A HIPAA risk assessment, formally called a security risk analysis, is a required evaluation of the threats and vulnerabilities to electronic protected health information (ePHI) within your organization. It’s required under the HIPAA Security Rule’s Security Management Process standard, which mandates an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. If you’re a covered entity or a business associate that touches ePHI in any way, this isn’t optional — and it’s the requirement HHS’ Office for Civil Rights reports organizations struggle with most.
What a HIPAA Risk Assessment Actually Is
The requirement comes directly from federal regulation, not industry best practice. It originates in 45 CFR § 164.308, the Security Management Process standard within the HIPAA Security Rule. The objective, as outlined in the General Rules at 45 CFR § 164.306, is to ensure the confidentiality, integrity, and availability of all electronic PHI an organization creates, receives, maintains, or transmits, and to protect against reasonably anticipated threats, hazards, and impermissible uses or disclosures.
In practice, that means systematically identifying: where ePHI lives across your systems, what could threaten its confidentiality or integrity, how likely each threat is, and what safeguards are already in place versus what’s missing.
There’s a second, related requirement worth knowing about: the HIPAA Breach Notification Rule, at 45 CFR § 164.402, also requires a risk assessment, but only after an impermissible acquisition, access, use, or disclosure of unsecured PHI, to determine whether the event must be reported to HHS and affected individuals. That’s a different, narrower assessment than the proactive annual risk analysis this post is about; don’t confuse the two.
What It’s Not
A HIPAA risk assessment is not a one-time project you complete and file away. It’s not a generic security questionnaire. And it’s not the same thing as HIPAA “certification”: there is no such thing as official HIPAA certification issued by HHS. Anyone claiming to “certify” you as HIPAA compliant is using marketing language, not a real designation.
It’s also not optional based on company size. Small practices, large hospital systems, and the software vendors and contractors who handle PHI on their behalf — business associates — all carry the same underlying obligation.
Who Actually Needs One
Two categories are covered:
- Covered entities — healthcare providers, health plans, and healthcare clearinghouses that create or transmit PHI directly.
- Business associates — any vendor, contractor, or software platform that creates, receives, maintains, or transmits PHI on behalf of a covered entity. This is the category that catches a lot of health-tech SaaS companies off guard. If your platform stores or processes patient data for a healthcare client, you’re very likely a business associate under HIPAA, regardless of whether you think of yourself as a “healthcare company.”
Why This Is More Urgent Right Now Than It’s Been in a Decade
This requirement isn’t new, but the stakes around it are shifting. HHS proposed sweeping changes to the HIPAA Security Rule in December 2025, the first major update to HIPAA security standards since 2013. The proposed changes include mandatory encryption of all ePHI at rest and in transit, required multi-factor authentication for ePHI access, 72-hour incident notification to HHS, annual penetration testing, and vulnerability scanning every six months.
Importantly: as of June 2026, no final rule has been issued. The proposed rule was published in the Federal Register on January 6, 2025, with the public comment period closing March 7, 2025, but OCR has not yet finalized it. OCR continues to enforce the current Security Rule, under which risk analysis remains the most frequently cited deficiency in OCR investigations.
The practical guidance here matters: don’t try to implement every proposed change simultaneously; that’s a path to incomplete implementation and burned-out staff. Prioritize based on risk: start with your risk assessment, since it identifies everything else you need to do, then address encryption and MFA as the highest-impact technical controls. Whatever shape the final rule takes, your risk assessment is the document that tells you where you actually stand against it.
What Happens If You Don’t Have One — Or It’s Outdated
Organizations that fail to comply with the HIPAA Security Rule can be fined by HHS’ Office for Civil Rights and state attorneys general, and that outcome is more likely in the absence of a thorough risk assessment. Noncompliant organizations can also face civil claims from affected individuals, using HIPAA’s expected duty of care to support negligence or breach-of-contract claims.
In other words, the risk assessment isn’t just a compliance artifact; it’s frequently the deciding factor in how an enforcement action or a lawsuit gets resolved, because it demonstrates whether you took the obligation seriously before something went wrong.
What a Properly Run Risk Assessment Should Produce
A real risk assessment isn’t a checkbox exercise. It should produce: a documented inventory of where ePHI lives across your systems, an honest evaluation of threats and current safeguards, a prioritized list of gaps, and a remediation plan with realistic timelines, not just a PDF that proves you “did something” if HHS ever asks.
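As an added example (not code from the original post), here is a small risk register in Python that takes a constructed ePHI inventory, checks each system against the safeguards named above (encryption at rest and in transit, MFA, six-monthly vulnerability scans, annual penetration tests) and ranks the resulting gaps by likelihood × impact so remediation can be prioritized by risk, as the post recommends. The likelihood weights, impact bands and inventory are my assumptions for illustration only.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Gap names map to the control checks this post lists from the proposed
# Security Rule update; the likelihood weights (1-5) are my assumptions.
LIKELIHOOD = {
    "encrypt ePHI at rest": 4,
    "encrypt ePHI in transit": 4,
    "enforce MFA for ePHI access": 5,
    "vulnerability scan older than 6 months": 3,
    "penetration test older than 12 months": 2,
}

@dataclass
class EphiSystem:
    name: str
    records: int                  # patient records held on the system
    encrypted_at_rest: bool
    encrypted_in_transit: bool
    mfa_enforced: bool
    last_vuln_scan: date | None   # None means never performed
    last_pentest: date | None

def impact(system: EphiSystem) -> int:
    """Impact 1-5 from record count; the bands are an assumed scale."""
    return 1 if system.records < 500 else 3 if system.records < 10_000 else 5

def stale(d: date | None, max_days: int, today: date) -> bool:
    return d is None or (today - d).days > max_days

def find_gaps(system: EphiSystem, today: date) -> list[str]:
    """Safeguards missing on one system, named as keys of LIKELIHOOD."""
    checks = [
        ("encrypt ePHI at rest", not system.encrypted_at_rest),
        ("encrypt ePHI in transit", not system.encrypted_in_transit),
        ("enforce MFA for ePHI access", not system.mfa_enforced),
        ("vulnerability scan older than 6 months", stale(system.last_vuln_scan, 183, today)),
        ("penetration test older than 12 months", stale(system.last_pentest, 365, today)),
    ]
    return [gap for gap, missing in checks if missing]

def prioritized_gaps(inventory: list[EphiSystem], today: date) -> list[tuple]:
    """Risk register rows (system, gap, likelihood x impact), highest risk first."""
    rows = [(s.name, g, LIKELIHOOD[g] * impact(s))
            for s in inventory for g in find_gaps(s, today)]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))

# Constructed inventory for a small practice; not real systems or data.
TODAY = date(2026, 6, 1)
INVENTORY = [
    EphiSystem("ehr-db", 42_000, True, True, False, date(2026, 3, 1), date(2025, 2, 1)),
    EphiSystem("billing-share", 8_000, False, True, True, None, None),
    EphiSystem("intake-laptop", 120, False, True, False, date(2026, 5, 15), None),
]
```

Running `prioritized_gaps(INVENTORY, TODAY)` puts the missing MFA on the 42,000-record EHR database at the top and the overdue pentest on the 120-record laptop at the bottom, which is the ordering a remediation plan with realistic timelines should follow.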
If you handle PHI, directly or as a business associate, and your last risk assessment is more than a year old (or doesn’t exist), now is the time to fix that.
FAQ
Q: Is a HIPAA risk assessment legally required?
A: Yes. The HIPAA Security Rule’s Security Management Process standard (45 CFR § 164.308) requires covered entities and business associates to conduct an accurate and thorough assessment of risks and vulnerabilities to ePHI. It’s not optional or industry best practice — it’s a federal regulatory requirement.
Q: How often do I need to do a HIPAA risk assessment?
A: There’s no fixed federal interval specified in the current rule, but annual reassessment — and reassessment after any major environmental or system change — is standard practice and is explicitly recommended under proposed updates to the rule.
Q: Does HIPAA certification exist?
A: No. There is no official HIPAA certification issued by HHS. Any vendor claiming to “certify” your organization as HIPAA compliant is using marketing language — what actually exists is a documented risk assessment and a demonstrated compliance program.
Q: Do software vendors need a HIPAA risk assessment if they’re not a healthcare company?
A: Yes, if they qualify as a business associate — meaning they create, receive, maintain, or transmit PHI on behalf of a covered entity. Many health-tech SaaS platforms fall into this category without realizing it.
Q: What’s changing with the HIPAA Security Rule in 2026?
A: As of June 2026, HHS has proposed but not finalized sweeping changes, including mandatory encryption, required MFA, 72-hour breach notification to HHS, annual penetration testing, and twice-yearly vulnerability scanning. The current rule remains in effect and enforced until a final rule is issued.
Q: What happens if my risk assessment is outdated or missing?
A: You become more exposed to fines from HHS’ Office for Civil Rights and state attorneys general, and to civil claims from affected individuals in the event of a breach or audit — since the absence of a thorough risk assessment is itself treated as a compliance failure.