HIPAA Risk Analysis Worksheet
A step-by-step risk analysis worksheet built on the NIST SP 800-66 Rev 2 methodology. Covers threat identification, vulnerability assessment, likelihood and impact scoring, and residual risk documentation. Required by 45 CFR §164.308(a)(1)(ii)(A).
Short answer
A risk analysis worksheet for small clinics that translates HIPAA and NIST guidance into a step-by-step threat, vulnerability, and residual-risk exercise.
What is inside
- Structured threat inventory covering ePHI access points: EHR, scheduling software, email, mobile devices, and physical records
- Likelihood × impact scoring matrix with built-in risk level categories (low / moderate / high)
- Pre-populated with the most common threats found in OCR investigations of small practices
- Residual risk documentation section — records what controls are in place after mitigation
- Annotated with the specific regulatory citations so you understand what each section maps to
We publish the same practical templates and decision tools that clinics use to structure recurring HIPAA work. No enterprise gate. No resource-library gimmicks. Just practical material delivered quickly.
Editorial details
Written by: Angel Campa
Reviewed by: PHIGuard Compliance Research
Updated: April 21, 2026
Sources
- Guidance on Risk Analysis | HHS
- NIST SP 800-66 Rev. 2 | NIST