
How to Conduct a HIPAA Security Risk Assessment for Houston Healthcare Organizations

The HIPAA Security Rule requires covered entities and business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to electronic PHI (ePHI). It does not prescribe a specific methodology, but when OCR examines a risk assessment it expects specific elements to be present. This guide covers what your HIPAA risk assessment must include.

What the HIPAA Security Rule Actually Requires

45 CFR § 164.308(a)(1) requires you to assess the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI the organization creates, receives, maintains, or transmits. In practice this means starting with an ePHI inventory: where does ePHI live in your environment? Every system, device, and process that touches ePHI is in scope for the risk assessment.

Step 1: ePHI Inventory

Document every location where ePHI exists: EHR system, practice management software, email (if PHI is sent by email), shared drives with patient files, portable devices (laptops, phones, tablets), physical workstations at reception and clinical areas, backup media, and any third-party cloud services. OCR has found organizations non-compliant for failing to include all ePHI locations in their risk assessment scope.

Step 2: Threat and Vulnerability Identification

For each ePHI location, identify: potential threats (ransomware, external hacker, lost laptop, employee misuse, natural disaster, hardware failure) and existing vulnerabilities (no encryption, weak passwords, no audit logging, shared credentials). This is where technical IT expertise is essential — non-technical staff conducting this step consistently miss technical vulnerabilities.

Step 3: Risk Rating and Remediation

Rate each threat/vulnerability combination by likelihood (how likely is this to occur?) and impact (how severely would this affect ePHI if it occurred?). Multiply likelihood by impact to get the risk rating. High-risk findings require priority remediation. Document remediation plans with timelines. This risk register becomes the core of your audit-ready documentation.
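The three steps above fit together as one small risk register. The following is an added example written for this page, not SpaceTown IT's own tooling or the NIST 800-30 worksheet; the 1-5 likelihood and impact scales, the high/medium/low thresholds, and every inventory location and finding in it are constructed sample values. Besides computing likelihood × impact and ordering findings for remediation, it checks that every location from the Step 1 inventory has at least one finding, which catches the scope gap OCR cites most often.

```python
from dataclasses import dataclass
from typing import Dict, List

# Assumed 1-5 ordinal scales (not from the page); any consistent scale works.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Finding:
    """One threat/vulnerability pair for one ePHI location (Step 2)."""
    location: str       # must match an entry from the ePHI inventory (Step 1)
    threat: str
    vulnerability: str
    likelihood: str     # key of LIKELIHOOD
    impact: str         # key of IMPACT

    def rating(self) -> int:
        # Step 3: likelihood x impact = risk rating.
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def band(self) -> str:
        # Assumed thresholds for a 1-25 scale: >=15 high, 8-14 medium, else low.
        r = self.rating()
        if r >= 15:
            return "high"
        if r >= 8:
            return "medium"
        return "low"


# Constructed Step 1 inventory: every place ePHI lives in this sample practice.
SAMPLE_INVENTORY: List[str] = [
    "EHR system", "practice management software", "email", "shared drive",
    "laptops", "reception workstations", "backup media", "cloud billing service",
]

# Constructed Step 2 findings. Two inventory locations deliberately have none,
# so the scope check below has something to report.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("laptops", "lost or stolen laptop", "full-disk encryption not enabled", "likely", "severe"),
    Finding("EHR system", "ransomware", "backups never restore-tested", "possible", "severe"),
    Finding("shared drive", "employee misuse", "no audit logging on patient folders", "possible", "moderate"),
    Finding("email", "misdirected email containing PHI", "no outbound DLP or encryption", "unlikely", "major"),
    Finding("reception workstations", "shoulder surfing", "screens visible from waiting room", "likely", "minor"),
    Finding("backup media", "hardware failure", "single backup copy, no offsite", "rare", "major"),
]


def uncovered_locations(inventory: List[str], findings: List[Finding]) -> List[str]:
    """Inventory locations with no findings at all: the scope gap OCR flags."""
    covered = {f.location for f in findings}
    return [loc for loc in inventory if loc not in covered]


def remediation_queue(findings: List[Finding]) -> List[Finding]:
    """Findings ordered highest risk first; ties keep their original order."""
    return sorted(findings, key=lambda f: f.rating(), reverse=True)


def band_summary(findings: List[Finding]) -> Dict[str, int]:
    """Count of findings per risk band, for the register's cover summary."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.band()] += 1
    return counts


def render_register(inventory: List[str], findings: List[Finding]) -> str:
    """Plain-text risk register suitable for the audit documentation folder."""
    lines = ["RISK REGISTER (likelihood x impact)", ""]
    for f in remediation_queue(findings):
        lines.append(f"[{f.band():6}] {f.rating():2}  {f.location}: {f.threat} / {f.vulnerability}")
    gaps = uncovered_locations(inventory, findings)
    lines.append("")
    lines.append("Scope check: " + ("all inventory locations assessed" if not gaps
                 else "NOT assessed -> " + ", ".join(gaps)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_register(SAMPLE_INVENTORY, SAMPLE_FINDINGS))
```

Keep the inventory and the findings as two separate lists, as here, rather than deriving the inventory from the findings; the scope check only has value when the inventory is written first, independently of what anyone happened to find.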

HIPAA Risk Assessment Services

SpaceTown IT conducts HIPAA risk assessments for Houston healthcare organizations in NIST 800-30 format meeting OCR examination expectations. See HIPAA annual review and HIPAA IT compliance. Call (832) 304-9748.

Get expert IT guidance for your Houston business

SpaceTown IT serves Houston businesses with veteran-owned, expert IT and cybersecurity services. Call (832) 304-9748 or book a free assessment.
