The HIPAA Security Rule (45 CFR Part 164) requires covered entities and business associates to conduct a thorough risk analysis of their electronic protected health information (ePHI) environment. Failure to conduct an accurate and thorough Security Risk Analysis (SRA) under §164.308(a)(1)(ii)(A) is consistently the most-cited HIPAA violation in HHS Office for Civil Rights (OCR) enforcement actions and audits. In 2026, with healthcare cyberattacks continuing at record levels and OCR investigation volumes increasing, a documented and repeatable risk assessment process is essential.

HIPAA Security Rule: The Three Safeguard Categories

The HIPAA Security Rule organizes requirements across three categories of safeguards, each with required and addressable implementation specifications.

Administrative Safeguards (§164.308)

Administrative safeguards are the policies, procedures, and processes organizations must implement to manage the selection, development, implementation, and maintenance of security measures. The Security Risk Analysis is an administrative safeguard requirement. Other key administrative requirements include a Risk Management Plan (documenting how identified risks will be reduced to a reasonable level), a Security Officer designation, workforce training, access management procedures, and a contingency plan covering data backup, disaster recovery, emergency mode operations, and testing.

Physical Safeguards (§164.310)

Physical safeguards address physical access controls for facilities and equipment containing ePHI. This includes facility access controls with documented policies for who can access areas where ePHI is stored or processed, workstation use policies defining proper use of workstations with access to ePHI, workstation security ensuring screens face away from unauthorized viewers and sessions lock automatically, and device and media controls covering the movement, disposal, and re-use of equipment and media containing ePHI.

Technical Safeguards (§164.312)

Technical safeguards cover the technology that protects ePHI and the policies governing its use. Access control requirements include unique user identification for all users, emergency access procedures, automatic logoff from ePHI systems, and — as an addressable specification — encryption of ePHI at rest. Audit controls require hardware, software, and procedural mechanisms that record and examine access and activity in information systems containing ePHI. Integrity controls protect ePHI from improper alteration or destruction. Transmission security requires encryption of ePHI transmitted over open networks.

What Must a HIPAA Security Risk Analysis Include?

OCR has published guidance stating that an adequate risk analysis must at minimum: (1) identify the scope of ePHI held by the organization, (2) identify and document the reasonably anticipated threats to ePHI, (3) assess the likelihood and impact of each threat, (4) document the results and use them to inform a risk management plan, and (5) be reviewed and updated on a periodic basis and when operations or the environment change.

A common mistake is to perform a gap assessment against the Security Rule specifications without first conducting a threat and vulnerability analysis. The Security Rule requires a risk-based approach, not just a control checklist. You must identify what threats exist to your specific ePHI environment before determining which controls are appropriate.
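The five-step process above can be carried as a small, repeatable risk register rather than a one-off spreadsheet. The following Python is an added example (not the page author's tooling and not an OCR-provided template): it scores each threat on an assumed 1..5 likelihood × impact scale, ranks them for the Risk Management Plan, flags in-scope assets that were never assessed, surfaces high-scoring threats with no existing control, and checks whether the analysis is due for refresh because it is older than a year or the environment changed after it. All assets, threats and dates are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Added example: constructed assets, threats and dates; not real organizational data.


@dataclass
class Threat:
    asset: str                 # in-scope ePHI system the threat applies to
    description: str
    likelihood: int            # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int                # 1 (negligible) .. 5 (severe, e.g. large breach)
    existing_controls: list[str] = field(default_factory=list)

    def score(self) -> int:
        # Likelihood x impact; any documented, consistently applied scale satisfies the rule.
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be on the 1..5 scale")
        return self.likelihood * self.impact


# Step 1: scope. Every system that stores, processes or transmits ePHI.
EPHI_SCOPE = {"EHR database", "billing portal", "backup NAS", "imaging PACS"}

# Step 2: reasonably anticipated threats, with step 3 likelihood/impact ratings.
THREATS = [
    Threat("EHR database", "ransomware via phishing on clinical workstation", 4, 5,
           ["email filtering", "offline backups"]),
    Threat("billing portal", "credential stuffing against internet-facing login", 4, 4,
           ["MFA"]),
    Threat("backup NAS", "unencrypted disposal of failed drives", 3, 5, []),
    Threat("billing portal", "insider browsing records without a need to know", 3, 3,
           ["audit logging", "role-based access"]),
]


def rank_threats(threats):
    """Step 4: order threats so the Risk Management Plan addresses the highest first."""
    return sorted(threats, key=lambda t: t.score(), reverse=True)


def unassessed_assets(scope, threats):
    """Scope gap: in-scope ePHI assets for which no threat was assessed at all."""
    return sorted(scope - {t.asset for t in threats})


def uncontrolled_high_risks(threats, threshold=15):
    """High-scoring threats with no existing control: the top of the remediation list."""
    return [t for t in threats if t.score() >= threshold and not t.existing_controls]


def review_due(last_review_iso, last_environment_change_iso, today_iso, max_age_days=365):
    """Step 5: the SRA must be refreshed periodically and whenever the environment changes."""
    last_review = date.fromisoformat(last_review_iso)
    last_change = date.fromisoformat(last_environment_change_iso)
    today = date.fromisoformat(today_iso)
    return (today - last_review > timedelta(days=max_age_days)) or (last_change > last_review)


if __name__ == "__main__":
    for t in rank_threats(THREATS):
        print(f"{t.score():>2}  {t.asset:15} {t.description}")
    print("unassessed assets:", unassessed_assets(EPHI_SCOPE, THREATS))
    print("uncontrolled high risks:",
          [t.description for t in uncontrolled_high_risks(THREATS)])
    print("review due:", review_due("2025-01-10", "2025-09-01", "2026-02-01"))
```

The register output is the artifact OCR asks for: the ranked list documents threats and their ratings, the unassessed-asset check shows the scope was actually covered, and the review check gives a defensible trigger for re-running the analysis.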

Business Associate Agreements (BAAs): A Common Gap

Covered entities must have a signed Business Associate Agreement (BAA) with every business associate that creates, receives, maintains, or transmits ePHI on their behalf. A business associate is any vendor, contractor, or third party that touches ePHI — including cloud storage providers, IT support firms, billing services, and healthcare software platforms.

BAA gaps are among the most frequently cited HIPAA violations. Organizations often have undocumented business associates, outdated BAA templates that do not address current regulatory requirements, or BAAs that have lapsed when vendor relationships continued past their original contract period. A comprehensive ePHI vendor inventory that maps every third-party touchpoint to a current, signed BAA is essential.
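The vendor-inventory-to-BAA mapping described above is straightforward to automate once both lists exist. The Python below is an added example (not the page author's tool) that cross-references a constructed ePHI vendor inventory against the BAAs on file and reports the three gap types named in the text: vendors with no BAA, BAAs that have lapsed, and BAAs signed on an outdated template, plus agreements expiring soon. The template label and the 90-day warning window are assumptions; vendor names and dates are constructed.

```python
from datetime import date, timedelta

# Added example: constructed vendors, dates and template labels; not real records.

CURRENT_TEMPLATE = "2024-template-v3"   # assumed label for the organization's current BAA template

# ePHI vendor inventory: every third party that creates, receives, maintains or transmits ePHI.
# "ephi": False marks vendors that never touch ePHI and therefore need no BAA.
VENDORS = [
    {"name": "CloudStore Inc", "touchpoint": "stores ePHI backups", "ephi": True},
    {"name": "HelpDeskCo", "touchpoint": "remote support on EHR servers", "ephi": True},
    {"name": "BillingPros", "touchpoint": "claims processing", "ephi": True},
    {"name": "Landscape LLC", "touchpoint": "grounds maintenance", "ephi": False},
    {"name": "TeleVisit", "touchpoint": "video visit platform", "ephi": True},
]

# Signed BAAs on file, keyed by vendor name. "expires": None means no fixed term.
BAAS = {
    "CloudStore Inc": {"signed": "2023-03-01", "expires": "2026-03-01", "template": CURRENT_TEMPLATE},
    "HelpDeskCo":     {"signed": "2020-06-15", "expires": "2023-06-15", "template": "2013-template-v1"},
    "BillingPros":    {"signed": "2022-01-10", "expires": None,         "template": "2013-template-v1"},
}


def baa_gaps(vendors, baas, today_iso, current_template=CURRENT_TEMPLATE, warn_days=90):
    """Map each ePHI-touching vendor to its BAA and classify the gaps found."""
    today = date.fromisoformat(today_iso)
    gaps = {"missing": [], "lapsed": [], "expiring": [], "outdated_template": []}
    for vendor in vendors:
        if not vendor["ephi"]:
            continue  # not a business associate under the Privacy Rule definition
        baa = baas.get(vendor["name"])
        if baa is None:
            gaps["missing"].append(vendor["name"])
            continue
        if baa["expires"] is not None:
            expires = date.fromisoformat(baa["expires"])
            if expires < today:
                gaps["lapsed"].append(vendor["name"])          # relationship outlived the agreement
            elif expires - today <= timedelta(days=warn_days):
                gaps["expiring"].append(vendor["name"])        # renew before it lapses
        if baa["template"] != current_template:
            gaps["outdated_template"].append(vendor["name"])   # re-paper on the current template
    return gaps


if __name__ == "__main__":
    for gap_type, names in baa_gaps(VENDORS, BAAS, "2026-01-15").items():
        print(f"{gap_type:18} {', '.join(names) or '-'}")
```

Run this against the real inventory on a schedule (for example, alongside the annual SRA refresh) so that a vendor added mid-year without a BAA shows up as "missing" rather than surfacing for the first time in an OCR document request.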


Healthcare OT/ICS and HIPAA

Modern healthcare facilities rely on a wide range of networked devices and systems that may create, receive, maintain, or transmit ePHI — including building management systems (BMS) that control HVAC in server rooms, medical gas systems with digital monitoring, infusion pumps, imaging systems, and laboratory equipment. These operational technology (OT) assets are often overlooked in HIPAA Security Risk Analyses, yet many of them handle or have network adjacency to ePHI.

A comprehensive HIPAA SRA in a hospital or health system must include an OT/ICS asset inventory, network segmentation assessment between clinical and operational systems, and evaluation of ePHI flows through networked medical devices. Tabletop exercises that simulate a ransomware attack affecting both IT and clinical systems — triggering simultaneously a HIPAA breach determination and clinical contingency protocols — provide the most realistic validation of healthcare cybersecurity preparedness.

Preparing for OCR Audits and Enforcement

OCR's audit protocol is publicly available and provides a specific checklist of evidence OCR will request during an investigation. Organizations that maintain current documentation — a recent SRA, a Risk Management Plan with documented progress, training records, BAA inventory, and contingency plan test results — are significantly better positioned to respond to an OCR audit or post-breach investigation.

The key principle underlying OCR's approach is that HIPAA compliance is an ongoing process, not a point-in-time certification. Organizations that can demonstrate a continuous security management program — regular risk analysis, annual workforce training, periodic contingency plan testing, and proactive gap remediation — are treated more favorably in enforcement actions than those that can only show a single SRA from several years prior.