
How to Do a HIPAA Risk Assessment for Small Medical Practices

Last updated: March 20, 2026

TLDR

A HIPAA risk assessment identifies where your practice handles electronic protected health information (ePHI), evaluates threats and vulnerabilities, and documents your safeguards. It's required annually and is the most common deficiency in OCR enforcement actions. A 10-person practice can complete one in 4-8 hours using a structured format.

Why risk assessments are the first thing OCR looks for

When the Office for Civil Rights audits a medical practice, the risk assessment is often the first document they request. It’s also the most commonly missing one.

This matters for a specific reason: the risk assessment is the foundation of your compliance program. HIPAA Security Rule §164.308(a)(1) requires every covered entity to conduct an accurate and thorough assessment of potential risks and vulnerabilities to ePHI. Without it, every other compliance step you take is built on an undocumented assumption about what your actual risks are.

OCR enforcement actions against small practices consistently cite the absence of a documented risk assessment as a primary violation. Fines start at $100 per violation and can reach $1.5 million annually per violation category.

Step 1: Identify where your practice handles ePHI

Start with a list. Every system, device, and physical location where your practice creates, receives, stores, or transmits electronic protected health information goes on it.

For most small practices, this includes: the EHR system, the scheduling platform, the billing software, email, any task management or care coordination tool, cloud file storage, workstations in exam rooms and the front desk, any staff laptops, personal smartphones used for work, tablets, and fax machines with memory.

The list is usually longer than people expect. That’s fine. A comprehensive list is the point.

Step 2: Identify threats and vulnerabilities for each

For every ePHI location, identify what could go wrong. Realistic threats for a small clinic:

  • Ransomware attack on an unpatched workstation
  • Staff member clicking a phishing link
  • Laptop stolen from a car or home office
  • Cloud storage provider experiencing a breach
  • Former employee retaining access after termination
  • Paper records left in an unsecured area

For each threat, identify the vulnerabilities that make it possible: weak or shared passwords, no multi-factor authentication, devices without disk encryption, outdated operating systems, no formal offboarding process.

You don’t need a security background to do this step. You need to look honestly at how your practice actually operates.

Step 3: Evaluate what safeguards you already have

For each threat-vulnerability pair, document what your practice currently does to mitigate it. Encryption on laptops? Multi-factor authentication on the EHR login? Regular backups? Termination checklist that includes revoking system access?

Rate how effective each safeguard is. A password policy that exists on paper but isn’t enforced deserves a different rating from one backed by technical controls that require complexity and rotation.

Step 4: Assign risk levels

Rate each identified risk high, medium, or low. Use two factors: likelihood (how probable is this threat given your current vulnerabilities) and impact (what happens if it occurs: data volume exposed, financial consequences, operational disruption).

High-likelihood, high-impact risks need remediation plans before your next quarterly review. Low-likelihood, low-impact risks can go on a longer-term roadmap.

HHS’s free Security Risk Assessment tool walks through this rating process with structured questions.

Step 5: Write a remediation plan

For every high and medium risk, document three things: what you’ll do to address it, who is responsible, and by when.

Keep this practical. “Enable full-disk encryption on all staff laptops” is a remediation action. “Implement a comprehensive endpoint security strategy” is not. It’s vague enough to remain undone indefinitely.

PHIGuard’s compliance dashboard lets you assign remediation tasks to staff members and track completion. A spreadsheet works too, as long as someone is actually updating it.

Step 6: Document and retain

Store the completed risk assessment (your ePHI inventory, threat and vulnerability analysis, risk ratings, current safeguards, and remediation plan) in your compliance files.

HIPAA requires retaining compliance records for six years. File your risk assessments by date. When OCR asks for your most recent assessment, you need to be able to produce it in minutes, not hours.

Update the assessment annually. Also update it when significant changes happen: a new EHR, an office relocation, adding a new cloud service that handles PHI, or a security incident that reveals a vulnerability you hadn’t documented.

Annual updates don’t require starting from scratch. If you keep the base assessment maintained, an update takes 2-3 hours, mostly reviewing whether anything changed since last year.
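As an added example (not PHIGuard's tool or code from this article), a small Python risk register that applies Steps 2 through 5: it rates each threat/vulnerability pair from likelihood and impact, lists any high or medium risk whose remediation plan is missing an action, owner or due date, and checks whether the assessment date falls within the past 12 months. The 3x3 scoring matrix and the sample register entries are assumptions built from the threats listed above.

```python
"""Minimal HIPAA risk register (constructed example): rates threat/vulnerability
pairs and checks that every high or medium risk has a complete remediation plan."""
from dataclasses import dataclass, field
from datetime import date, timedelta

LEVELS = {"low": 1, "medium": 2, "high": 3}

@dataclass
class Risk:
    asset: str           # where ePHI lives: EHR, laptop, cloud storage, ...
    threat: str          # what could go wrong
    vulnerability: str   # what makes the threat possible
    safeguard: str       # what the practice does about it today
    likelihood: str      # low / medium / high, given current safeguards
    impact: str          # low / medium / high
    remediation: dict = field(default_factory=dict)  # action, owner, due

def rate(likelihood: str, impact: str) -> str:
    """Combine likelihood and impact into high / medium / low.
    Assumed 3x3 matrix: product >= 6 is high, 3 or 4 is medium, else low."""
    score = LEVELS[likelihood] * LEVELS[impact]
    return "high" if score >= 6 else "medium" if score >= 3 else "low"

def plan_gaps(risks: list) -> list:
    """(asset, threat) pairs rated high or medium whose plan lacks an action,
    an owner or a due date, i.e. the three things Step 5 requires."""
    needed = ("action", "owner", "due")
    return [(r.asset, r.threat) for r in risks
            if rate(r.likelihood, r.impact) != "low"
            and not all(r.remediation.get(k) for k in needed)]

def assessment_is_current(last_completed: str, today: str) -> bool:
    """OCR expects a documented assessment dated within the past 12 months (ISO dates)."""
    age = date.fromisoformat(today) - date.fromisoformat(last_completed)
    return age <= timedelta(days=365)

REGISTER = [  # constructed sample entries using the article's threat list
    Risk("front-desk workstation", "ransomware", "unpatched OS", "none",
         "high", "high", {"action": "enable automatic OS patching",
                          "owner": "office manager", "due": "2026-06-30"}),
    Risk("staff laptop", "theft from car or home office", "no disk encryption",
         "password login only", "medium", "high"),  # no plan at all -> gap
    Risk("EHR", "former employee retains access", "no offboarding checklist",
         "manual removal when remembered", "medium", "medium",
         {"action": "add access revocation to termination checklist",
          "owner": "practice administrator"}),  # no due date -> gap
    Risk("fax machine", "paper left in unsecured area", "output tray in hallway",
         "tray moved behind front desk", "low", "low"),
]
```

Running `plan_gaps(REGISTER)` on the sample register returns the staff laptop and EHR entries, the two risks that would block a clean Step 5 review.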


DEFINITION

Risk Assessment
An evaluation of potential threats and vulnerabilities to ePHI. Required by HIPAA Security Rule §164.308(a)(1). Must be documented and updated regularly.

DEFINITION

Threat
Any natural, human, or environmental source with the potential to trigger a security incident. Examples: ransomware, employee error, hardware theft.

DEFINITION

Vulnerability
A weakness in your system or processes that increases the likelihood of a threat exploiting your ePHI.

Q&A

What is a HIPAA risk assessment?

A HIPAA risk assessment identifies all locations where your practice creates, stores, or transmits electronic PHI, evaluates potential threats and vulnerabilities to that information, and documents your safeguards and remediation plans.

Q&A

How long does a HIPAA risk assessment take?

A small practice can complete an initial risk assessment in 4-8 hours using a structured format. Annual updates take 2-3 hours if you keep the base assessment current.

Want to learn more?

How often do I need to do a HIPAA risk assessment?
At minimum annually, and whenever significant changes occur — new software, new office location, major staff changes, or a security incident. The OCR expects to see documented assessments current within the past 12 months.
Does my small practice need a consultant to do a risk assessment?
No. Small practices can complete risk assessments without a consultant using structured tools or templates. The HHS.gov Security Risk Assessment (SRA) tool is free. PHIGuard's compliance dashboard guides you through the process.
What happens if I don't have a documented risk assessment?
Missing a risk assessment is the most common deficiency in HIPAA enforcement actions. The OCR has fined practices with just one or two providers for this. Fines start at $100/violation with annual maximums up to $1.5 million.
