Free HIPAA security risk assessment questionnaire: key questions for compliance

A few years ago, I worked with a healthcare provider that believed its HIPAA security risk assessment was solid—until an unexpected audit revealed gaps in their safeguards. This wake-up call highlighted a crucial reality: compliance isn’t just about checking boxes; it’s about protecting sensitive patient data from real-world threats.

If your organization handles electronic Protected Health Information (ePHI), a thorough risk assessment is your first line of defense. The HIPAA Security Rule mandates regular evaluations of administrative, physical, and technical safeguards, ensuring data confidentiality, integrity, and availability. Below, we explore a free, comprehensive HIPAA security risk assessment questionnaire designed to help you identify compliance gaps and strengthen your security posture.

Administrative safeguards

Administrative safeguards form the foundation of HIPAA compliance by focusing on policies, procedures, and workforce responsibilities. Organizations must implement formal security programs and regularly review them for effectiveness.

Security management process

A risk analysis is the cornerstone of your security framework. Organizations must systematically identify vulnerabilities that could compromise ePHI.

Question | Response
Have you performed a comprehensive risk analysis to identify threats and vulnerabilities to ePHI? | Yes / No
Is your risk analysis updated regularly or when significant changes occur (e.g., new systems, processes, or threats)? | Yes / No

Risk management

Once risks are identified, the next step is implementing a structured plan to mitigate them.

Question | Response
Do you have a documented risk management plan that outlines methods for addressing identified risks? | Yes / No
Is there a process to track and review the status of identified risks and corresponding mitigation efforts? | Yes / No

Workforce security

Managing workforce access and security training is critical in preventing unauthorized access to ePHI.

Question | Response
Are workforce members’ access privileges to ePHI supervised or authorized by a designated authority? | Yes / No
Do you have a formal process to validate workforce members’ clearance levels before granting access? | Yes / No
Are there established procedures to promptly remove access to ePHI and systems when a workforce member’s employment ends or changes? | Yes / No

Security awareness and training

Regular training minimizes human error, which remains a leading cause of security incidents.

Question | Response
Do you provide periodic security updates or reminders to the workforce? | Yes / No
Is your workforce trained to identify and prevent malicious software (e.g., phishing attempts, malware)? | Yes / No
Do workforce members know how to monitor and report unusual log-in activity? | Yes / No
Are strong password requirements and frequent password changes enforced? | Yes / No

Physical safeguards

Physical safeguards protect the actual environments where ePHI is stored or accessed. These controls help prevent unauthorized individuals from gaining physical access to the systems and media that hold sensitive data.

Facility access controls

Question | Response
Are physical access points to facilities containing ePHI restricted to authorized personnel only? | Yes / No
Do you have documented procedures controlling and validating access based on role or function? | Yes / No
Are maintenance records for security systems (doors, locks, cameras) properly maintained? | Yes / No

Device and media controls

Handling and disposal of electronic media and hardware is an often-overlooked but critical aspect of security.

Question | Response
Are there secure methods to dispose of or destroy ePHI on hardware, electronic media, or paper documents? | Yes / No
Are policies in place to remove ePHI from devices before reusing or repurposing them? | Yes / No
Is there a method to track the movement of hardware and electronic media within and outside the facility? | Yes / No

Technical safeguards

These safeguards focus on the technology used to protect ePHI and the mechanisms that control access to data.

Access controls

User authentication and unique identifiers prevent unauthorized access to systems.

Question | Response
Does each user have a unique identifier to track activity and prevent shared accounts? | Yes / No
Are there documented procedures for obtaining necessary ePHI during an emergency? | Yes / No
Do systems containing ePHI automatically log off after a period of inactivity? | Yes / No
Is ePHI encrypted at rest and in transit (e.g., using methods consistent with NIST standards)? | Yes / No

Audit controls and integrity

Regular system audits and ePHI integrity checks help detect and prevent data tampering.

Question | Response
Do you have mechanisms that record and examine system activity logs? | Yes / No
Is audit log data reviewed on a regular basis for suspicious activity? | Yes / No
Are there integrity controls (e.g., checksums, hashing) to ensure that ePHI is not altered improperly? | Yes / No

Policies, procedures, and documentation

Comprehensive policies and documentation are crucial for demonstrating compliance.

Question | Response
Are HIPAA security policies documented, clearly communicated, and readily available to the workforce? | Yes / No
Do these policies address all aspects of the HIPAA Security Rule? | Yes / No
Are you retaining all HIPAA-required documentation (policies, procedures, logs, incident reports) for at least six years? | Yes / No

Risk mitigation and ongoing management

Risk mitigation isn’t a one-time task—it requires continuous oversight and adaptation.

Incident response and lessons learned

Post-incident reviews help organizations strengthen their security posture by identifying weaknesses and implementing corrective actions.

Question | Response
Do you have a documented process for identifying, responding to, and reporting security incidents? | Yes / No
Are all security incidents tracked to resolution, with root cause analysis and corrective actions documented? | Yes / No
After an incident, do you hold a post-incident review to determine weaknesses and update policies accordingly? | Yes / No
Are workforce members trained or re-trained based on incident findings? | Yes / No

Final thoughts: compliance is continuous

Reflecting on my past experiences, I’ve seen firsthand how organizations that treat HIPAA compliance as an ongoing process—not a one-time event—avoid costly violations and data breaches. Regular risk assessments, training, and proactive security measures help build a culture where patient privacy is prioritized.

If you’re serious about protecting ePHI, start with this questionnaire and use the insights to develop a stronger compliance strategy. Keep refining your approach, monitor evolving threats, and consult experts when necessary. After all, compliance is not just a regulation—it’s a responsibility.
