
How to Do a HIPAA Risk Assessment Yourself: A Step-by-Step Guide for Small Practices

June 11, 2026 · 7 min read

If you run a small healthcare practice, you have probably been told you need a HIPAA risk assessment and left wondering what that means, how to do one, and whether you really have to pay thousands of dollars for it. Short answer: yes, you are required to do one, and no, you do not have to hire a consultant to get started. This guide walks you through exactly how to complete a HIPAA security risk assessment yourself, in plain English.

What is a HIPAA risk assessment (and why it matters)

A HIPAA security risk assessment, also called a risk analysis, is a documented review of where the electronic protected health information (ePHI) your practice holds lives, what threatens it, how well your current safeguards protect it, and where those safeguards fall short. The HIPAA Security Rule requires it (45 CFR 164.308(a)(1)(ii)(A)) of every covered entity and business associate that creates, receives, maintains, or transmits ePHI.

It matters for two reasons. First, it is the law. Second, it is the very first document the HHS Office for Civil Rights asks for if your practice is ever investigated after a complaint or a data breach. Practices that can produce a current, documented risk assessment are in a far stronger position than those that cannot.

A risk assessment is not a one-time task. The Security Rule requires that it be reviewed and updated periodically; once a year is the accepted benchmark, and you should also revisit it after any major change, such as new software, an office move, or a security incident.

Common myths that keep practices stuck

  • We are too small to be a target. Small practices are targeted precisely because their defenses tend to be weaker. Many breaches start with a phishing email or a message sent to the wrong address, not a sophisticated hacker.
  • Our EHR vendor handles HIPAA for us. Your vendor secures their platform. You are still responsible for how your practice uses it, who has access, and what happens on your devices.
  • We did one years ago, so we are covered. An outdated assessment is treated almost the same as having none. It must be current.

How to do a HIPAA risk assessment yourself, step by step

Step 1: Inventory where your patient data lives

You cannot protect what you have not located. List every system, device, and service that touches ePHI: your EHR, email, file storage, backup, staff laptops and phones, and even your website intake forms. For each, note whether it stores patient data, whether it is cloud or on-site, and whether you have a signed Business Associate Agreement (BAA) with the vendor.

Step 2: Identify the threats and vulnerabilities

For each item in your inventory, ask what could go wrong: a stolen laptop, a phishing email, a misconfigured sharing setting, a lost phone, ransomware. The goal is an honest list of the ways patient data could be exposed.

Step 3: Assess the risk of each one

Rate every threat by how likely it is to happen and how damaging it would be if it did. A simple 1-to-5 scale for each works well. Multiply likelihood by impact to get a risk score from 1 to 25, then sort from highest to lowest. This tells you what to fix first instead of trying to do everything at once, and the recorded ratings are your evidence that the prioritization was deliberate.

Step 4: Check your actual security settings

Most ePHI in a small practice lives in Microsoft 365 or Google Workspace. Confirm the basics are in place: multi-factor authentication enforced for every account, a signed BAA with Microsoft or Google, audit logging turned on, no automatic forwarding of mail to addresses outside your own domain, and a real third-party backup (the built-in retention and recycle bins of either platform are not a backup of your tenant's data). Each gap here is a finding.

Step 5: Write down your plan to fix the gaps

For every gap, record the action, who owns it, and a target date. This remediation plan is just as important as the assessment itself, because it proves you are actively reducing risk, which is exactly what regulators want to see.

Step 6: Document everything and repeat annually

Save your completed assessment, your remediation plan, and the date. HIPAA requires you to keep this documentation for at least six years from the date it was created or was last in effect, whichever is later. Then put a reminder on your calendar to do it again next year.
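The six steps above carried through end to end, as an added worked example in Python. This is not code from the page or from Spartan Tek Solutions: the assets, users, tenant settings and the domain practice.example are constructed sample data, and the score bands and the 30/90/180-day remediation targets are the example's own assumptions, not Security Rule requirements. It builds the Step 1 inventory and flags vendors holding ePHI without a BAA, lists Step 2 threats with 1-5 ratings, computes and sorts the Step 3 scores, runs the Step 4 checks over a snapshot of tenant settings (MFA, audit logging, external auto-forwarding, backup), and writes the dated Step 5 plan with the Step 6 review and retention dates.

```python
"""Minimal HIPAA risk-assessment workbook: inventory, threats, scoring, findings, plan.
Added example, not tooling from this page or from Spartan Tek Solutions. Assets, users,
settings and the domain 'practice.example' are constructed sample data; the score bands
and 30/90/180-day targets are this example's assumptions, not Security Rule requirements."""
from dataclasses import dataclass
from datetime import date, timedelta

PRACTICE_DOMAIN = "practice.example"  # assumed: the practice's own email domain


@dataclass
class Asset:  # Step 1: one row of the inventory
    name: str
    stores_ephi: bool
    cloud: bool  # True = hosted by a vendor, False = on-site
    baa_signed: bool


@dataclass
class Threat:  # Step 2: one way an asset's ePHI could be exposed
    asset: str
    description: str
    likelihood: int  # 1 (rare) .. 5 (expected)
    impact: int  # 1 (minor) .. 5 (severe, reportable breach)

    def score(self) -> int:  # Step 3: likelihood x impact, range 1..25
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be on the 1-5 scale")
        return self.likelihood * self.impact


def inventory_findings(assets: list[Asset]) -> list[str]:
    """Step 1 check: any outside vendor that holds ePHI needs a signed BAA."""
    return [f"No BAA on file for cloud service holding ePHI: {a.name}"
            for a in assets if a.stores_ephi and a.cloud and not a.baa_signed]


def tenant_findings(settings: dict) -> list[str]:
    """Step 4 check over a (constructed) snapshot of Microsoft 365 / Google Workspace settings."""
    gaps = []
    if not settings["audit_logging"]:
        gaps.append("Audit logging is not turned on")
    if not settings["third_party_backup"]:
        gaps.append("No third-party backup of mail and files")
    for u in settings["users"]:
        if not u["mfa"]:
            gaps.append(f"MFA not enforced for {u['email']}")
        fwd = u.get("forwarding_to")
        if fwd and not fwd.lower().endswith("@" + PRACTICE_DOMAIN):  # in-domain forwarding is fine
            gaps.append(f"Auto-forwarding to an outside address: {u['email']} -> {fwd}")
    return gaps


def due_in_days(score: int) -> int:
    """Assumed triage bands so the worst risks get the earliest target dates."""
    return 30 if score >= 15 else 90 if score >= 8 else 180


def years_later(d: date, n: int) -> date:
    try:
        return d.replace(year=d.year + n)
    except ValueError:  # Feb 29 with no leap day in the target year
        return d.replace(year=d.year + n, day=28)


def build_assessment(assets, threats, settings, owner, today):
    """Steps 3, 5 and 6: rank threats, collect gaps, write the dated record and plan."""
    ranked = sorted(threats, key=lambda t: t.score(), reverse=True)
    gaps = inventory_findings(assets) + tenant_findings(settings)
    plan = [{"action": f"Mitigate: {t.description} ({t.asset})", "owner": owner,
             "score": t.score(), "due": today + timedelta(days=due_in_days(t.score()))}
            for t in ranked]
    # assumption: a missing baseline control is scored as a high risk (20) by default
    plan += [{"action": f"Fix: {g}", "owner": owner, "score": 20,
              "due": today + timedelta(days=due_in_days(20))} for g in gaps]
    return {"assessment_date": today,
            "next_review": years_later(today, 1),  # re-assess annually
            "retain_until": years_later(today, 6),  # six-year documentation retention
            "ranked_threats": [(t.asset, t.description, t.score()) for t in ranked],
            "gaps": gaps, "plan": plan}


ASSETS = [  # constructed inventory
    Asset("EHR (cloud vendor)", True, True, True),
    Asset("Microsoft 365 mail and OneDrive", True, True, True),
    Asset("Website intake form (hosted)", True, True, False),
    Asset("Front-desk laptop", True, False, False),  # on-site, so no vendor BAA applies
]
THREATS = [  # constructed threat list with 1-5 likelihood and impact ratings
    Threat("Front-desk laptop", "Laptop stolen while unencrypted", 3, 5),
    Threat("Microsoft 365 mail and OneDrive", "Staff member phished, mailbox taken over", 4, 4),
    Threat("Website intake form (hosted)", "Submissions held by a vendor with no BAA", 2, 4),
    Threat("EHR (cloud vendor)", "Ransomware on a workstation with EHR access", 2, 5),
]
SETTINGS = {"audit_logging": False, "third_party_backup": False,  # constructed tenant snapshot
            "users": [{"email": "dr.lee@practice.example", "mfa": True},
                      {"email": "frontdesk@practice.example", "mfa": False,
                       "forwarding_to": "frontdesk@gmail.example"}]}


def sample_assessment() -> dict:
    return build_assessment(ASSETS, THREATS, SETTINGS, "Office manager", date(2026, 6, 11))


if __name__ == "__main__":
    for item in sample_assessment()["plan"]:
        print(item["due"], item["score"], item["owner"], item["action"])
```

Running it prints the remediation plan with the phished-mailbox threat (score 16) and the unencrypted laptop (15) due first, followed by the five configuration and BAA gaps; swap the constructed inventory, threats and settings for your own and the sorted plan is the document you file for the year.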

Do it yourself, but not from a blank page

The Spartan Shield HIPAA Compliance Kit gives you a fillable risk assessment workbook that scores your risk automatically, plus the policies, training, and breach plan that round out a complete program. Finish it this week for a fraction of what a consultant costs.

See the HIPAA Compliance Kit

Frequently asked questions

How often do I need a HIPAA risk assessment?

At least once a year is the accepted benchmark (the Security Rule itself says "periodically"), and any time something significant changes in your practice.

Can I really do it without a consultant?

Yes. The Security Rule does not require an outside consultant. It requires that the assessment be thorough and documented. A good template makes that very achievable for a small practice.

Is a HIPAA risk assessment the same as being HIPAA compliant?

No. The risk assessment is the foundation, but full compliance also requires written policies, staff training, a breach response plan, and keeping it all current.

What happens if I do not have one?

If you are investigated, the absence of a risk assessment is a serious finding on its own and can significantly increase penalties.

Written by Spartan Tek Solutions, IT and security for small practices.

Have a question? Talk to us