HIPAA Risk Assessment Requirements: What Your Practice Actually Needs (2026)
The risk assessment is the single most-cited deficiency in OCR enforcement actions. That is not because the requirement is new; it has been in the Security Rule since it was published in 2003. It is because most practices either skip it, treat it as a checkbox, or do it once and never revisit it.
The actual regulatory requirement
The HIPAA Security Rule at 45 CFR § 164.308(a)(1)(ii)(A) requires covered entities and business associates to "conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate."
That is the full text of the implementation specification. It does not tell you how to do it. It does not tell you how often. It does not give you a template. This is by design — HHS wrote the Security Rule to be scalable across a two-physician clinic and a hospital system with 40,000 employees. The tradeoff is that "scalable" also means "ambiguous," and ambiguity leads to mistakes.
What OCR actually expects
OCR has published guidance (most recently updated in 2024) that fills in what the regulation leaves out. Based on that guidance and settlement agreements, a compliant risk assessment must:
- Identify all ePHI. Every system, device, and medium where electronic protected health information is created, received, maintained, or transmitted. This includes your EHR, your email (if you send or receive patient information), portable devices, cloud storage, and paper-to-digital workflows like scanning.
- Identify threats and vulnerabilities. Threats are things that could exploit a weakness — ransomware, phishing, a lost laptop, a disgruntled employee. Vulnerabilities are the weaknesses themselves — unpatched software, no encryption, weak passwords, lack of access controls.
- Assess likelihood and impact. For each threat-vulnerability pair, estimate how likely it is to occur and how bad it would be if it did. You do not need a quantitative model. A simple high/medium/low matrix is fine as long as the same matrix is applied to every pair, the rating rule is written down, and anyone reading the assessment later can see how each rating was reached.
- Document current safeguards. What are you already doing to mitigate each risk? Firewalls, encryption, training, access controls, backup procedures. If a safeguard exists, write it down. If it does not, that is a gap.
- Assign risk levels and create a remediation plan. Risks rated as high need a plan with a timeline. You do not have to fix everything immediately, but you do have to show that you identified the risk, prioritized it, and are working on it.
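The list above describes a procedure: rate every threat-vulnerability pair with one documented matrix, record which pairs have no safeguard at all, and turn the high ratings into a dated remediation plan. The script below is an added example of that procedure, written for this page; it is not code from the original article or from BlackSheep's platform. The 3x3 matrix, the remediation deadlines (30/90/365 days), and the sample register entries are all assumptions chosen for illustration; a practice should substitute its own documented values.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# A high/medium/low matrix is acceptable only if it is consistent and documented.
# Writing the matrix out cell by cell makes the rating rule explicit and repeatable.
LEVELS = ("low", "medium", "high")

# RISK_MATRIX[likelihood][impact] -> risk level. Assumed values: any pair with
# high impact rates at least "medium", because losing ePHI is rarely low impact.
RISK_MATRIX: Dict[str, Dict[str, str]] = {
    "low":    {"low": "low",    "medium": "low",    "high": "medium"},
    "medium": {"low": "low",    "medium": "medium", "high": "high"},
    "high":   {"low": "medium", "medium": "high",   "high": "high"},
}

# Remediation deadlines in days. Hypothetical policy values, not OCR's.
DEADLINE_DAYS = {"high": 30, "medium": 90, "low": 365}


@dataclass
class RiskItem:
    asset: str                 # system, device or medium holding ePHI
    threat: str                # what could exploit the weakness
    vulnerability: str         # the weakness itself
    likelihood: str            # "low" | "medium" | "high"
    impact: str                # "low" | "medium" | "high"
    safeguards: List[str] = field(default_factory=list)  # what already mitigates it


def rate(item: RiskItem) -> str:
    """Apply the documented matrix; refuse to rate anything with an unrated axis."""
    if item.likelihood not in LEVELS or item.impact not in LEVELS:
        raise ValueError(f"unrated pair: {item.asset} / {item.threat}")
    return RISK_MATRIX[item.likelihood][item.impact]


def build_register(items: List[RiskItem]) -> List[dict]:
    """Rate every pair, flag pairs with no safeguard as gaps, and order the
    result so the remediation plan reads top-down: highest risk first, and
    within a risk level, gaps (nothing in place at all) before mitigated pairs."""
    rows = []
    for it in items:
        level = rate(it)
        rows.append({
            "asset": it.asset,
            "threat": it.threat,
            "vulnerability": it.vulnerability,
            "risk": level,
            "gap": not it.safeguards,
            "safeguards": list(it.safeguards),
            "deadline_days": DEADLINE_DAYS[level],
        })
    order = {"high": 0, "medium": 1, "low": 2}
    rows.sort(key=lambda r: (order[r["risk"]], not r["gap"]))
    return rows


# Constructed sample register for a small practice (illustrative only).
SAMPLE_ITEMS = [
    RiskItem("EHR server", "ransomware", "no offline backups", "high", "high",
             ["endpoint antivirus"]),
    RiskItem("Front-desk email", "phishing", "no multi-factor authentication",
             "high", "medium"),
    RiskItem("Clinician laptops", "lost or stolen device", "disk not encrypted",
             "medium", "high"),
    RiskItem("Cloud scheduling tool", "vendor breach", "no signed BAA on file",
             "low", "high"),
    RiskItem("Scanning workstation", "unauthorized local access",
             "shared login", "low", "low", ["workstation in locked office"]),
]


if __name__ == "__main__":
    for row in build_register(SAMPLE_ITEMS):
        flag = "GAP" if row["gap"] else "mitigated"
        print(f'{row["risk"]:6} {flag:9} {row["deadline_days"]:>3}d  '
              f'{row["asset"]}: {row["threat"]} via {row["vulnerability"]}')
```

Two details carry the compliance point. `rate` raises on any pair that was never scored, so an incomplete inventory fails loudly instead of silently dropping out of the register. And the sort puts unmitigated high risks at the top, which is exactly the list OCR will ask about first: the risks you identified and had nothing in place for.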
How often you need to do this
The regulation text quoted above sets no frequency. OCR's risk analysis guidance describes the assessment as an ongoing process that must be repeated when the environment changes, and its enforcement record treats an annual assessment as the accepted floor. So the working rule is: at least annually, and again after any significant change to your environment. Significant changes include:
- Switching or upgrading your EHR system
- Moving to a new office or adding a location
- Adopting new technology (telehealth platforms, patient portals)
- A merger, acquisition, or change in business associates
- A security incident, even if it did not result in a breach
If your last risk assessment is from 2022 and nothing has changed since then, you are already overdue. If your last risk assessment is from 2022 and you switched EHR vendors in 2023, you are significantly overdue.
Common mistakes that lead to enforcement
OCR has imposed penalties ranging from $100,000 to over $4 million for risk assessment failures. The patterns repeat:
1. Never doing one at all
This is the most common finding in small practice investigations. The practice assumed their IT vendor "handled security" and never conducted a formal assessment. Your IT vendor may manage your firewall, but they are not conducting your HIPAA risk assessment unless you specifically hired them to do so under a documented agreement.
2. Doing a checklist instead of an assessment
A yes/no compliance checklist is not a risk assessment. A risk assessment identifies specific threats to your specific environment, evaluates how likely they are, and documents what you are doing about them. Checking a box that says "We have antivirus software" does not address whether that software is current, whether it covers all endpoints, or whether antivirus alone is sufficient for the threats you face.
3. Assessing but not remediating
Identifying risks and then putting the report in a drawer is arguably worse than not assessing at all. In the 2018 Anthem settlement ($16 million), OCR specifically cited the failure to address risks that had been identified in prior assessments. If you knew about a vulnerability and did nothing, OCR can treat that as willful neglect under HITECH, the penalty tier at which a civil money penalty is mandatory rather than discretionary.
4. Scoping too narrowly
The assessment must cover all ePHI, not just the EHR. If your front desk staff emails appointment reminders containing patient names, that email system is in scope. If physicians text each other about patients, those phones are in scope. If you use a cloud-based scheduling tool, that tool is in scope.
What to actually do
If you are a small or mid-size healthcare practice, here is a practical path forward:
- Inventory your ePHI. Walk through every system and process that touches patient data. Write it down.
- Use the HHS SRA Tool or equivalent. The free SRA Tool from HHS walks you through every Security Rule standard. It is not perfect, but it covers the bases and produces documentation OCR recognizes.
- Document everything. The assessment itself, your risk ratings, your remediation plan, your timeline, and who signed off. The Security Rule (45 CFR § 164.316(b)(2)) requires this documentation to be retained for six years from the date it was created or last in effect, so store it somewhere you can still find it when OCR asks years later.
- Act on the findings. Prioritize high risks. Set deadlines. Assign responsibility. Track completion.
- Schedule the next one. Put it on the calendar. Annual minimum.
How BlackSheep fits in
BlackSheep's HIPAA compliance platform includes a guided risk assessment that maps directly to 45 CFR § 164.308(a)(1). It walks your team through asset inventory, threat identification, risk scoring, and remediation tracking — then stores everything with timestamps and version history so you have an audit trail when you need one.
It does not replace your judgment about your own environment. It gives you structure so you are not starting from a blank page every year.
Stop guessing whether your risk assessment is compliant.
Start your risk assessment with BlackSheep