Security Risk Assessment Worksheet

Required under 45 CFR §164.308(a)(1)(ii)(A) — Document threats, vulnerabilities, and risk levels for all systems containing ePHI.

The HIPAA Security Rule requires covered entities and business associates to conduct an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. This worksheet provides a structured format for that assessment.

Organization Information

Step 1: ePHI Inventory

Identify all systems, applications, and locations where ePHI is created, received, maintained, or transmitted.

System / Application | ePHI Types Stored | Location (Cloud / On-Prem) | Users with Access | Vendor (if applicable)
 
 
 
 
 
 

Step 2: Threat Identification

For each system identified above, document potential threats to ePHI. Common threat categories:

Threat Category | Examples
Natural | Floods, earthquakes, tornadoes, power failures
Human (Intentional) | Hacking, malware, ransomware, social engineering, insider threats
Human (Unintentional) | Accidental deletion, misdirected emails, lost devices, improper disposal
Environmental | HVAC failure, water damage, electrical surges, hardware failure

Step 3: Vulnerability Assessment

Identify vulnerabilities that could be exploited by the threats above.

System | Vulnerability | Threat Source | Existing Controls
 
 
 
 
 
 

Step 4: Risk Determination

For each threat-vulnerability pair, determine the likelihood of occurrence and the potential impact, then assign a risk level.

Likelihood Scale

Rating | Definition
High | The threat source is highly motivated and capable, and controls to prevent the vulnerability are ineffective.
Medium | The threat source is motivated and capable, but controls are in place that may impede exploitation.
Low | The threat source lacks motivation or capability, or controls are in place to prevent or significantly impede exploitation.

Impact Scale

Rating | Definition
High | Exploitation could result in significant financial loss, harm to individuals, legal action, or loss of reputation. Major breach notification required.
Medium | Exploitation could result in moderate financial loss or limited harm. May require breach notification.
Low | Exploitation could result in minor financial loss or inconvenience. Breach notification unlikely.

Risk Matrix

                  | Low Impact | Medium Impact | High Impact
High Likelihood   | Medium     | High          | Critical
Medium Likelihood | Low        | Medium        | High
Low Likelihood    | Low        | Low           | Medium

Step 5: Risk Register

Document each identified risk, its level, and planned corrective actions.

# | Risk Description | Likelihood | Impact | Risk Level | Corrective Action | Owner | Target Date
1 
2 
3 
4 
5 
6 
7 
8 
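Steps 4 and 5 together describe a small, repeatable procedure: rate each threat-vulnerability pair, read the risk level off the matrix, and record the result in a register with an owner and target date. The following Python is an added illustration of that procedure, not part of the worksheet; the RiskEntry fields, the sample clinic entries, and the urgency ordering (Critical before High before Medium before Low) are assumptions made here for the example. The matrix values are transcribed from the worksheet above.

```python
from dataclasses import dataclass
from typing import List

# Likelihood x Impact -> risk level, transcribed from the worksheet's risk matrix.
RISK_MATRIX = {
    ("High", "Low"): "Medium",   ("High", "Medium"): "High",     ("High", "High"): "Critical",
    ("Medium", "Low"): "Low",    ("Medium", "Medium"): "Medium", ("Medium", "High"): "High",
    ("Low", "Low"): "Low",       ("Low", "Medium"): "Low",       ("Low", "High"): "Medium",
}
RATINGS = ("Low", "Medium", "High")
# Assumed ordering used to sort the register so the most urgent items come first.
LEVEL_PRIORITY = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


@dataclass
class RiskEntry:
    """One threat-vulnerability pair from Steps 2 and 3 (field names are assumptions)."""
    system: str
    threat: str            # threat source, e.g. a category from Step 2
    vulnerability: str
    likelihood: str        # Low / Medium / High, per the Likelihood Scale
    impact: str            # Low / Medium / High, per the Impact Scale
    corrective_action: str = ""
    owner: str = ""
    target_date: str = ""  # ISO date, left empty until assigned


def determine_risk(likelihood: str, impact: str) -> str:
    """Step 4: map a likelihood/impact pair to the worksheet's risk level."""
    if likelihood not in RATINGS or impact not in RATINGS:
        raise ValueError(f"ratings must be one of {RATINGS}: got {likelihood!r}, {impact!r}")
    return RISK_MATRIX[(likelihood, impact)]


def build_register(entries: List[RiskEntry]) -> List[dict]:
    """Step 5: number each risk, attach its level, and sort by urgency.

    Returns rows in the worksheet's column order. Entries with the same level
    keep the order in which they were recorded (sorted() is stable).
    """
    scored = sorted(
        entries,
        key=lambda e: LEVEL_PRIORITY[determine_risk(e.likelihood, e.impact)],
    )
    rows = []
    for n, e in enumerate(scored, start=1):
        rows.append({
            "#": n,
            "risk_description": f"{e.system}: {e.threat} exploiting {e.vulnerability}",
            "likelihood": e.likelihood,
            "impact": e.impact,
            "risk_level": determine_risk(e.likelihood, e.impact),
            "corrective_action": e.corrective_action,
            "owner": e.owner,
            "target_date": e.target_date,
        })
    return rows


def unassigned(rows: List[dict]) -> List[int]:
    """Row numbers of Critical/High risks that still lack an owner or a target date."""
    return [r["#"] for r in rows
            if r["risk_level"] in ("Critical", "High")
            and (not r["owner"] or not r["target_date"])]


# Constructed sample entries for a hypothetical clinic (not from the worksheet).
SAMPLE_ENTRIES = [
    RiskEntry("EHR server (on-prem)", "Human (Intentional): ransomware",
              "backups not restore-tested", "Medium", "High",
              "Quarterly restore test", "IT Manager", "2025-03-31"),
    RiskEntry("Staff laptops", "Human (Unintentional): lost device",
              "full-disk encryption not enforced", "High", "High",
              "Enforce full-disk encryption via MDM"),
    RiskEntry("Billing workstation", "Environmental: power failure",
              "no UPS", "Low", "Medium", "Install UPS", "Facilities", "2025-06-30"),
]

if __name__ == "__main__":
    register = build_register(SAMPLE_ENTRIES)
    for row in register:
        print(row["#"], row["risk_level"], row["risk_description"])
    print("Critical/High rows missing owner or date:", unassigned(register))
```

Rejecting any rating outside Low/Medium/High keeps free-text values ("Moderate", "Severe") from silently landing in the wrong matrix cell, and the unassigned() check reproduces the review an auditor performs on the register: every Critical or High row must name an owner and a target date before sign-off.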

Step 6: Sign-Off

This risk assessment has been reviewed and approved by the following individuals:

HIPAA Security Officer

Executive Sponsor

Retention Requirement: HIPAA requires that this risk assessment and all related documentation be retained for a minimum of 6 years from the date of its creation or the date when it was last in effect, whichever is later (45 CFR §164.530(j)).