HIPAA Risk Assessment: What It Is And How To Conduct One
If you're building a digital health product, you've probably heard the term thrown around in sales calls with hospital IT teams: what is hipaa risk assessment, and why does everyone act like your deal depends on it? A HIPAA risk assessment is a documented review of where patient data lives in your systems, what could go wrong with it, and what you're doing to stop that. It's not optional paperwork. It's a required component of the HIPAA Security Rule, and health systems will ask for evidence of it before they let your app touch EPIC data.
Skip it, and you're not just exposed to fines. You're stuck at the negotiating table while a competitor with a completed assessment moves straight to contract. The goal here is simple: show you exactly what auditors and covered entities expect to see, and how a proper risk analysis actually gets built.
This article walks through what counts as a valid HIPAA risk assessment, who needs one, and the concrete steps to conduct one yourself, from identifying protected health information (PHI) touchpoints to documenting your safeguards. We'll also cover how vendors integrating with EPIC can fold this work into their broader compliance strategy instead of treating it as a separate, painful project.
Why a HIPAA risk assessment matters
Every covered entity and business associate handling protected health information has to run this exercise, and the requirement doesn't come from some vague best-practice guide. It comes directly from the HIPAA Security Rule, specifically 45 CFR § 164.308(a)(1)(ii)(A), which requires organizations to "conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability" of electronic PHI. Ignore that requirement and you're not just cutting a corner. You're operating outside the law while telling health systems your product is ready for their patient data.
It's a legal requirement, not a suggestion
The Department of Health and Human Services treats the risk assessment as the foundation for every other Security Rule safeguard you implement. You can't reasonably choose access controls, encryption standards, or audit logging without first knowing where your vulnerabilities sit. HHS publishes detailed guidance on this exact process, and its Office for Civil Rights (OCR) uses that guidance as the baseline when investigating breaches or conducting audits (see the HHS Security Rule guidance). If you can't produce a documented risk analysis when OCR asks for it, you've already lost the argument that you took compliance seriously.
The financial stakes of skipping it
OCR settlements make the cost of skipping this step concrete. Fines scale with how negligent the organization looks, and "we never did a risk assessment" is one of the fastest ways to land in the worst tier.

| Violation category | Annual penalty range (per violation type) |
|---|---|
| Unaware, reasonable diligence | $137 to $68,928 |
| Reasonable cause, not willful neglect | $1,379 to $68,928 |
| Willful neglect, corrected within 30 days | $13,785 to $68,928 |
| Willful neglect, not corrected | $68,928 to $2,067,813 |
These aren't hypothetical numbers. OCR has repeatedly cited the absence of a risk analysis as the primary or contributing factor in multi-million dollar settlements. A missing assessment turns a single incident into evidence of systemic failure.
A missing risk assessment doesn't just cost you a fine, it tells regulators you never looked for the problem in the first place.
Why health systems and EPIC won't skip it either
Health systems carry the liability for every vendor that touches their EHR, so they push the risk assessment requirement downstream to you. Before EPIC will list your app in the Showroom or grant production access, your organization needs to demonstrate that you understand where PHI flows through your systems and how you're protecting it. Hospital procurement and security teams ask for this documentation as a standard part of vendor due diligence, right alongside your BAA and your SOC 2 report. No assessment on file usually means no contract, regardless of how good your product is.
Money aside, the assessment is what keeps you from finding out about a vulnerability the hard way. Digital health vendors often assume their cloud provider or their EHR integration partner has already handled security, but that assumption doesn't hold up under HIPAA. The rule places responsibility for identifying risk squarely on you as the entity handling the data, not on your vendors or infrastructure providers. Skipping the assessment means you're guessing at your exposure instead of measuring it, and guessing is exactly what regulators, auditors, and hospital security teams are trained to catch.
Getting this right early also saves you rework later. Vendors who build their workflow logic, data storage, and access controls before running a risk assessment frequently discover gaps that require re-architecting parts of their product. Running the assessment first, or at least early in development, lets you design safeguards into the system instead of bolting them on after a health system's security review flags a problem. That sequencing difference often separates vendors who close EPIC integrations in weeks from those stuck in review cycles for months.
How to conduct a HIPAA risk assessment
Running a HIPAA risk assessment isn't a mysterious process, but it does require working through a fixed sequence of steps in order. Skip a step or do them out of order, and OCR or a hospital security reviewer will spot the gap immediately. NIST's guidance (Special Publication 800-30) and OCR's own risk analysis guidance both describe the same core process, so you don't need to invent your own framework. You just need to execute it thoroughly.
Map where PHI actually lives
Start by identifying every system, application, and workflow that touches protected health information. This means databases, backup systems, third-party integrations, and even spreadsheets your staff might use informally. For vendors integrating with EPIC, this step includes every point where patient data flows from EPIC into your app and back, plus any place that data gets stored, cached, or logged along the way. Build a full inventory before moving to the next step. You can't assess risk to data you haven't identified.

Identify threats and vulnerabilities
Once you know where PHI sits, list out the realistic threats to it: unauthorized access, lost devices, phishing attacks, insecure APIs, misconfigured cloud storage, and insider misuse. For each threat, identify the vulnerabilities that would let it succeed. A threat without a matching vulnerability isn't much of a risk. A weak API authentication scheme paired with a threat like credential theft, on the other hand, is exactly the kind of pairing auditors expect you to catch.
A risk assessment that skips threat-vulnerability pairing isn't an assessment, it's a checklist with no teeth.
Assess current safeguards and assign risk levels
Document what safeguards you already have in place, then rate the likelihood and impact of each identified risk. Most organizations use a simple high/medium/low scale, though larger vendors sometimes use numeric scoring for more granularity. Here's a simplified way to structure that output:
| Risk | Likelihood | Impact | Current safeguard | Risk level |
|---|---|---|---|---|
| Unencrypted PHI in transit | Medium | High | TLS 1.2 enforced | Medium |
| Weak API authentication | High | High | Basic OAuth, no MFA | High |
| Lost employee laptop | Low | High | Device encryption | Low |
Document, prioritize, and remediate
Finish by writing everything down: the systems inventoried, the threats identified, the risk ratings assigned, and the remediation plan for anything above your acceptable threshold. This document is what you hand to auditors, health system security teams, or the EPIC review process when they ask for proof. A few practical steps to keep the output usable:
- Assign an owner and a deadline to every high-risk finding
- Re-score risks after remediation, don't just mark them closed
- Keep prior versions on file to show progress over time
- Store the document somewhere your compliance and engineering teams can both access
The finished assessment becomes the reference point for every security decision you make afterward, from encryption standards to access control policies.
Types of HIPAA risk assessments you may need
Most people use "HIPAA risk assessment" as a catch-all term, but the requirement actually splits into a few distinct types depending on what you're evaluating and why. Understanding which one applies to your situation keeps you from wasting time on the wrong document, or worse, handing a health system's security team something they didn't ask for.
The Security Rule risk analysis
This is the assessment most people mean when they say HIPAA risk assessment, and it's the one required under 45 CFR § 164.308(a)(1)(ii)(A). It covers electronic PHI specifically: where it's stored, transmitted, and processed, along with the technical, physical, and administrative safeguards protecting it. Every organization handling ePHI needs this one on file, full stop.
Privacy Rule considerations
Separate from the Security Rule analysis, some organizations also run a Privacy Rule assessment that looks at how PHI is used and disclosed, rather than how it's technically secured. This matters more for organizations handling marketing, research, or data-sharing agreements where use and disclosure rules get complicated. Digital health vendors building clinical workflow tools usually spend less time here, but it's worth confirming you're not overlooking a use case, like sharing data with a third-party analytics platform, that triggers Privacy Rule obligations.
Vendor and third-party risk assessments
Business associates don't get a pass just because the covered entity holds the primary relationship with the patient. If your product integrates with subcontractors, cloud hosting providers, or other software vendors, you need a third-party risk assessment covering each of those relationships. Health systems increasingly ask vendors to prove they've assessed their own supply chain, not just their own internal systems.
| Assessment type | Primary focus | Who typically needs it |
|---|---|---|
| Security Rule risk analysis | ePHI confidentiality, integrity, availability | Every covered entity and business associate |
| Privacy Rule assessment | Use and disclosure practices | Organizations with complex data-sharing or research use |
| Vendor/third-party assessment | Subcontractor and supply chain risk | Vendors relying on external hosting or integration partners |
| Application-specific assessment | A single product or integration point | Vendors launching a new EHR-connected app |
Enterprise-wide vs application-specific assessments
Larger organizations often run an enterprise-wide assessment covering every system across the company, then supplement it with narrower, application-specific assessments for individual products. If you're building a single app that connects to EPIC, you likely need the narrower version: an assessment scoped tightly to that integration, its data flows, and its specific safeguards. Trying to force an enterprise-wide framework onto a single-app review usually produces a bloated document that misses the specific risks a hospital security reviewer actually cares about.

The right risk assessment is the one scoped to match what you're actually building, not the biggest template you can find.
NIST's guidance on information security risk assessments (SP 800-30) applies across all these variants, so the underlying methodology doesn't change much between types. What changes is scope, and getting that scope right the first time saves you from redoing the work when a health system's procurement team asks a question your assessment never addressed.
Who is responsible for the assessment
Every organization handling protected health information owns its own risk assessment. That responsibility doesn't transfer to a vendor, a cloud provider, or a consultant just because they touched part of the system. HIPAA places the legal obligation on the covered entity or business associate itself, meaning your leadership team is the one who signs off on the finished document and answers for it if OCR comes asking.
Covered entities and business associates share the obligation
Health systems, as covered entities, must assess risk across their own infrastructure, but that doesn't let their vendors off the hook. If you're a digital health company integrating with EPIC, you're almost certainly a business associate, and the Security Rule requires you to run your own risk analysis covering the systems you control. Hospitals will often ask to see your assessment as part of vendor onboarding, precisely because your risk becomes their risk the moment your app touches patient data. Assuming the hospital's assessment covers your product is a common and costly mistake.
The role of your security officer and leadership
Day-to-day ownership usually falls to whoever holds the HIPAA Security Officer title, a role every covered entity and business associate must designate under 45 CFR § 164.308(a)(2). That person doesn't need to personally write every line of the assessment, but they need to coordinate it, sign off on the final version, and make sure findings actually get remediated rather than filed away. In smaller digital health companies, this person is often the CTO, head of compliance, or founder wearing multiple hats.
The person who signs the risk assessment is the person who answers for it, so make sure that person has real authority to fix what it finds.
A workable ownership structure usually looks like this:
- Security Officer or compliance lead: owns the process, signs the final document
- Engineering leadership: provides accurate system and data flow information
- Executive sponsor: allocates budget and time for remediation
- Outside counsel or consultant (optional): reviews methodology and legal exposure
Can you outsource the assessment?
You can bring in outside help to conduct the technical work, and many vendors do, especially smaller teams without a dedicated security staff. Consultants, managed compliance platforms, and specialized auditors can run the assessment, document findings, and even recommend remediation steps. What you can't outsource is accountability. If OCR investigates a breach, they'll ask your organization for the risk assessment, not your consultant's business card. That means whoever you hire needs to produce a document your own team understands well enough to defend, update, and act on independently.
Vendors building EPIC integrations often find it easier to fold this responsibility into a platform that already builds compliance into the workflow, rather than treating the risk assessment as a bolt-on project handled once and forgotten. Either way, someone inside your organization has to own the outcome, know where the gaps sit, and be ready to answer for them when a health system or regulator asks.
Common mistakes that undermine your assessment
Even organizations that genuinely try to comply with HIPAA end up with assessments that fall apart under scrutiny. The mistakes aren't usually about laziness. They're about misunderstanding what OCR and hospital security teams actually expect to see. Knowing where these traps sit lets you sidestep them before they cost you a contract or a fine.
Treating a checklist as an assessment
Vendors often buy a generic HIPAA compliance checklist, run through it in an afternoon, and call it a risk assessment. OCR guidance explicitly rejects this approach, because a checklist tells you whether a control exists, not whether it actually reduces risk in your specific environment. A real risk analysis pairs threats with vulnerabilities and rates the likelihood and impact of each, which a generic checklist never does. If your document doesn't include that pairing, it won't survive an audit.
A checklist tells you what boxes exist. A risk assessment tells you what happens if they're empty.
Scoping the assessment too narrowly
Some teams assess only their production database and skip backups, logs, third-party integrations, or the laptops their support staff use to troubleshoot patient issues. Incomplete scope is one of the most common findings OCR cites in settlement agreements, because breaches rarely happen in the systems everyone remembers to check. If you're integrating with EPIC, this mistake shows up when vendors assess their own app but forget the data that gets cached, logged, or exported along the way.
Skipping remediation follow-through
Writing down a risk is only half the job. Plenty of assessments identify a high-risk finding, like weak API authentication, and then never track whether anyone fixed it. Without a documented remediation plan and a re-score after the fix, your assessment becomes a historical snapshot instead of a living compliance tool. Auditors notice when the same finding appears unresolved across multiple years.
Letting one person do it in isolation
A risk assessment written entirely by one engineer, with no input from leadership or compliance, tends to miss administrative and physical safeguards entirely. It also creates a document nobody else in the organization can defend if that person leaves. Effective assessments pull input from multiple roles:
- Engineering: system architecture and data flow accuracy
- Compliance or legal: regulatory interpretation and documentation standards
- Leadership: budget and prioritization for remediation
- IT operations: physical and device-level safeguards
Copying last year's document
Organizations that reuse a prior assessment word for word, updating only the date, are treating a living compliance requirement like a formality. Systems change, new integrations get added, and new threats emerge constantly. HHS expects the assessment to reflect your current environment, not a snapshot from two years ago that predates half your current tech stack. A stale document is almost as risky as no document at all, because it gives you false confidence that your safeguards match your actual exposure.
How often to update your risk assessment
HIPAA doesn't specify a fixed schedule, no annual date stamped in the regulation that tells you exactly when to run the next assessment. That ambiguity trips up a lot of vendors who assume once a year covers them. HHS guidance frames the requirement around change, not calendar dates: if something material shifts in how you handle PHI, you need to revisit the assessment regardless of when you last did one. Waiting for an annual reminder while your systems change underneath you is exactly the gap OCR looks for after a breach.
Trigger events that demand an immediate update
Certain events should push you to update your assessment right away, no matter where you are in your normal cycle. Think of these as forcing functions rather than optional check-ins.
- Launching a new product feature that touches PHI
- Adding a new EPIC integration point or expanding data access scope
- Switching cloud providers or hosting infrastructure
- Experiencing a security incident or near-miss, even a minor one
- Bringing on a new subcontractor or vendor with access to patient data
- Significant staff turnover in engineering or security roles
Any one of these changes your risk profile enough that your last assessment no longer reflects reality. A vendor that adds a new data export feature without revisiting the assessment is, in effect, operating on a document that describes a system that no longer exists.
The moment your systems change, your last risk assessment describes a company that no longer exists.
A reasonable baseline cadence
Even without trigger events, most compliance-minded organizations run a full risk assessment annually and treat that as the floor, not the ceiling. Some larger organizations with more complex data flows run a lighter review quarterly, checking for new systems or overlooked data paths, and reserve the deep, full-scope assessment for once a year. For a digital health vendor with a single EPIC integration, annual usually works, provided you're disciplined about updating between cycles when something material changes.
| Organization type | Suggested baseline | Trigger-based updates |
|---|---|---|
| Single-product vendor, one EPIC integration | Annual full assessment | After any system or scope change |
| Multi-product vendor, several integrations | Annual full, quarterly light review | After any new integration or vendor |
| Enterprise health system | Annual full, ongoing monitoring | Continuous, tied to change management |
Building the update into your workflow
The vendors who handle this well don't treat the risk assessment as a standalone project that resurfaces once a year out of nowhere. They build a trigger into their change management process, so that any engineering ticket touching data flow, authentication, or third-party access automatically flags a review of the existing assessment. That habit costs almost nothing compared to discovering, mid-audit, that your documentation is eighteen months out of date and missing half your current architecture. Health systems reviewing your vendor file will ask when your assessment was last updated, and "whenever we remembered" is not an answer that keeps a contract moving forward.
Tools that can support your risk assessment
You don't have to build your risk assessment from a blank document. A handful of established tools and frameworks exist specifically to structure the process, and using one signals to auditors and health system security teams that you followed a recognized methodology instead of inventing your own.
Free government and framework resources
The Office for Civil Rights offers a Security Risk Assessment (SRA) Tool built for smaller organizations that don't have dedicated compliance software. It walks you through the same threat, vulnerability, and safeguard categories OCR expects to see, and it's free to download from HHS. NIST's Special Publication 800-30 provides the underlying risk methodology most of these tools rely on, so pairing the SRA Tool with a quick read of the NIST guidance gives you a defensible framework without spending a dollar. For a digital health startup running its first assessment, this combination covers the basics well.
A free government tool, used properly, beats an expensive platform used carelessly.
Commercial GRC and compliance platforms
Once your organization grows past a handful of systems, spreadsheet-based tracking gets unwieldy fast. Governance, risk, and compliance (GRC) platforms centralize your risk register, automate reminders for reassessment, and generate audit-ready reports. These tools typically include:
- A centralized risk register with likelihood and impact scoring
- Automated workflows for remediation tracking and ownership
- Pre-built templates mapped to HIPAA, SOC 2, and other frameworks
- Audit trail features that show when the assessment was last updated
Commercial platforms cost money, usually a monthly subscription plus setup time, but they save real hours once you're managing multiple integrations or a growing engineering team touching PHI.
Where a no-code integration platform fits in
If your risk exposure is concentrated in a single EPIC integration, the tooling question shifts. A generic GRC platform still requires you to manually map data flows, authentication methods, and storage points inside your own custom-built app. A platform like VectorCare removes a chunk of that mapping work by standardizing how PHI moves through the integration in the first place: pre-built FHIR actions, managed hosting, and HIPAA-aligned infrastructure mean fewer unknown variables to assess. That doesn't eliminate the need for your own risk assessment, since you still own that legal obligation, but it narrows the scope considerably compared to a fully custom build.
| Tool category | Best for | Cost | Ongoing maintenance |
|---|---|---|---|
| HHS SRA Tool | First assessment, small teams | Free | Manual updates |
| GRC platforms | Multi-product vendors, growing teams | Subscription | Mostly automated |
| No-code EHR integration platform | Vendors with EPIC-specific data flows | Flat monthly fee | Managed by provider |
Whichever tool you choose, treat it as support for your judgment, not a replacement for it. Software can organize your findings, but someone on your team still has to interpret the risk, decide what's acceptable, and sign off on the remediation plan.
What a completed risk assessment looks like
Opening a finished HIPAA risk assessment for the first time, most people expect a single spreadsheet. What they actually find is a structured document, usually running 15 to 40 pages depending on scope, that reads like a technical report rather than a form. It combines narrative explanation with data tables, and it's built so someone outside your engineering team, a hospital security reviewer or an OCR investigator, can follow your reasoning without needing you in the room to explain it.

The core sections every finished document includes
Regardless of who writes it, a complete assessment covers the same ground. Missing sections are one of the fastest ways a reviewer flags your document as incomplete:
- An executive summary stating scope, methodology, and date completed
- A full system and data inventory, including third-party integrations
- A threat and vulnerability list mapped to each system
- Risk ratings with likelihood, impact, and current safeguards
- A remediation plan with owners and deadlines for anything above threshold
- Sign-off from your Security Officer or designated leadership
What a real entry looks like
Generic templates rarely show what a finished row actually contains. Here's a realistic example pulled from a single-app EPIC integration review:
| Field | Example entry |
|---|---|
| System | Patient intake form, EPIC-connected |
| Data type | PHI: name, DOB, insurance ID |
| Threat | Unauthorized access via stolen credentials |
| Vulnerability | No multi-factor authentication on admin accounts |
| Likelihood | Medium |
| Impact | High |
| Current safeguard | Password policy, no MFA |
| Risk level | High |
| Remediation | Enable MFA, owner: engineering lead, due: 30 days |
Multiply that row by every system, threat, and vulnerability pairing you identified, and you have the working core of the assessment.
A finished risk assessment reads less like a form and more like a technical audit someone could hand to a stranger and have them understand your exposure in ten minutes.
Sign-off and version control
Hospital security teams and auditors both check the same detail: a dated signature from your Security Officer or accountable executive, plus a version history showing when the document was last revised and why. A finished assessment that lacks a signature reads as a draft, not a compliance artifact, no matter how thorough the analysis underneath it looks.
What it looks like when it's actually usable
Beyond the paperwork itself, a genuinely finished assessment gets referenced constantly. Engineering teams pull from it when scoping new features. Compliance teams hand it to health system procurement without editing it first. If your document sits untouched in a shared drive between annual reviews, it's not finished, it's filed. The difference between the two is whether it's still shaping decisions six months after you wrote it.

Moving from assessment to action
A HIPAA risk assessment only earns its value once it changes what you build. You now know what the term means, why regulators and health systems both demand it, and how to run one without turning it into a stalled side project. The document itself isn't the finish line. It's the starting point for every access control, encryption decision, and vendor agreement you make afterward.
If you're building toward an EPIC integration, the assessment gets a lot easier when your underlying architecture doesn't introduce unknowns every time you add a feature. That's exactly where a no-code platform built around standardized, HIPAA-aligned FHIR workflows narrows your scope instead of expanding it. Fewer custom variables means fewer things to assess, document, and defend later.
If you'd rather spend your engineering time on your product than on mapping data flows for auditors, see how VectorCare can get your app EPIC-ready in weeks.
The Future of Patient Logistics
Exploring the future of all things related to patient logistics, technology and how AI is going to re-shape the way we deliver care.