HIPAA Risk Assessment
HIPAA Security Rule risk assessment for US covered entities and business associates. Covers PHI inventory, administrative, physical, and technical safeguards, BAA review, and a remediation plan that satisfies the OCR risk analysis requirement.
How it runs
- 01 Scoping: Confirm whether the organisation is a covered entity, a business associate, or both, and define the systems and workflows that create, receive, maintain, or transmit PHI in scope.
- 02 PHI Inventory: Inventory all locations and flows of PHI: applications, databases, file shares, email, paper, vendors, and backups. Capture data classifications, volumes, and access populations.
- 03 Safeguards Review: Assess administrative safeguards (policies, training, workforce security), physical safeguards (facility access, device controls), and technical safeguards (access control, audit, integrity, transmission).
- 04 Risk Analysis: Perform the formal risk analysis required by 45 CFR 164.308(a)(1)(ii)(A): identify threats and vulnerabilities to ePHI, assess current controls, and rate likelihood and impact for each scenario.
- 05 Business Associate Review: Inventory business associates, review existing BAAs against current requirements, and identify subcontractor flow-down obligations and gaps in vendor risk processes.
- 06 Remediation Plan: Deliver a prioritised remediation plan with owners and timelines, plus the documented risk analysis, risk management plan, and policy updates that constitute the OCR-ready evidence pack.
What you receive
- Covered entity / business associate scoping document
- PHI inventory and data flow map
- Administrative, physical, and technical safeguards review
- Documented HIPAA risk analysis
- Business associate inventory and BAA gap report
- Prioritised remediation and risk management plan
- OCR-ready evidence package
Ready to scope this engagement?
Every engagement is scoped individually. Get a tailored quote within 24 hours.