HIPAA SECURITY RISK ASSESSMENT

SECURITY RULE RISK ANALYSIS DOCUMENTATION

ORGANIZATION INFORMATION

Organization Name: [________________________________]

Address: [________________________________]

City, State, ZIP: [________________________________]

Organization Type:
☐ Healthcare Provider
☐ Health Plan
☐ Healthcare Clearinghouse
☐ Business Associate

NPI (if applicable): [________________________________]

ASSESSMENT INFORMATION

Assessment Date: [__/__/____]

Assessment Period Covered: [__/__/____] to [__/__/____]

Assessment Type:
☐ Initial Assessment
☐ Periodic Assessment
☐ Post-Incident Assessment
☐ Pre-Implementation Assessment
☐ Other: [________________________________]

Assessment Team:

Security Officer: [________________________________]

Contact Information: [________________________________]

SECTION 1: EXECUTIVE SUMMARY

1.1 Purpose

This Security Risk Assessment is conducted in accordance with the HIPAA Security Rule requirement at 45 CFR § 164.308(a)(1)(ii)(A) to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the organization.

1.2 Scope

This assessment covers:

☐ All electronic protected health information (ePHI) created, received, maintained, or transmitted by the organization
☐ All information systems that contain, process, or transmit ePHI
☐ All physical locations where ePHI is accessed or stored
☐ All workforce members with access to ePHI
☐ All business associates that create, receive, maintain, or transmit ePHI on behalf of the organization

1.3 Assessment Summary

Total Number of Risks Identified: [____]

Risk Distribution:

Key Findings:

[________________________________]

[________________________________]

[________________________________]

SECTION 2: ePHI INVENTORY

2.1 ePHI Data Types

Identify all types of ePHI created, received, maintained, or transmitted:

☐ Patient demographics
☐ Medical records
☐ Treatment information
☐ Prescription records
☐ Laboratory results
☐ Imaging/radiology records
☐ Billing and claims information
☐ Insurance information
☐ Appointment schedules
☐ Communications (emails, messages)
☐ Other: [________________________________]

2.2 ePHI Data Flow

How ePHI Enters the Organization:

How ePHI Flows Within the Organization:

[________________________________]

[________________________________]

How ePHI Leaves the Organization:

2.3 Systems Containing ePHI

2.4 Physical Locations

SECTION 3: THREAT AND VULNERABILITY IDENTIFICATION

3.1 Threat Sources

Natural Threats:
☐ Floods
☐ Earthquakes
☐ Tornadoes/Hurricanes
☐ Fire
☐ Power failures
☐ Other: [________________________________]

Human Threats (Intentional):
☐ Hackers/Cybercriminals
☐ Malicious insiders
☐ Terrorists
☐ Competitors
☐ Nation-state actors
☐ Social engineers
☐ Other: [________________________________]

Human Threats (Unintentional):
☐ Careless employees
☐ Untrained staff
☐ Third-party contractors
☐ Other: [________________________________]

Environmental Threats:
☐ HVAC failures
☐ Water damage
☐ Structural failures
☐ Hazardous material release
☐ Other: [________________________________]

3.2 Vulnerability Categories

Administrative Vulnerabilities:
☐ Lack of security policies
☐ Inadequate training
☐ No incident response plan
☐ Poor access management
☐ Lack of risk management
☐ Insufficient audit procedures
☐ Other: [________________________________]

Physical Vulnerabilities:
☐ Inadequate facility access controls
☐ Unsecured workstations
☐ Lack of visitor controls
☐ Poor disposal practices
☐ Inadequate environmental controls
☐ Other: [________________________________]

Technical Vulnerabilities:
☐ Unpatched systems
☐ Weak passwords
☐ Lack of encryption
☐ Inadequate access controls
☐ No intrusion detection
☐ Insufficient logging
☐ Vulnerable network architecture
☐ Other: [________________________________]

SECTION 4: ADMINISTRATIVE SAFEGUARDS ASSESSMENT

4.1 Security Management Process (§ 164.308(a)(1))

Risk Analysis - 45 CFR § 164.308(a)(1)(ii)(A) [REQUIRED]

Risk Management - 45 CFR § 164.308(a)(1)(ii)(B) [REQUIRED]

Sanction Policy - 45 CFR § 164.308(a)(1)(ii)(C) [REQUIRED]

Information System Activity Review - 45 CFR § 164.308(a)(1)(ii)(D) [REQUIRED]

4.2 Assigned Security Responsibility (§ 164.308(a)(2)) [REQUIRED]

Security Official Name: [________________________________]

4.3 Workforce Security (§ 164.308(a)(3))

Authorization and/or Supervision - 45 CFR § 164.308(a)(3)(ii)(A) [ADDRESSABLE]

Workforce Clearance Procedure - 45 CFR § 164.308(a)(3)(ii)(B) [ADDRESSABLE]

Termination Procedures - 45 CFR § 164.308(a)(3)(ii)(C) [ADDRESSABLE]

4.4 Information Access Management (§ 164.308(a)(4))

Isolating Healthcare Clearinghouse Functions - 45 CFR § 164.308(a)(4)(ii)(A) [REQUIRED]

Access Authorization - 45 CFR § 164.308(a)(4)(ii)(B) [ADDRESSABLE]

Access Establishment and Modification - 45 CFR § 164.308(a)(4)(ii)(C) [ADDRESSABLE]

4.5 Security Awareness and Training (§ 164.308(a)(5))

Security Reminders - 45 CFR § 164.308(a)(5)(ii)(A) [ADDRESSABLE]

Protection from Malicious Software - 45 CFR § 164.308(a)(5)(ii)(B) [ADDRESSABLE]

Log-in Monitoring - 45 CFR § 164.308(a)(5)(ii)(C) [ADDRESSABLE]

Password Management - 45 CFR § 164.308(a)(5)(ii)(D) [ADDRESSABLE]

4.6 Security Incident Procedures (§ 164.308(a)(6))

Response and Reporting - 45 CFR § 164.308(a)(6)(ii) [REQUIRED]

4.7 Contingency Plan (§ 164.308(a)(7))

Data Backup Plan - 45 CFR § 164.308(a)(7)(ii)(A) [REQUIRED]

Disaster Recovery Plan - 45 CFR § 164.308(a)(7)(ii)(B) [REQUIRED]

Emergency Mode Operation Plan - 45 CFR § 164.308(a)(7)(ii)(C) [REQUIRED]

Testing and Revision Procedures - 45 CFR § 164.308(a)(7)(ii)(D) [ADDRESSABLE]

Applications and Data Criticality Analysis - 45 CFR § 164.308(a)(7)(ii)(E) [ADDRESSABLE]

4.8 Evaluation (§ 164.308(a)(8)) [REQUIRED]

SECTION 5: PHYSICAL SAFEGUARDS ASSESSMENT

5.1 Facility Access Controls (§ 164.310(a)(1))

Contingency Operations - 45 CFR § 164.310(a)(2)(i) [ADDRESSABLE]

Facility Security Plan - 45 CFR § 164.310(a)(2)(ii) [ADDRESSABLE]

Access Control and Validation Procedures - 45 CFR § 164.310(a)(2)(iii) [ADDRESSABLE]

Maintenance Records - 45 CFR § 164.310(a)(2)(iv) [ADDRESSABLE]

5.2 Workstation Use (§ 164.310(b)) [REQUIRED]

5.3 Workstation Security (§ 164.310(c)) [REQUIRED]

5.4 Device and Media Controls (§ 164.310(d)(1))

Disposal - 45 CFR § 164.310(d)(2)(i) [REQUIRED]

Media Re-Use - 45 CFR § 164.310(d)(2)(ii) [REQUIRED]

Accountability - 45 CFR § 164.310(d)(2)(iii) [ADDRESSABLE]

Data Backup and Storage - 45 CFR § 164.310(d)(2)(iv) [ADDRESSABLE]

SECTION 6: TECHNICAL SAFEGUARDS ASSESSMENT

6.1 Access Control (§ 164.312(a)(1))

Unique User Identification - 45 CFR § 164.312(a)(2)(i) [REQUIRED]

Emergency Access Procedure - 45 CFR § 164.312(a)(2)(ii) [REQUIRED]

Automatic Logoff - 45 CFR § 164.312(a)(2)(iii) [ADDRESSABLE]

Encryption and Decryption - 45 CFR § 164.312(a)(2)(iv) [ADDRESSABLE]

6.2 Audit Controls (§ 164.312(b)) [REQUIRED]

6.3 Integrity (§ 164.312(c)(1))

Mechanism to Authenticate ePHI - 45 CFR § 164.312(c)(2) [ADDRESSABLE]

6.4 Person or Entity Authentication (§ 164.312(d)) [REQUIRED]

6.5 Transmission Security (§ 164.312(e)(1))

Integrity Controls - 45 CFR § 164.312(e)(2)(i) [ADDRESSABLE]

Encryption - 45 CFR § 164.312(e)(2)(ii) [ADDRESSABLE]

SECTION 7: RISK ASSESSMENT MATRIX

7.1 Risk Scoring Methodology

Likelihood Scale:

Impact Scale:

Risk Level Matrix:

7.2 Identified Risks

SECTION 8: RISK MANAGEMENT PLAN

8.1 Risk Response Options

For each identified risk, document the selected response:

☐ Mitigate - Implement controls to reduce risk
☐ Accept - Accept the risk with management approval
☐ Transfer - Transfer risk through insurance or contracts
☐ Avoid - Eliminate the risk by removing the source

8.2 Risk Treatment Plan

SECTION 9: APPROVAL AND CERTIFICATION

Assessment Certification

I certify that this Security Risk Assessment has been conducted in accordance with 45 CFR § 164.308(a)(1)(ii)(A) and represents an accurate and thorough assessment of potential risks and vulnerabilities to ePHI.

Assessed by:

Name: [________________________________]

Title: [________________________________]

Date: [__/__/____]

Signature: [________________________________]

Reviewed by:

Name: [________________________________]

Title: [________________________________]

Date: [__/__/____]

Signature: [________________________________]

Approved by:

Name: [________________________________]

Title: [________________________________]

Date: [__/__/____]

Signature: [________________________________]

SECTION 10: NEXT STEPS

☐ Review and approve risk management plan
☐ Implement high-priority risk mitigation measures
☐ Update policies and procedures as needed
☐ Conduct workforce training
☐ Schedule follow-up assessment
☐ Document residual risks

Next Assessment Date: [__/__/____]

SOURCES AND REFERENCES

• HHS Guidance on Risk Analysis
• 45 CFR § 164.308 - Administrative safeguards
• eCFR Part 164 Subpart C - Security Standards
• HIPAA Journal - HIPAA Risk Assessment
• HHS Security Series - Administrative Safeguards