Key Takeaways:
- HIPAA requires every covered entity and business associate to conduct a security risk assessment — it is not optional. The 2026 Security Rule adds continuous monitoring requirements on top of periodic formal assessments.
- This template follows the HHS/OCR methodology and covers asset inventory, threat identification, vulnerability assessment, risk scoring, and remediation planning.
- The downloadable Excel template includes built-in scoring formulas, prioritization logic, and remediation tracking columns — ready to use out of the box.
- Organizations that skip or shortcut risk assessments face the highest enforcement penalties. OCR has cited inadequate risk assessment as the #1 finding in HIPAA investigations.
Why Risk Assessment Is Required
The HIPAA Security Rule (§ 164.308(a)(1)(ii)(A), the risk analysis implementation specification) requires covered entities and business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI they create, receive, maintain, or transmit. This is not a suggestion: it is the foundational requirement upon which every other HIPAA safeguard is built, because the "reasonable and appropriate" safeguards the rest of the rule calls for can only be chosen against a documented picture of the risks.
OCR has consistently identified inadequate or missing risk assessments as the most common finding in HIPAA enforcement actions. In settlement after settlement, the investigation reveals one of the same failures:
- no risk assessment was conducted at all;
- the risk assessment was incomplete (missing systems, data flows, or threat categories);
- the risk assessment was conducted once but never updated; or
- identified risks were documented but never remediated.
The 2026 Security Rule update reinforces this by requiring continuous monitoring to supplement formal periodic assessments. Annual risk assessments remain the baseline, but organizations must also implement ongoing vulnerability scanning, intrusion detection, and risk indicator monitoring between formal assessments.
For complete HIPAA compliance context, see our HIPAA compliance guide for software development.
What This Template Covers
The template is structured around the HHS/OCR risk assessment methodology and covers every step required for a compliant assessment.
Asset Inventory
Identify and document every system, application, device, and data store that creates, receives, stores, or transmits ePHI. The template includes columns for asset name and description, asset type (application, server, database, device, cloud service, network component), ePHI data types handled, data volume classification, asset owner, and location (on-premises, cloud, hybrid, mobile).
Threat Identification
For each asset, identify potential threats. The template provides a pre-populated threat library covering natural threats (fire, flood, power outage, natural disaster), human threats — intentional (hacking, malware, ransomware, insider theft, social engineering, phishing), human threats — unintentional (accidental deletion, misconfiguration, lost devices, misdirected communications), and environmental threats (hardware failure, software bugs, network outages, power surges).
Vulnerability Assessment
For each threat-asset combination, identify existing vulnerabilities that could be exploited. The template prompts assessment of access control weaknesses, encryption gaps, audit logging deficiencies, patch management delays, training gaps, physical security weaknesses, and backup and recovery deficiencies.
Current Controls Assessment
Document what safeguards are already in place for each vulnerability. This is critical — the risk score reflects residual risk after existing controls, not raw risk. The template tracks control type (preventive, detective, corrective), control implementation status (implemented, partial, planned, none), and control effectiveness (high, medium, low).
Risk Scoring
The template calculates risk using a standard likelihood × impact matrix.
Likelihood scale (1–5):
- 1 = Rare (unlikely to occur in any given year)
- 2 = Unlikely (could occur but not expected)
- 3 = Possible (reasonable chance of occurring)
- 4 = Likely (expected to occur)
- 5 = Almost certain (will occur without intervention)
Impact scale (1–5):
- 1 = Negligible (minimal impact on operations or patients)
- 2 = Minor (limited impact, easily contained)
- 3 = Moderate (significant operational disruption or limited PHI exposure)
- 4 = Major (serious PHI breach, significant financial or reputational impact)
- 5 = Critical (catastrophic PHI breach, regulatory action, patient harm)
Risk score = Likelihood × Impact
Risk Score | Level | Action Required |
--- | --- | --- |
1–4 | Low | Monitor — accept or address in normal operations |
5–9 | Medium | Mitigate — plan remediation within 6 months |
10–15 | High | Priority — remediate within 90 days |
16–25 | Critical | Immediate — remediate within 30 days |
The Excel template auto-calculates risk scores and color-codes them by severity level.
Remediation Planning
For every risk scored Medium or above, the template captures planned remediation action, responsible party, target completion date, required resources / budget, status tracking (not started, in progress, completed, accepted), and residual risk after remediation.
Template Preview
Here is a simplified preview of the template structure. The downloadable Excel version includes all columns, scoring formulas, dropdown lists, and conditional formatting.
Asset | Threat | Vulnerability | Current Control | Likelihood | Impact | Risk Score | Remediation | Owner | Target Date | Status |
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
Patient Portal | Phishing attack | No MFA implemented | Password-only auth | 4 | 4 | 16 (Critical) | Implement MFA | Dev Lead | 30 days | In Progress |
Cloud Database | Unauthorized access | Encryption at rest not enabled | Network-level controls only | 3 | 5 | 15 (High) | Enable AES-256 encryption | DevOps | 60 days | Not Started |
Mobile App | Lost device | PHI cached unencrypted on device | Session timeout configured | 3 | 3 | 9 (Medium) | Implement device-level encryption | Mobile Dev | 90 days | Not Started |
Mirth Connect | Configuration error | No change management process | Manual deployment | 2 | 4 | 8 (Medium) | Implement CI/CD with approval gates | Integration Lead | 6 months | Planned |
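The scoring and remediation rules above (likelihood × impact, the four bands, the 30/90/180-day deadlines, and the requirement that every Medium-or-higher risk carries an action and an owner) are easy to state and easy to get wrong in a spreadsheet where someone types a 6 into the likelihood column or leaves the owner cell blank. The following Python script is an added example written for this article, not the Excel template's own formulas: it loads a register in the column layout of the preview table, scores each row, flags entries that would not survive an OCR review, and orders the rest by priority. The CSV it reads is constructed inline from the four preview rows plus two deliberately defective rows (a High risk with no remediation or owner, and an out-of-range likelihood); the rule that a High or Critical risk cannot simply be marked "Accepted" is an assumption of this example, not something the page states.

```python
"""Score and sanity-check a HIPAA risk register in the template's column layout.

Added example for this article; the sample rows below are constructed, not real findings.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Remediation deadlines (days) per level, from the scoring table on this page.
# Low risks are monitored rather than scheduled, so they have no deadline.
SLA_DAYS = {"Medium": 180, "High": 90, "Critical": 30}
SCALE = range(1, 6)  # likelihood and impact are both scored 1..5


def risk_level(score: int) -> str:
    """Map a likelihood x impact product onto the page's four bands (1-4, 5-9, 10-15, 16-25)."""
    if score <= 4:
        return "Low"
    if score <= 9:
        return "Medium"
    if score <= 15:
        return "High"
    return "Critical"


@dataclass
class Finding:
    asset: str
    threat: str
    vulnerability: str
    current_control: str
    likelihood: int
    impact: int
    remediation: str
    owner: str
    status: str

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def level(self) -> str:
        return risk_level(self.score)

    def in_scale(self) -> bool:
        return self.likelihood in SCALE and self.impact in SCALE

    def due_date(self, assessed_on: date):
        """Target date implied by the level's SLA; None for Low (monitor only)."""
        days = SLA_DAYS.get(self.level)
        return assessed_on + timedelta(days=days) if days else None


def load_register(csv_text: str) -> list:
    """Parse the template's columns from CSV text (as exported from the Excel sheet)."""
    findings = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        findings.append(Finding(
            asset=r["Asset"], threat=r["Threat"], vulnerability=r["Vulnerability"],
            current_control=r["Current Control"],
            likelihood=int(r["Likelihood"]), impact=int(r["Impact"]),
            remediation=r["Remediation"].strip(), owner=r["Owner"].strip(),
            status=r["Status"].strip(),
        ))
    return findings


def validate(findings) -> list:
    """Return (row_number, message) for every entry that would not pass review."""
    problems = []
    for n, f in enumerate(findings, start=1):
        if not f.in_scale():
            problems.append((n, f"{f.asset}: likelihood and impact must be 1-5"))
            continue  # score is meaningless, skip the remaining checks
        if f.level != "Low" and (not f.remediation or not f.owner):
            problems.append((n, f"{f.asset}: {f.level} risk has no remediation action or owner"))
        # Assumption of this example: High/Critical risks need mitigation, not acceptance.
        if f.status == "Accepted" and f.level in ("High", "Critical"):
            problems.append((n, f"{f.asset}: {f.level} risk marked Accepted without mitigation"))
    return problems


def prioritize(findings) -> list:
    """Valid rows, highest score first; ties broken by impact so patient-harm cases surface."""
    valid = [f for f in findings if f.in_scale()]
    return sorted(valid, key=lambda f: (f.score, f.impact), reverse=True)


# Constructed register: the four preview rows plus two defective rows to exercise validate().
SAMPLE_REGISTER = """Asset,Threat,Vulnerability,Current Control,Likelihood,Impact,Remediation,Owner,Status
Patient Portal,Phishing attack,No MFA implemented,Password-only auth,4,4,Implement MFA,Dev Lead,In Progress
Cloud Database,Unauthorized access,Encryption at rest not enabled,Network-level controls only,3,5,Enable AES-256 encryption,DevOps,Not Started
Mobile App,Lost device,PHI cached unencrypted on device,Session timeout configured,3,3,Implement device-level encryption,Mobile Dev,Not Started
Mirth Connect,Configuration error,No change management process,Manual deployment,2,4,Implement CI/CD with approval gates,Integration Lead,Planned
Backup Server,Ransomware,Restore procedure never tested,Nightly backups,3,5,,,Not Started
Fax Gateway,Misdirected communication,No recipient verification,None,6,3,Add confirmation step,Ops,Planned
"""

if __name__ == "__main__":
    register = load_register(SAMPLE_REGISTER)
    for row, msg in validate(register):
        print(f"row {row}: {msg}")
    assessed = date(2026, 1, 15)
    for f in prioritize(register):
        print(f"{f.score:>2} {f.level:<8} {f.asset:<16} due {f.due_date(assessed)}")
```

Run as a script it prints the two review problems first, then the five valid rows ordered Critical to Medium with the deadline each band implies from the assessment date. The same functions can be pointed at a real export of the template; the checks in validate() are the ones an auditor applies by eye, so running them on every revision keeps the register honest between formal assessments.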
Download the Full Template
The downloadable Excel template includes all sections described above with pre-populated threat and vulnerability libraries, built-in risk scoring formulas (auto-calculated from likelihood × impact), conditional formatting (color-coded risk levels), dropdown lists for consistent data entry (threat types, control status, remediation status), remediation tracking dashboard with progress summary, instructions tab with step-by-step guidance, and compliance mapping to HIPAA Security Rule sections.
How to Use This Template
Step 1: Inventory your assets. List every system, application, database, device, and cloud service that touches ePHI. Do not skip “obvious” systems — OCR auditors will ask about every one. Include development and test environments if they contain real PHI.
Step 2: Identify threats per asset. Use the pre-populated threat library as a starting point. Add any threats specific to your environment (specialized clinical devices, unique integration points, vendor-specific risks).
Step 3: Assess vulnerabilities. For each threat-asset pair, identify what vulnerability could be exploited. Use our HIPAA compliance checklist to systematically check for control gaps.
Step 4: Document current controls. Be honest about what is actually implemented versus what is planned. The risk score must reflect your current state, not your intended state.
Step 5: Score risks. Use the likelihood × impact matrix. The template auto-calculates scores. Focus attention on anything scoring 10 or above.
Step 6: Plan remediation. For every High and Critical risk, document a specific remediation action with an owner and target date. Medium risks should have a plan within 6 months. Low risks can be monitored.
Step 7: Track and update. Review and update the assessment quarterly. Conduct a full reassessment annually. Update immediately after significant changes (new systems, new integrations, new vendors, security incidents).
Step 8: Retain documentation. The Security Rule (§ 164.316(b)(2)) requires that risk assessment documentation be retained for six years from the date of its creation or the date it was last in effect, whichever is later. Store completed assessments in a secure, access-controlled, version-controlled location so that each revision and the reasoning behind each score can be produced on request.
Common Risk Assessment Mistakes
Incomplete asset inventory. Missing shadow IT, development environments with real PHI, third-party SaaS tools, or mobile devices. If it touches ePHI, it must be in the inventory.
Underestimating likelihood. Organizations consistently rate threats as "Rare" or "Unlikely" when their own incident history and industry breach data suggest otherwise. Healthcare is consistently among the most breached industries, and phishing, ransomware, and lost or stolen devices are recurring causes of reported breaches; rate those threats as at least "Possible" unless you have evidence to the contrary.
Not documenting current controls. Without documenting existing safeguards, the risk assessment overestimates raw risk and undervalues investments already made. Always assess residual risk after controls.
Assessment without remediation. Conducting a risk assessment and filing it without acting on the findings is worse than not conducting one: the document proves the organization knew about the risk and did nothing, which supports a finding of willful neglect, the penalty tier that carries the highest fines.
Annual-only assessment. The 2026 rule requires continuous monitoring between formal assessments. A risk assessment conducted in January is stale by March if you have added new systems, integrations, or vendors in between.
Need Professional Risk Assessment Support? If your team needs help conducting or validating your HIPAA risk assessment — asset identification, threat analysis, vulnerability testing, or remediation planning — schedule a free consultation with Taction.
Related Resources:
- HIPAA Compliance Guide for Software Development
- HIPAA Compliance Checklist
- HIPAA Compliance Cost for Software
- HIPAA-Compliant App Development
- HIPAA Compliance for Mobile Apps (Blog)
- SOC 2 vs HIPAA (Blog)
- Certifications & Compliance
- Healthcare Software Development Guide
- Free Consultation
Frequently Asked Questions
How often should a HIPAA risk assessment be conducted?
At least annually, and whenever there is a significant change to your environment (new systems, new integrations, new business associate relationships, security incidents). The 2026 rule adds continuous monitoring requirements between formal assessments.
Can we conduct the risk assessment ourselves?
You can conduct it internally using this template. However, organizations without dedicated security expertise benefit from an independent assessment that brings objectivity and industry benchmarking. Taction provides HIPAA compliance assessments (https://www.tactionsoft.com/free-consultation/) as part of our healthcare development services.
How long does a risk assessment take?
For a typical healthcare application with 10–20 assets, expect 2–4 weeks for a thorough assessment including inventory, threat analysis, scoring, and remediation planning. Larger environments with 50+ assets may take 6–8 weeks.
What should we do with the risks we identify?
Document them, assign remediation immediately (within 30 days for critical risks), and track to completion. The existence of risks is not a compliance failure; failing to identify them, document them, and remediate them is.
Does completing this template make us compliant?
This template follows the HHS/OCR recommended methodology. A completed template with thorough entries, honest scoring, and documented remediation actions demonstrates compliance with the risk assessment requirement. The template alone is not sufficient: it must be filled out accurately and acted upon.