Valtik Studios
Free Resource · HIPAA 45 CFR 164.308

HIPAA Risk Analysis Template

The document the HHS Office for Civil Rights (OCR) asks for first in any investigation. Use this template to produce a defensible risk analysis that maps to the Security Rule requirements.

Why risk analysis is the foundation

HIPAA Security Rule 45 CFR 164.308(a)(1)(ii)(A) requires an "accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information." OCR has consistently cited missing or inadequate risk analyses as the most common reason for HIPAA enforcement actions.

A proper risk analysis has six sections. Use the structure below and populate each section with data from your actual environment, not generic placeholder text.

Section 1: ePHI asset inventory

List every system that stores, processes, or transmits electronic Protected Health Information. Columns to include:

  • System name and description
  • Vendor or internal owner
  • Categories of ePHI handled (demographics, diagnosis, treatment, billing, imaging, genetic)
  • Data volume (number of individuals, records)
  • Access method (web, API, VPN, physical)
  • User population (internal workforce, contractors, patients, Business Associates)
  • Hosting model (on-premises, cloud, hybrid)
  • Data retention period

Section 2: threats and vulnerabilities

For each asset, enumerate relevant threats and vulnerabilities. Use NIST SP 800-30 Revision 1 as your methodology reference. At minimum, consider:

  • External threats: ransomware, phishing, business email compromise, exploit of internet-facing services, supply chain compromise
  • Internal threats: workforce misuse, insider theft, accidental disclosure, departing employee data exfiltration
  • Environmental threats: natural disaster, power loss, facility incident, pandemic
  • Technical vulnerabilities: unpatched systems, weak authentication, missing MFA, unencrypted transmission, inadequate logging
  • Administrative vulnerabilities: missing policies, inadequate training, weak access review, unvetted Business Associates (no BAA, no due diligence)
  • Physical vulnerabilities: facility access, workstation security, media handling, device disposal

Section 3: likelihood and impact scoring

Score each threat-vulnerability pair for likelihood and impact before taking existing controls into account (inherent risk); Section 5 adjusts for controls. Use a 3x3 or 5x5 matrix depending on organization maturity, and apply the same matrix to every pair. The scoring does not need to be mathematically precise — it needs to be defensible and consistently applied.

Likelihood scale:

  • High — Expected to occur within 12 months based on industry data and your environment
  • Medium — Plausible within 12 months but not expected
  • Low — Possible but unlikely within 12 months

Impact scale:

  • High — Significant disclosure of ePHI, operational disruption, regulatory exposure, or financial loss
  • Medium — Limited disclosure, partial operational impact, moderate regulatory or financial exposure
  • Low — Minimal disclosure, minor operational impact, low regulatory or financial exposure

Section 4: existing controls

For each risk, document what controls are currently in place. Map to the three HIPAA safeguard categories:

  • Administrative (164.308): workforce training, access management procedures, incident response plan, contingency plan, BAA program
  • Physical (164.310): facility access controls, workstation security, device and media controls, disposal procedures
  • Technical (164.312): access control, audit controls, integrity controls, authentication, transmission security

Section 5: residual risk

Residual risk is the risk that remains after the existing controls from Section 4 are accounted for. This is the risk level OCR and your compliance team will focus on. For every residual risk that is Medium or High:

  • Document why it is not reduced further
  • Specify additional controls being considered
  • Assign an owner and target date
  • Note if the risk is being accepted (with management approval)
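As a worked example of Sections 3 to 5, added here and not part of the template itself, the following Python scores a small constructed register against a 3x3 matrix, applies an assumed rule (each effective existing control lowers likelihood by one step) to derive residual risk, and flags every Medium or High residual risk that has neither an owner with a target date nor a documented management acceptance. The matrix cells, the one-step reduction rule, and the sample systems are all assumptions chosen for illustration; substitute your own agreed matrix and real inventory.

```python
from dataclasses import dataclass, field
from typing import List, Optional

LEVELS = ("Low", "Medium", "High")

# 3x3 matrix from Section 3, keyed by (likelihood, impact). The cell values
# are a constructed assumption; any matrix is acceptable as long as the same
# one is applied to every threat-vulnerability pair.
MATRIX = {
    ("Low", "Low"): "Low",     ("Low", "Medium"): "Low",       ("Low", "High"): "Medium",
    ("Medium", "Low"): "Low",  ("Medium", "Medium"): "Medium", ("Medium", "High"): "High",
    ("High", "Low"): "Medium", ("High", "Medium"): "High",     ("High", "High"): "High",
}


@dataclass
class Risk:
    asset: str                                     # Section 1 inventory entry
    threat: str                                    # Section 2 threat
    vulnerability: str                             # Section 2 vulnerability
    likelihood: str                                # Section 3, before controls
    impact: str                                    # Section 3
    controls: List[str] = field(default_factory=list)  # Section 4, effective controls only
    owner: Optional[str] = None                    # Section 5/6 treatment owner
    target_date: Optional[str] = None              # Section 6 target completion
    accepted_by: Optional[str] = None              # Section 5 management acceptance


def risk_level(likelihood: str, impact: str) -> str:
    """Look up the matrix cell, rejecting values outside the agreed scale so
    that inconsistent scoring (a common OCR finding) fails loudly."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"scores must be one of {LEVELS}: {likelihood!r}, {impact!r}")
    return MATRIX[(likelihood, impact)]


def residual_likelihood(likelihood: str, controls: List[str]) -> str:
    """Assumed rule: each effective existing control lowers likelihood by one
    step, never below Low. Impact is left unchanged because the Section 4
    controls mostly reduce how often an event occurs, not its consequence."""
    idx = LEVELS.index(likelihood) - len(controls)
    return LEVELS[max(idx, 0)]


def residual_level(risk: Risk) -> str:
    return risk_level(residual_likelihood(risk.likelihood, risk.controls), risk.impact)


def register_gaps(risks: List[Risk]) -> List[str]:
    """Section 5 check: every Medium or High residual risk needs either an
    owner plus target date or a documented management acceptance."""
    gaps = []
    for r in risks:
        level = residual_level(r)
        if level not in ("Medium", "High"):
            continue
        treated = bool(r.owner and r.target_date)
        if not treated and not r.accepted_by:
            gaps.append(f"{r.asset} / {r.threat}: residual {level} with no owner, "
                        "target date, or documented acceptance")
    return gaps


# Constructed sample register; these are not real systems or findings.
SAMPLE = [
    Risk("EHR (vendor-hosted)", "ransomware", "no MFA on remote access",
         "High", "High", ["EDR on all endpoints"],
         owner="Security Officer", target_date="2025-09-30"),
    Risk("Imaging archive", "exploit of internet-facing service",
         "unpatched DICOM gateway", "Medium", "High"),
    Risk("Legacy lab analyzer", "exploit of unpatched OS", "vendor cannot patch",
         "High", "Medium", ["network segmentation"], accepted_by="CIO, 2025-06-01"),
    Risk("Backup tapes", "media loss in transit", "unencrypted tapes",
         "Low", "Medium"),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(f"{r.asset:24} inherent={risk_level(r.likelihood, r.impact):6} "
              f"residual={residual_level(r)}")
    for gap in register_gaps(SAMPLE):
        print("GAP:", gap)
```

Run on the sample register, the EHR risk stays High after its single control but is owned and dated, the lab analyzer drops to Medium and is formally accepted, and only the imaging archive is reported as a gap. The register is the data to keep; the narrative document OCR expects should explain each residual score, not just list it.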

Section 6: remediation plan

For each residual risk being actively remediated:

  • Specific control being implemented
  • Responsible party
  • Target completion date
  • Evidence of completion (what will prove the control is operating)
  • Verification method (who confirms it works)

Update cadence

A risk analysis is not a one-time document. OCR guidance treats the 45 CFR 164.308(a)(1)(ii)(A) risk analysis as an ongoing process, and 45 CFR 164.316(b)(2)(iii) requires documentation to be reviewed periodically and updated in response to environmental or operational changes. At minimum:

  • Annual comprehensive update
  • Targeted update after any material change (new system, new Business Associate, new regulation, incident)
  • Review after any security incident, whether reportable or not

OCR audit-ready version

The version OCR wants to see is a written document with version history, explicit approvals from the Privacy Officer and Security Officer, and evidence of board or executive review. A spreadsheet of scores without narrative context is not sufficient on its own; a narrative document (a PDF is fine) that carries that version history and the Security Officer's signature is, with the scoring spreadsheet attached as supporting evidence.

Common OCR findings from risk analyses:

  • Asset inventory incomplete (missing Business Associate systems, missing shadow IT)
  • Threat enumeration too generic (copied unchanged from a template)
  • Likelihood scoring inconsistent across assets
  • Residual risk not addressed
  • No update cadence documented
