What should a HIPAA risk assessment checklist include?
A strong HIPAA risk assessment checklist should cover scope definition, ePHI inventory, threat and vulnerability analysis, control validation, likelihood and impact scoring, remediation planning, vendor oversight, and recurring review. The goal is not just to satisfy a requirement on paper. It is to understand where electronic protected health information (ePHI) is exposed and what the organization is actually doing to reduce that risk.[1][2]
That distinction matters. In healthcare, risk assessment failures usually do not begin with an obscure legal issue. They begin with operational drift: a cloud app nobody reevaluated, stale privileged accounts, untested backup recovery, unclear business associate responsibilities, or devices storing ePHI outside the expected workflow. Over time, those gaps compound.
In our experience, the most useful checklist is one healthcare leadership can actually run. It should help the organization answer clear questions: Where does ePHI live? Which systems and vendors touch it? Which safeguards are in place? Which gaps create the most risk to confidentiality, integrity, or availability? What evidence proves the controls are working?
Why is risk analysis the starting point for HIPAA compliance?
Risk analysis is the starting point because the HIPAA Security Rule makes it foundational. OCR guidance states that conducting a risk analysis is the first step in identifying and implementing safeguards that comply with the Security Rule, and 45 C.F.R. § 164.308(a)(1)(ii)(A) requires an accurate and thorough assessment of the potential risks and vulnerabilities to ePHI.[2][3]
That means a healthcare organization should begin with reality, not templates. Before debating policy language, the IT team should know:
- where ePHI is created, received, maintained, and transmitted
- which systems, endpoints, cloud apps, and integrations store or process it
- which vendors and business associates handle it externally
- which workflows create the highest operational or patient-care risk
- which existing controls are documented, implemented, and validated
- which known gaps remain unresolved
That is why Datapath recommends tying compliance work to operating evidence instead of compliance theater. A checklist should make security easier to govern, not just easier to describe.
What are the main sections of a practical HIPAA risk assessment checklist?
The shortest useful answer is that the checklist should mirror the actual structure of risk management in a healthcare environment: scope, inventory, threats, safeguards, remediation, and review. HHS and ONC both frame risk assessment as a process that helps healthcare organizations evaluate whether administrative, physical, and technical safeguards are actually protecting ePHI.[1][2]
A practical checklist usually includes the following sections:
| Checklist area | What the organization should verify | Why it matters |
|---|---|---|
| Scope definition | The legal entity, locations, systems, and workflows in scope are clearly defined | Prevents blind spots |
| ePHI inventory | Data stores, applications, devices, and integrations touching ePHI are known | Reduces unknown exposure |
| Threat and vulnerability analysis | Credible threats and exploitable weaknesses are documented | Creates the basis for prioritization |
| Safeguard review | Administrative, physical, and technical controls are mapped and validated | Separates policy from reality |
| Likelihood and impact scoring | Risks are ranked consistently across confidentiality, integrity, and availability | Helps teams focus effort |
| Vendor and BAA review | Business associates and third parties are governed appropriately | Extends accountability beyond internal teams |
| Remediation plan | Owners, timelines, and evidence requirements exist for open risks | Turns findings into action |
| Monitoring and reassessment | Review cadence, audits, and updates are scheduled | Keeps the program current |
That structure is intentionally plain. It should be. Healthcare IT programs work better when leaders can explain them clearly under pressure.
What should the checklist require when defining scope and inventory?
The checklist should require a full accounting of where ePHI exists and how it moves. OCR guidance is explicit that the scope of risk analysis includes all ePHI a covered entity or business associate creates, receives, maintains, or transmits, regardless of medium or location.[2]
A useful scope-and-inventory section should verify:
- the legal entity and business units covered by the assessment
- all clinical, administrative, and operational systems that handle ePHI
- EHR platforms, patient portals, email systems, cloud storage, collaboration tools, and backup repositories
- laptops, desktops, tablets, mobile devices, and removable media that may store or access ePHI
- remote work, telehealth, and home-office workflows that introduce additional exposure
- interfaces and integrations between systems, including labs, billing, imaging, and SaaS tools
- current inventory of vendors and business associates with access to ePHI
This is one of the most common failure points. Organizations often assume the EHR is the scope. It is not. If ePHI shows up in email, logs, exports, backup jobs, printer queues, unmanaged endpoints, or a third-party cloud workflow, the risk analysis needs to account for it.
That is also why healthcare organizations evaluating outside support should review the Datapath homepage, our healthcare solutions page, and our related guide on IT HIPAA compliance requirements. The question is not whether the environment looks compliant in a meeting. It is whether the environment is governable in real life.
What should the checklist require for threat analysis and safeguards?
The checklist should require identification of reasonably anticipated threats and vulnerabilities, plus validation of the safeguards intended to reduce those risks. OCR expects organizations to identify threats, identify vulnerabilities, assess current security measures, determine likelihood and impact, and document the results.[2]
A practical threat-analysis section should confirm the team has evaluated risks such as:
- phishing and credential theft
- ransomware and malware
- unauthorized internal access or privilege misuse
- cloud misconfiguration and exposed data stores
- weak offboarding or stale accounts
- unsupported systems and delayed patching
- lost or stolen devices
- vendor-originated compromise
- outages, disasters, and failures affecting availability
The checklist should also verify safeguards across the three HIPAA categories:
Administrative safeguards
Administrative safeguards should include assigned ownership, risk management procedures, workforce training, incident response processes, sanction policies, and vendor governance. If leadership cannot identify who owns remediation or how exceptions are approved, the risk program is weaker than it looks.[1][4]
Physical safeguards
Physical safeguards should include facility access controls, workstation protections, device inventory, media handling, and secure disposal procedures. In hybrid healthcare environments, this should also account for laptops, mobile devices, and shared workstations used beyond the primary office.[4]
Technical safeguards
Technical safeguards should include unique user identification, MFA where appropriate, audit controls, logging, encryption, integrity protections, secure transmission, endpoint protection, and monitoring. Note that several of these, encryption among them, are "addressable" implementation specifications in the Security Rule: addressable does not mean optional, it means the organization must either implement the specification or document why an alternative is reasonable and appropriate. These controls are only meaningful if they are active, reviewed, and tied to evidence instead of assumptions.[3][4]
How should healthcare IT leaders prioritize and document risk?
Healthcare IT leaders should rank risk based on likelihood and impact, then turn those findings into a remediation plan with owners, deadlines, and evidence requirements. OCR guidance notes that organizations should consider both the probability and criticality of potential risks to confidentiality, integrity, and availability.[2]
A practical prioritization section should verify:
- the organization uses a repeatable scoring method
- critical systems and high-value ePHI workflows receive more attention
- risks are ranked before and after existing controls when possible
- remediation actions are tied to named owners
- open items have dates, dependencies, and review checkpoints
- compensating controls are documented where immediate fixes are not possible
- supporting evidence is stored for audits, insurer questions, and executive review
This is where many healthcare assessments become less useful than they should be. The document may list issues, but it does not clearly show what will happen next. A serious checklist should make the next step unavoidable.
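The prioritization rules above (score before and after controls, rank consistently, require an owner, a date and evidence) are easy to state and easy to lose in a spreadsheet. The following is an added example, not code from Datapath or from the HHS/ONC tools cited on this page. It scores a small constructed risk register on a 3x3 likelihood-by-impact scale, ranks open items by residual risk, and flags the entries that would stall a remediation plan: no owner or due date on a medium or high residual risk, controls claimed without evidence, or a residual score lower than the inherent score with no control documented to justify the reduction. The scale, the rating thresholds and the sample risks are assumptions.

```python
"""
Illustrative HIPAA risk-register scorer (added example, not Datapath's tool).

Scores inherent risk (before existing controls) and residual risk (after
existing and compensating controls), ranks open risks, and reports findings
that make an entry unusable as a remediation item. The 3x3 scale, rating
thresholds and sample register below are assumptions for illustration.
"""
from dataclasses import dataclass, field

# 3x3 likelihood/impact scale; a 5x5 scale works the same way.
LEVEL = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Risk:
    id: str
    description: str
    affects: tuple            # subset of ("C", "I", "A")
    likelihood: str           # inherent, before existing controls
    impact: str
    residual_likelihood: str  # after existing and compensating controls
    residual_impact: str
    controls: list = field(default_factory=list)
    owner: str = ""
    due: str = ""             # ISO date, "" if unassigned
    evidence: list = field(default_factory=list)
    status: str = "open"


def score(likelihood: str, impact: str) -> int:
    """Likelihood x impact on a 1..9 scale."""
    return LEVEL[likelihood] * LEVEL[impact]


def rating(value: int) -> str:
    """Map a score to a rating band (thresholds are an assumption)."""
    if value >= 6:
        return "high"
    if value >= 3:
        return "medium"
    return "low"


def inherent(r: Risk) -> int:
    return score(r.likelihood, r.impact)


def residual(r: Risk) -> int:
    return score(r.residual_likelihood, r.residual_impact)


def rank(risks: list) -> list:
    """Open risks ordered by residual score, then inherent score, descending."""
    open_risks = [r for r in risks if r.status == "open"]
    return sorted(open_risks, key=lambda r: (residual(r), inherent(r)), reverse=True)


def validate(risks: list) -> list:
    """(risk id, problem) pairs that block an entry from becoming an actionable item."""
    findings = []
    for r in risks:
        if r.status != "open":
            continue
        # A residual score below inherent is a claim that a control works; name the control.
        if residual(r) < inherent(r) and not r.controls:
            findings.append((r.id, "residual lower than inherent with no control documented"))
        # Medium and high residual risks need a named owner and a date.
        if rating(residual(r)) in ("high", "medium"):
            if not r.owner:
                findings.append((r.id, "no remediation owner"))
            if not r.due:
                findings.append((r.id, "no due date"))
        # A control without evidence is policy, not reality.
        if r.controls and not r.evidence:
            findings.append((r.id, "controls claimed but no evidence recorded"))
    return findings


# Constructed sample register (assumption: not real findings from any organization).
SAMPLE = [
    Risk("R1", "Stale privileged accounts after offboarding", ("C", "I"),
         "high", "high", "high", "high"),
    Risk("R2", "Backups never restore-tested", ("A",),
         "medium", "high", "medium", "high", controls=["nightly backup job"],
         evidence=["backup job log 2024-Q1"], owner="ops-lead"),
    Risk("R3", "Phishing leading to EHR credential theft", ("C",),
         "high", "high", "low", "high", controls=["MFA on EHR and email"],
         evidence=["IdP MFA policy export"], owner="identity-lead", due="2024-06-30"),
    Risk("R4", "Lost laptop holding cached ePHI", ("C",),
         "medium", "high", "low", "medium", owner="endpoint-lead", due="2024-05-15"),
]

if __name__ == "__main__":
    for r in rank(SAMPLE):
        print(f"{r.id} inherent={inherent(r)} residual={residual(r)} "
              f"({rating(residual(r))}) {r.description}")
    for rid, msg in validate(SAMPLE):
        print(f"finding: {rid}: {msg}")
```

Run as a script, the ranking puts R1 (stale privileged accounts, residual 9) and R2 (untested backups, residual 6) ahead of the phishing risk that MFA has reduced to residual 3, and the validation pass reports four findings: R1 has no owner and no date, R2 has no date, and R4 claims a lower residual score with no control listed. That last finding is the one a scoring spreadsheet usually misses, and it is exactly the kind of unsupported reduction an auditor or insurer will question.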
What should the checklist require for vendors, backups, and recurring review?
The checklist should require a current business associate inventory, documented BAA review, validated recovery capability, and a defined reassessment cadence. ONC and HHS both emphasize that the assessment should reveal where ePHI is at risk and feed ongoing risk management rather than serve as a one-time exercise.[1][2]
A useful resilience-and-governance section should confirm:
- all business associates that create, receive, maintain, or transmit ePHI are identified
- BAAs are current and aligned to the services provided
- vendor access is approved, limited, and reviewed
- backup scope covers critical systems containing ePHI
- restore testing is performed and documented
- downtime procedures exist for important clinical and business workflows
- logging and monitoring support ongoing control validation
- the risk assessment is refreshed after major technology, vendor, workflow, or threat changes
This is also where broader resilience work matters. Healthcare organizations benefit from related Datapath resources like Backup and Disaster Recovery: The Complete Guide for Business IT, Managed Cybersecurity Services, and the resources and guides hub. In regulated environments, compliance, uptime, and recovery readiness are tightly connected.
How should healthcare organizations use the checklist in practice?
Healthcare organizations should use the checklist as a recurring management tool, not as a one-time audit worksheet. In practice, the strongest teams run a simple rhythm:
- Refresh scope and inventory.
- Review systems, vendors, and workflows that touch ePHI.
- Identify threats, vulnerabilities, and control gaps.
- Score and rank risks consistently.
- Assign remediation owners and due dates.
- Validate backup, logging, and access-control evidence.
- Reassess after meaningful environmental changes.
That rhythm matters because HIPAA risk assessment is not just about producing a report. It is about making the environment easier to defend, easier to recover, and easier to explain.
Why Datapath for HIPAA risk assessment and healthcare IT governance?
We approach HIPAA risk assessment the same way we approach other regulated-industry IT work: by connecting requirements to operational discipline. The point is not to generate another binder. It is to make ownership clearer, controls easier to validate, and compliance conversations less reactive.
If your healthcare organization is trying to clean up identity controls, clarify vendor accountability, improve logging, reduce audit friction, or validate whether your current recovery posture actually supports patient operations, start with the Datapath homepage, review our healthcare solutions, or talk with our team about where your current operating model is creating the most risk.
Frequently Asked Questions
What is a HIPAA risk assessment checklist?
A HIPAA risk assessment checklist is a working list of review areas used to identify where ePHI exists, what threats and vulnerabilities apply, which safeguards are in place, and what remediation is needed to reduce risk over time.
Does HIPAA require a risk assessment?
Yes. The HIPAA Security Rule requires an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.[2][3]
How often should a HIPAA risk assessment be reviewed?
The Security Rule requires periodic review but sets no fixed interval, so there is no one-size-fits-all annual rule for every environment. In practice, organizations should revisit the assessment on a regular schedule and refresh it whenever systems, vendors, workflows, or threat conditions change in meaningful ways.
What is the biggest mistake healthcare IT teams make during risk assessment?
The biggest mistake is treating the assessment like a compliance artifact instead of an operating discipline. If the organization cannot show where ePHI lives, who owns the risks, what evidence supports the safeguards, and whether recovery works, the assessment is not doing enough.
Do business associates belong in the HIPAA risk assessment?
Yes. If a business associate creates, receives, maintains, or transmits ePHI on the organization’s behalf, that relationship belongs in the risk conversation along with access scope, safeguards, contractual controls, and escalation expectations.
Sources
1. ONC Security Risk Assessment Tool
2. HHS OCR: Guidance on Risk Analysis
3. 45 CFR Part 164 Subpart C, Security Standards for the Protection of Electronic Protected Health Information
4. HHS: Summary of the HIPAA Security Rule