What’s actually included in a HIPAA Risk Assessment service?

A proper HIPAA Security Risk Assessment (SRA) goes far beyond checking a few boxes or running a scan. When performed correctly, it identifies where electronic protected health information (ePHI) lives, who has access, what safeguards are in place, and where your gaps are, along with documented evidence and a plan to fix what’s missing.

Here’s what’s typically included in a full HIPAA Risk Assessment engagement, plus the deliverables, the evidence you should expect, and how long it should take. HIPAA Risk Assessment services usually include:

  • A complete inventory of ePHI systems and data flows
  • Identification of vulnerabilities and threats to confidentiality, integrity, and availability
  • Likelihood and impact analysis for each risk
  • Documentation of existing safeguards and gaps
  • A risk rating for each finding (High/Medium/Low)
  • A remediation plan with action items, owners, and timelines
  • Evidence documentation (policies, screenshots, logs, contracts)

A formal report and attestation are typically provided, and timelines range from 1 to 6 weeks depending on organization size and complexity.


Why This Matters

The HIPAA Security Rule (§164.308(a)(1)(ii)(A)) requires covered entities and business associates to conduct an “accurate and thorough assessment of the potential risks and vulnerabilities” to the confidentiality, integrity, and availability of ePHI. This isn’t a one-time task, and it must be updated regularly, especially when your systems or operations change.

Importantly, the Office for Civil Rights (OCR) doesn’t just want to see that a risk assessment was done. They want to see how thorough it was, what you found, what you prioritized, and what actions you took. Many clinics that face fines or corrective action plans during HIPAA investigations either didn’t do a proper assessment, or can’t show documentation to prove it.


What’s Typically Included in a HIPAA Risk Assessment?

Here’s a breakdown of what most reputable HIPAA risk assessment services should include:

1. Data Mapping and ePHI Inventory

  • Identification of all systems, platforms, and locations where ePHI is created, received, maintained, or transmitted (EHRs, email, cloud, USBs, fax services, etc.)
  • Shadow IT discovery and workflows that bypass formal systems

2. Vulnerability and Threat Analysis

  • Identification of gaps in technical safeguards (no encryption, weak access control)
  • Assessment of administrative weaknesses (no terminated user tracking)
  • Evaluation of physical vulnerabilities (unlocked storage, shared workstations)

3. Risk Determination Matrix

  • Likelihood × Impact scoring to calculate risk level
  • Clear rationale for each rating, aligned with HHS/OCR guidance

4. Safeguard Review

  • Review of existing controls: policies, technical tools, physical barriers
  • Highlighting compensating controls if ideal safeguards aren’t in place

5. Evidence Collection

  • Screenshots of implemented controls (password settings, logs)
  • Policy documentation and logs
  • Vendor contracts and Business Associate Agreements (BAAs)
  • Asset and access inventories

6. Remediation Plan

  • Action items for each risk
  • Assigned ownership
  • Suggested timelines and prioritization (fix high-risk items in 30 days)
  • Optional: integration with risk registers or project tracking tools
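As an added illustration of sections 3 and 6 above (example code, not from the article or any vendor named in it): each finding is scored as Likelihood × Impact, mapped to High/Medium/Low, given a documented rationale and owner, and turned into a remediation plan whose due dates follow the article’s “fix high-risk items in 30 days”. The 1–3 scales, the score cut-offs, the 60/90-day windows for Medium/Low and the sample findings are all assumptions.

```python
# Added example (not from the article): Likelihood x Impact scoring on 1-3
# scales, mapped to High/Medium/Low, plus a remediation plan whose due dates
# follow the article's "fix high-risk items in 30 days". The 60/90-day windows
# for Medium/Low, the scale cut-offs and the sample findings are assumptions.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

SCALE = {"low": 1, "medium": 2, "high": 3}           # shared likelihood/impact scale
DUE_DAYS = {"High": 30, "Medium": 60, "Low": 90}     # only the 30 is from the article


@dataclass
class Finding:
    system: str       # where the ePHI lives
    weakness: str     # the gap found
    likelihood: str   # "low" | "medium" | "high"
    impact: str       # "low" | "medium" | "high"
    rationale: str    # documented reason for the rating (OCR expects this)
    owner: str        # who is responsible for fixing it


def risk_rating(likelihood: str, impact: str) -> tuple[int, str]:
    """Return (score, rating): score is likelihood x impact (1-9)."""
    score = SCALE[likelihood] * SCALE[impact]
    rating = "High" if score >= 6 else "Medium" if score >= 3 else "Low"
    return score, rating


def remediation_plan(findings: list[Finding], assessed_on: Optional[date] = None) -> list[dict]:
    """Rate every finding and return action items, highest risk first."""
    start = assessed_on or date.today()
    items = []
    for f in findings:
        score, rating = risk_rating(f.likelihood, f.impact)
        items.append({"system": f.system, "weakness": f.weakness, "score": score,
                      "rating": rating, "rationale": f.rationale, "owner": f.owner,
                      "due": start + timedelta(days=DUE_DAYS[rating])})
    return sorted(items, key=lambda i: i["score"], reverse=True)


# Constructed sample findings modelled on the gaps the article lists.
SAMPLE_FINDINGS = [
    Finding("Cloud EHR", "no MFA on remote logins", "high", "high",
            "internet-facing login guarding full patient records", "IT lead"),
    Finding("Front-desk workstation", "shared login, screen left unlocked",
            "medium", "medium", "public area, but only scheduling data", "Practice manager"),
    Finding("Fax service", "no access review when staff leave", "low", "medium",
            "few accounts, reviewed yearly", "Compliance officer"),
]
```

Each plan entry carries the rating, its rationale, an owner and a due date, which is the minimum an auditor will ask to see alongside the finding itself.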

7. Formal Documentation and Attestation

  • PDF report with findings, ratings, and evidence
  • Attestation letter or cover page stating the risk assessment was conducted in alignment with HIPAA
  • Optional executive summary for board, compliance committee, or auditors

Timeline Expectations

The timeline depends on your size and complexity, but here’s a typical breakdown:

Organization Size              Timeline
Solo practice                  1–2 weeks
Small group practice           2–3 weeks
Medium-sized clinic or FQHC    3–4 weeks
Large multi-site system        4–6+ weeks

Cloud-first or hybrid environments may take longer if integrations and third-party vendors are extensive.


What Evidence Should You Expect to Receive?

OCR expects documentation, not just conclusions. At a minimum, your SRA deliverables should include:

  • Date of completion and scope
  • Full risk analysis report
  • Risk rating methodology
  • Evidence appendices or folder structure
  • Remediation timeline or risk management plan
  • A method for tracking follow-up (spreadsheet, worklist, risk register, or ticketing tool)

Comparing HIPAA Risk Assessment Services: Platform vs. Partner

There are a growing number of companies offering HIPAA SRA services, but they’re not all built the same. Some lean toward automation, others offer templates, and some take a hands-on, healthcare-first approach.

Type | Examples | Strengths | Weaknesses
Automation-first | Vanta, Drata | Fast, API integrations, strong in tech stacks | Often light on healthcare nuance, limited in physical/admin safeguards
Template-based compliance tools | Compliancy Group, Accountable HQ | Built for HIPAA, provide a framework | May feel checkbox-heavy, need manual effort to adapt
Healthcare-specific platforms | Medcurity, Secureframe, Aptible | Deep understanding of healthcare workflows, tailored controls | Slightly longer process, but higher-quality results and findings

Why This Matters

OCR enforcement actions have made it clear: automated scans alone are not sufficient for HIPAA compliance. Your assessment must reflect real operations, including how ePHI is handled across front desks, clinical devices, cloud EHRs, mobile phones, and remote staff.

That’s where specialized services like Medcurity offer a major advantage. The platform is built for clinics, FQHCs, and healthcare systems, mapping real-world workflows and producing actionable risk ratings tied to live systems, not just best-practice theory.


In Conclusion

Not all HIPAA Risk Assessments are created equal. If your risk analysis feels more like a checkbox than a roadmap, you’re not getting what the Security Rule requires, or what OCR expects. A strong SRA includes real-world evidence, a thoughtful remediation plan, and documentation you can stand behind in an audit or breach. Don’t settle for vague reports. Make sure your assessment gives you the tools (and proof) you need to improve security and reduce liability.
