Security Risk Assessment Tool, HIPAA Risk Management

Will You Meet the Upcoming HIPAA Risk Management Deadline? Use HHS’ New Security Risk Assessment Tool


September 26, 2023 | Reading Time: 3 Minutes



Ensuring compliance with the Health Insurance Portability and Accountability Act (HIPAA) is paramount for healthcare organizations and their business associates. Through the HIPAA Security Rule, the US Department of Health and Human Services (HHS) mandates that covered entities, including providers, conduct a comprehensive security risk assessment by December 31st of every year. These assessments are designed to assure HIPAA risk management compliance with the rule's administrative, physical, and technical safeguards. To help with this process, HHS has now made the latest security risk assessment tool, version 3.4, available at no charge. The article below describes why and how this tool can help you get started toward meeting your end-of-year HIPAA risk management requirements for 2023.

Why Use the HIPAA Security Risk Assessment Tool?

The HIPAA Security Rule obligates covered entities such as licensed practitioners and their business associates to undertake a systematic risk assessment. The security risk assessment tool helps identify and evaluate the potential risks and vulnerabilities of processing electronic protected health information (ePHI).

Demystifying Mandatory HIPAA Risk Assessments

Since COVID restrictions have been lessened, taking a few minutes to attend to your security risk management is wise. As the incidence of cybercrime escalates dramatically, updates to your HIPAA practices are needed to ensure appropriate HIPAA risk management. Of the steps required by the recently released NIST Cybersecurity Framework, the security risk assessment is the quickest and easiest to complete.

Regular updates of your HIPAA risk assessment can be crucial for protecting your client’s sensitive information and remaining compliant with federal regulations. Plus, it is quick, easy, and free. Let’s unpack the details.

What is HIPAA Risk Management?

Simply put, HIPAA risk management is a systematic review of your practice's processes and protocols for handling Protected Health Information (PHI). PHI could be anything from a patient's medical records to billing details. The purpose is to identify potential weaknesses that might put this sensitive information at risk.

Under HIPAA, you must routinely perform these assessments to ensure ongoing compliance. The good news is that the US Department of Health and Human Services (HHS) just released Version 3.4 of its free HIPAA risk assessment tool, which walks you through the assessment step-by-step and helps you with documentation.

Why is It Important for Behavioral Health Providers?

For behavioral health providers, the patient-provider relationship is often built on trust and confidentiality. A breach in protecting patient information can damage this trust and have legal ramifications for your practice. Plus, the consequences can be unpleasant once you have crossed the line and HIPAA has been violated. See What Happens If You Violate HIPAA? for details.

Steps Involved in Using the HIPAA Security Risk Assessment Tool

Luckily, you do not need to decipher legalese or fumble with complicated processes. Simply access the free security risk assessment tool website that HHS offers, which walks you through the eight required steps below. Once within the security assessment tool, follow these steps to quickly and easily complete your required HIPAA risk assessment:

1. Scope the Assessment

The first step involves identifying all areas where PHI is stored, accessed, and transmitted. This includes physical storage like file cabinets, electronic databases, computers, and even your fax machine.

2. Identify Potential Vulnerabilities and Threats

List all the potential weaknesses (vulnerabilities) that could be exploited and the scenarios (threats) that could lead to a data breach. For example, a way for someone to gain unauthorized access to your computer system is a vulnerability, while a hacking attempt that uses it is a threat.

3. Assess Current Security Measures

Review the current safeguards you have in place. Are your computers password-protected? Do you have a secure method of transmitting electronic PHI to other healthcare providers?

4. Determine the Likelihood and Impact of Threat Occurrence

Estimate how likely it is that the identified threats could exploit the vulnerabilities, and what the impact would be if this happened.

5. Assign Risk Levels

Classify the risks into low, medium, or high categories based on the likelihood and impact of a potential breach.

6. Develop an Action Plan

Use the Security Risk Assessment Tool to create an action plan to strengthen your safeguards based on the identified risks. This could involve technical solutions like upgrading your security software, administrative actions like staff training, or physical safeguards like installing security cameras.

7. Document and Implement

Document all the findings, actions, and future steps in a formal report. Implement the action plan and assign roles for ongoing monitoring and compliance.

8. Review and Update

The risk environment is dynamic. New vulnerabilities and threats may emerge, requiring regular review of your risk assessment and action plan, so set a date for your next update. Schedule your next security risk assessment for 2024.
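Steps 2 through 8 above amount to a small risk register: an inventory of where ePHI lives, the threat/vulnerability pairs against each location, a likelihood and impact rating, a derived risk level, a prioritized action plan with an owner, and a date for the next review. The Python below is an added example that walks through that procedure in code; it is not part of the article and is not the HHS Security Risk Assessment Tool's own logic. The 1–3 rating scale, the score thresholds for low/medium/high, the sample inventory, and the annual review cadence are all assumptions chosen for illustration.

```python
"""Minimal HIPAA-style risk register (added example; not the HHS SRA Tool's code)."""
from dataclasses import dataclass
from datetime import date

# Assumed ordinal scales, 1 = low ... 3 = high. The article prescribes no scale.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}


def risk_level(likelihood: str, impact: str) -> str:
    """Step 5: bucket likelihood x impact (1..9) into low/medium/high.
    Thresholds (>=6 high, >=3 medium) are an assumption for this example."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


@dataclass
class RiskItem:
    asset: str               # step 1: where ePHI is stored, accessed or transmitted
    vulnerability: str       # step 2: the weakness
    threat: str              # step 2: the scenario that could exploit it
    existing_controls: list  # step 3: safeguards already in place
    likelihood: str          # step 4
    impact: str              # step 4
    planned_action: str      # step 6
    owner: str               # step 7: who is accountable for the action

    def level(self) -> str:
        return risk_level(self.likelihood, self.impact)


# Constructed sample inventory for a small practice (not real data).
SAMPLE_REGISTER = [
    RiskItem("Laptop with EHR client", "Disk is not encrypted",
             "Laptop lost or stolen", ["Screen lock"], "medium", "high",
             "Enable full-disk encryption", "Practice owner"),
    RiskItem("Fax machine", "Incoming faxes sit in a shared tray",
             "Walk-in visitor reads a fax", ["Front desk staffed"], "low", "medium",
             "Move fax to a staff-only room", "Office manager"),
    RiskItem("Clinic email account", "ePHI sent over unencrypted email",
             "Message intercepted or misaddressed", [], "high", "high",
             "Adopt an encrypted messaging service", "Practice owner"),
    RiskItem("Paper filing cabinet", "Cabinet left unlocked overnight",
             "After-hours access by cleaning crew", ["Locked office door"],
             "low", "high", "Lock cabinet at close of business", "Office manager"),
]


def build_action_plan(register: list) -> list:
    """Step 6: order actions so high risks are addressed first."""
    order = {"high": 0, "medium": 1, "low": 2}
    ranked = sorted(register, key=lambda r: (order[r.level()], r.asset))
    return [(r.level(), r.asset, r.planned_action, r.owner) for r in ranked]


def summarize(register: list) -> dict:
    """Count items per risk level for the written report."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for item in register:
        counts[item.level()] += 1
    return counts


def next_review_date(assessment_iso: str) -> str:
    """Step 8: schedule the next review one year out (assumed annual cadence)."""
    d = date.fromisoformat(assessment_iso)
    try:
        return d.replace(year=d.year + 1).isoformat()
    except ValueError:  # Feb 29 in a leap year: fall back to Feb 28
        return d.replace(year=d.year + 1, day=28).isoformat()


def render_report(register: list, assessment_iso: str) -> str:
    """Step 7: a plain-text record of findings, actions and the next review."""
    lines = [f"Risk assessment dated {assessment_iso}", ""]
    for level, asset, action, owner in build_action_plan(register):
        lines.append(f"[{level.upper():6}] {asset}: {action} (owner: {owner})")
    lines.append("")
    lines.append(f"Next review due: {next_review_date(assessment_iso)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(SAMPLE_REGISTER, "2023-12-15"))
```

The point of keeping the scale and thresholds in one place is that the rating method is itself something an auditor will ask about; whatever scale your practice adopts, it should be written down alongside the findings, and each item should carry an owner so the action plan does not stall between reviews.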


Compliance with HIPAA is an ongoing responsibility for healthcare organizations. Taking the few minutes needed to go through the simple process of updating your risk assessment is well worth the effort to protect those who rely on you for care. 

Essential Telehealth Law & Ethical Issues

Bring your telehealth practice into legal compliance. Get up to date on inter-jurisdictional practice, privacy, HIPAA, referrals, risk management, duty to warn, the duty to report, termination, and much more!

Therapist AI & ChatGPT: How to Use Legally & Ethically

Immerse yourself in our highly-engaging eLearning program and delve into the uncharted territory of Artificial Intelligence (AI) in Behavioral Healthcare!

Telehealth Law & Ethical Course Bundle

This Telehealth Legal & Ethical Course Bundle provides the most important risk management and telehealth compliance training available anywhere to help meet telehealth needs, regardless of the size of your telehealth services.

Disclaimer: offers information as educational material designed to inform you of issues, products, or services potentially of interest. We cannot and do not accept liability for your decisions regarding any information offered. Please conduct your due diligence before taking action. Also, the views and opinions expressed are not intended to malign any organization, company, or individual. Product names, logos, brands, and other trademarks or images are the property of their respective trademark holders. There is no affiliation, sponsorship, or partnership suggested by using these brands unless contained in an ad. Some of’s blog content is generated with the assistance of ChatGPT. We do not and cannot offer legal, ethical, billing, technical, medical, or therapeutic advice. Use of this site constitutes your agreement to Privacy Policy and Terms and Conditions.
