out with the server.
- Facility Access Controls: Who can enter your server room or closet? Is it locked at all times? Do you track access? If your server sits in an unlocked closet that doubles as a supply room, that's a finding.
- Workstation Security: Screens in patient-facing areas should face away from foot traffic. Workstations should auto-lock after two minutes of inactivity. Position monitors so waiting patients can't read information from adjacent exam rooms or check-in desks.
- Workstation Use Policies: Define what staff can and cannot do on workstations that access ePHI. No personal email on clinical machines. No unauthorized software installations. No USB drives without explicit approval. No personal devices connecting to the clinical network.
- Device and Media Controls: Maintain an inventory of every device that stores or accesses ePHI — workstations, laptops, tablets, smartphones, portable drives, copiers with hard drives, and backup media. When you dispose of or repurpose a device, document verified data destruction. A retired laptop in a desk drawer is still your responsibility.
- Visitor Controls: Track non-staff access to areas where ePHI is visible or accessible. Vendor technicians, cleaning crews, and maintenance workers all need escort or access logging in sensitive areas.
3. Technical Safeguards
Technical safeguards are the IT controls that protect ePHI in your systems and across your network. This is where your IT team or managed provider earns their keep.
- Unique User Identification: Every user gets a unique login. No shared accounts — ever. When three staff members share one EHR login, your audit logs are meaningless and you can't track who accessed what.
- Role-Based Access Controls: Configure systems so staff only see what they need for their job function. Your billing clerk doesn't need access to clinical notes. Your medical assistant doesn't need access to financial reports. Review and adjust permissions whenever someone changes roles.
- Multi-Factor Authentication: Passwords alone are no longer adequate. Enable MFA on your EHR, email, remote access, cloud storage, and admin consoles. OCR increasingly treats missing MFA as a failure to implement reasonable access controls.
- Automatic Logoff: Configure all systems to lock or terminate sessions after a defined idle period. The rule does not set a number; this checklist recommends two minutes for clinical workstations and five minutes at most for administrative systems, and your written policy should state the interval you actually configured.
- Audit Logging: Your systems must record who accessed which ePHI, when, and from where. EHR systems have this built in, but you need to actually review the logs. Set a monthly review schedule. Look for access outside business hours, bulk record views, and access by departed employees.
- Encryption at Rest: ePHI stored on servers, workstations, laptops, and portable devices must be encrypted. Full-disk encryption on every laptop is non-negotiable. If an unencrypted laptop holding ePHI is lost or stolen, the loss is presumed to be a reportable breach unless a documented four-factor risk assessment shows a low probability of compromise. Encrypt the device in line with HHS's encryption guidance, keep the recovery key off the device, and the ePHI counts as "secured", which takes the loss outside the breach notification rule entirely. That safe harbor is the single most effective breach penalty reducer you can buy.
- Encryption in Transit: Data moving across networks needs encryption. Enforced TLS or a secure messaging portal for email containing ePHI (opportunistic server-to-server TLS silently falls back to plaintext when the other side doesn't offer it). HTTPS for your EHR. VPN for remote access. Never send ePHI by standard text message, and treat public or unsecured Wi-Fi as hostile: the VPN or TLS session, not the Wi-Fi, is what protects the data.
- Integrity Controls: Implement measures to confirm ePHI hasn't been altered or destroyed without authorization: file integrity monitoring on servers, checksums verified when backups are written and restored, and backup copies that malware cannot overwrite. XDR endpoint protection helps here as well, since it can detect unauthorized file modification and block known ransomware before it corrupts patient data.
- Vulnerability Scanning: Scan your network at least monthly for known vulnerabilities — unpatched systems, misconfigured firewalls, open ports, and weak protocols. Quarterly external vulnerability scans supplement your internal patching program.
- Network Monitoring: Monitor your network for unauthorized access attempts, unusual traffic patterns, and data exfiltration. 24/7 monitoring through a managed detection and response (MDR) service goes a long way toward the security incident procedures standard (§164.308(a)(6)), but it does not satisfy it on its own: you still own the response decisions, the breach risk assessment, and any patient and OCR notification.
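A concrete version of the monthly log review described in the Audit Logging item above, written as an added example rather than code from the original page. It assumes a hypothetical EHR export of comma-separated access events (timestamp, user, patient ID, action) and a hypothetical HR list of departed users; the sample log is constructed for the example. It flags the three things the checklist says to look for: access outside business hours, bulk record views (one user opening many distinct charts inside a short window), and access by departed employees whose accounts are still live.

```python
"""Monthly EHR audit-log review (added example, not code from the original page).
Assumes a hypothetical export with one event per line: timestamp,user,patient_id,action
and a hypothetical HR dict of departed users -> termination date. Sample data is constructed."""
from __future__ import annotations
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    patient_id: str
    action: str


DEPARTED = {"dr.gone": date(2025, 2, 28)}            # constructed HR data
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)  # practice hours, Mon-Fri


def constructed_sample() -> str:
    """Fake export covering the three cases the checklist names (not real data)."""
    lines = [
        "2025-03-03T09:12:00,nurse.a,P1001,view",    # Monday, in hours: normal
        "2025-03-03T09:15:00,nurse.a,P1002,view",
        "2025-03-03T22:40:00,billing.b,P1003,view",  # Monday 22:40: after hours
        "2025-03-08T10:05:00,billing.b,P1004,view",  # Saturday: after hours
        "2025-03-05T11:00:00,dr.gone,P1010,view",    # user terminated 2025-02-28
    ]
    start = datetime(2025, 3, 4, 10, 0, 0)           # Tuesday morning
    for i in range(25):                              # 25 different charts in under 10 minutes
        ts = (start + timedelta(seconds=24 * i)).isoformat()
        lines.append(f"{ts},front.c,P2{i:03d},view")
    return "\n".join(lines)


def parse_log(text: str) -> list[AccessEvent]:
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, pid, action = line.split(",")
        events.append(AccessEvent(datetime.fromisoformat(ts), user, pid, action))
    return events


def after_hours(events: list[AccessEvent]) -> list[AccessEvent]:
    """Any access on a weekend or outside business hours."""
    return [e for e in events
            if e.ts.weekday() >= 5 or not (BUSINESS_START <= e.ts.time() < BUSINESS_END)]


def bulk_access(events, window=timedelta(minutes=15), threshold=20):
    """Slide a time window over each user's events; report the largest number of
    distinct charts opened inside one window when it reaches the threshold.
    Returns (user, window_start, distinct_charts) tuples."""
    by_user: dict[str, list[AccessEvent]] = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        in_window: Counter[str] = Counter()
        lo, best = 0, None
        for e in evs:
            in_window[e.patient_id] += 1
            while e.ts - evs[lo].ts > window:         # evict events that fell out of the window
                in_window[evs[lo].patient_id] -= 1
                if in_window[evs[lo].patient_id] == 0:
                    del in_window[evs[lo].patient_id]
                lo += 1
            distinct = len(in_window)
            if distinct >= threshold and (best is None or distinct > best[2]):
                best = (user, evs[lo].ts, distinct)
        if best:
            findings.append(best)
    return findings


def departed_access(events, departed: dict[str, date]) -> list[AccessEvent]:
    """Any event by a user after their termination date: the account is still live."""
    return [e for e in events if e.user in departed and e.ts.date() > departed[e.user]]


def review(text: str, departed: dict[str, date]) -> dict:
    events = parse_log(text)
    return {"after_hours": after_hours(events),
            "bulk_access": bulk_access(events),
            "departed_access": departed_access(events, departed)}


def run_review() -> dict:
    """Run all three checks over the constructed sample."""
    return review(constructed_sample(), DEPARTED)
```

To use it on a real export, replace constructed_sample() with the file contents and DEPARTED with your HR roster; the 15-minute window and 20-chart threshold are starting points to tune for your practice. Record the review itself, including hits you investigated and judged legitimate, since the reviewed log is what an investigator asks to see.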
4. PHI Access Points You Might Miss
Most risk assessments focus on computers and EHR systems. But ePHI lives in places practices often overlook:
- Phone systems and voicemail: Voicemails containing patient symptoms, test results, or appointment details are PHI. Answering service message pads are PHI. Call recordings are PHI. Your phone system needs the same assessment as your EHR. An AI receptionist that handles calls in real time can cut down on stored voicemail, but its transcripts, call logs, and any recordings are still ePHI: the vendor is a business associate, needs a BAA, and belongs in the same assessment.
- Fax machines: Faxes sitting in a shared tray in a hallway are accessible to anyone who walks by. Position fax machines in controlled areas and implement pickup procedures.
- Printers and copiers: Modern copiers store images of every document on internal hard drives. That includes printed patient records, insurance forms, and lab results. Include copier hard drive encryption or destruction in your media controls.
- Text messages: Staff texting patient information to each other on personal phones creates unencrypted, unmonitored PHI on devices you don't control. Standard SMS is neither encrypted end to end nor logged, so it cannot meet the transmission security standard; if staff need to text, give them a secure messaging app covered by a BAA.
- Paper sign-in sheets: A clipboard at the front desk where patients write their name and reason for visit exposes PHI to every person in the waiting room.
- Whiteboards and scheduling boards: Patient names and procedures visible from public areas are disclosures. Check what's visible from hallways, waiting rooms, and check-in windows.
5. Documentation Requirements
If you didn't document it, it didn't happen. That's not a saying — it's how OCR investigators operate.
- Risk Assessment Report: Document every risk identified, its likelihood rating, its potential impact, and your planned response. Date it, sign it, and store it accessibly.
- Remediation Plan: For each risk above a tolerable level, document what you'll do, who's responsible, the target completion date, and current status. Track progress and update quarterly.
- Policy Documents: Keep all security policies current. Review and update at least annually. Version-control them with revision dates so you can demonstrate history to an auditor.
- Training Records: Log every training session with dates, attendees, topics covered, and completion verification. Keep sign-in sheets or electronic confirmations.
- Vendor Documentation: Maintain a master list of all business associates with BAA status, last review date, and security attestation records.
- Retention: HIPAA requires you to keep all compliance documentation for six years from creation or last effective date — whichever is later. Don't destroy anything prematurely. Digital storage makes this easy.
What OCR Actually Looks For
When OCR investigates a complaint or breach, they follow a predictable pattern. Knowing what they prioritize helps you focus your assessment:
First question: Do you have a risk assessment? If the answer is no, the investigation escalates immediately. A missing risk assessment is treated as a systemic failure, not a documentation oversight. OCR considers it evidence that you haven't implemented the Security Rule at all.
Second question: Did you act on your findings? A risk assessment that identifies 15 risks with no remediation action is worse than not doing one: it demonstrates you knew about the problems and ignored them. That can meet the definition of willful neglect under HIPAA's penalty tiers.
Third question: Is your assessment current? A risk assessment from 2021 doesn't demonstrate compliance in 2025. OCR expects annual assessments and interim reassessments after significant changes.
Fourth question: Does your assessment match your actual environment? A generic template with checkboxes doesn't satisfy the requirement. Your assessment must reflect your specific systems, your specific workflows, and your specific vendors. If your assessment mentions servers but you're entirely cloud-based, OCR notices the disconnect.
Common Mistakes That Invalidate Your Assessment
Using a checklist as the entire assessment. A checklist — including this one — is a guide. A valid risk assessment requires analysis: rating risks by likelihood and impact, prioritizing them, and creating specific action plans. Checking boxes without analysis doesn't satisfy OCR.
Ignoring "addressable" specifications. In HIPAA, "addressable" does not mean optional. It means you must implement the safeguard or document why an equivalent alternative is reasonable for your environment. "We decided not to" without written justification is a violation.
Leaving the IT team out. Risk assessments require input from clinical staff, administrative staff, and IT. Your office manager knows workflows and PHI touchpoints. Your IT team knows system configurations and technical controls. You need both perspectives to produce a complete assessment.
Not addressing identified risks. Finding a risk and doing nothing about it is worse than not finding it. It shows willful neglect — an aggravating factor that pushes penalties into Tier 3 and Tier 4 territory. Every identified risk needs a documented response: mitigate, accept with justification, or transfer through insurance.
Confusing compliance with security. A risk assessment that produces a binder of policies but leaves your network unmonitored, your systems unpatched, and your staff untrained is a paper exercise. OCR looks at what you actually did, not just what you wrote down. Your cybersecurity controls must match what your documentation describes.
How a Managed IT Partner Streamlines the Process
Running a thorough risk assessment requires technical scanning, policy review, staff interviews, vendor documentation review, and ongoing monitoring — all while your practice is seeing patients. Most small practices don't have the expertise or bandwidth to do it well.
A managed IT provider with healthcare experience handles the heavy lifting:
- Technical scanning and vulnerability assessment across your entire network — workstations, servers, medical devices, and cloud services
- Policy gap analysis comparing your current documentation against OCR requirements
- Staff training delivery and documentation with tracked attendance and quarterly phishing simulations
- Remediation execution — not just identifying risks, but actually fixing them: deploying encryption, configuring MFA, patching systems, segmenting networks
- Continuous compliance monitoring that catches new risks as they emerge throughout the year, not just during annual assessment
- Audit-ready documentation maintained year-round so you're never scrambling to reconstruct records
The difference between doing this in-house and using a managed provider isn't just expertise — it's consistency. A managed provider maintains your compliance posture every day, not once a year.
Your Next Step
If your practice hasn't completed a risk assessment in the last 12 months, that should change this week. Not this quarter. Not next budget cycle. This week. Every day without a current assessment is a day you're operating out of compliance with documented OCR enforcement priority number one.
We run HIPAA risk assessments built specifically for small medical practices. You get a clear report with prioritized findings and a practical remediation plan — no hundred-page documents filled with jargon. Just actionable steps ranked by risk level, plus ongoing monitoring to keep you current year-round.
Check our pricing plans to see what fits your practice size, or schedule a risk assessment consultation to get started. We'll tell you exactly where you stand and what to fix first.
Questions? Reach out to our team. We work exclusively with small medical practices and we've seen every mistake on this list — and how to fix each one.