HIPAA Risk Assessment Tool
Score your HIPAA compliance in minutes, then close the gaps.
Answer a short set of questions drawn straight from the HIPAA Security Rule safeguards. Get an instant risk score, a breakdown across administrative, physical, technical, and documentation safeguards, and a prioritized gap list with the exact regulation behind each one. Free, private, and no account required.
The assessment
Answer honestly and your score updates as you go
This self-assessment is an educational starting point built from the HIPAA Security Rule safeguard standards and core Privacy Rule duties. It does not replace the formal, written risk analysis the rule requires at 45 CFR 164.308(a)(1), and it is not legal advice. Use it to find gaps fast, then document a complete risk analysis and remediation plan.
What it covers
Six things this HIPAA risk assessment does for you
Administrative
The safeguards regulators check first
Risk analysis, risk management, workforce training, named officials, access control, vendor agreements, and a tested contingency plan. This is where most enforcement findings land.
Physical
Facilities, workstations, and devices
Who can physically reach systems and records, how workstations are used, and how devices and media are tracked and wiped before disposal.
Technical
Access, encryption, and audit controls
Unique logins and authentication, encryption at rest and in transit, audit logging and review, and automatic logoff for unattended sessions.
Documentation
Policies, breach readiness, and evidence
Written policies kept for six years, a breach notification process that meets the deadline, patient rights handling, and dated proof an auditor can inspect.
Prioritized output
A gap list you can actually act on
Every answer that is not a clear yes becomes a numbered gap with the exact regulation and a concrete next step, ordered with unmet requirements first.
Conversion
Close the training gap immediately
Workforce training is the fastest gap to close and the first an auditor checks. When the tool flags it, you can certify your whole team the same day.
The full picture
How a HIPAA risk assessment works, and how to act on yours
What a HIPAA risk assessment actually is
A HIPAA risk assessment, often called a security risk analysis, is the structured process of finding where electronic protected health information could be exposed and deciding what to do about it. It is not optional and it is not paperwork for its own sake. The Security Rule requires it directly at 45 CFR 164.308(a)(1)(ii)(A), which tells every covered entity and business associate to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI it holds. Almost every other requirement in the rule flows from this one, because you cannot protect data well until you know where it lives, who can reach it, and how it could be lost.
The tool above is a fast way to take that idea and turn it into a concrete baseline. It asks about the same safeguards a formal analysis examines, scores your answers against the standard, and shows you the weakest areas first. It does not replace the written, organization-wide risk analysis the rule expects, and it does not pretend to. Think of it as triage: a way to see in a few minutes whether your program is strong, has moderate gaps, or has serious exposure, so you know where to put your time before you sit down to document the full analysis.
Why the assessment matters more than most people think
The failure to conduct a proper risk analysis is one of the most frequently cited problems in HIPAA enforcement. Regulators see it again and again: an organization suffers a breach, the investigation begins, and it turns out no current, thorough risk analysis existed. That single gap turns a manageable incident into a much larger finding, because it shows the organization never systematically looked at its own exposure. The reverse is also true. A documented assessment with a remediation plan is strong evidence that an organization took its obligations seriously, even when something still goes wrong.
There is a practical reason too. You cannot fix risks you have never named. Most real breaches trace back to ordinary, preventable gaps: a laptop without encryption, a former employee whose account was never disabled, a vendor with no signed agreement, a backup nobody ever tested. A risk assessment is how those gaps surface before an attacker or an auditor finds them for you. The score this tool produces is a way to start that conversation with evidence instead of a guess.
The administrative safeguards
Administrative safeguards are the policies, processes, and people side of HIPAA security, and they carry the most weight in this assessment because they carry the most weight in real enforcement. They begin with the risk analysis and risk management process at 164.308(a)(1), which require you to find your risks and then actually reduce them. They include a security awareness and training program at 164.308(a)(5), the requirement to assign a security official at 164.308(a)(2), workforce access management at 164.308(a)(3) and (a)(4), business associate agreements at 164.308(b), and a contingency plan with backups and disaster recovery at 164.308(a)(7).
When this area scores low, the fixes are usually procedural rather than technical, which makes them faster and cheaper than people expect. Naming a security official is a decision, not a purchase. Granting access by role and disabling accounts at offboarding is a process change. Collecting signed business associate agreements is administrative work. And training your workforce, the requirement that anchors this whole category, can be completed and documented in a single rollout. That is why the tool surfaces a training gap so prominently: it is the highest-return administrative fix available to most teams.
The physical safeguards
Physical safeguards govern the tangible world: who can physically reach the systems and records that hold ePHI, how workstations are used, and how devices and media are handled over their lifecycle. Facility access controls at 164.310(a) cover locks, badges, and visitor logs for server rooms, network closets, and records storage. Workstation use and security at 164.310(b) and (c) cover positioning screens away from public view and locking them when staff step away. Device and media controls at 164.310(d) cover tracking hardware and securely wiping or destroying it before reuse or disposal.
These controls are easy to overlook because they feel old-fashioned next to firewalls and encryption, yet they cause real breaches every year. Hard drives sold without wiping, copiers retired with images still on their internal storage, and unattended workstations in busy clinics all expose PHI in ways no software patch can prevent. If your physical score is weak, the remediation is mostly inexpensive discipline: a device inventory, a wiping or destruction standard, screen filters where the public can see, and an automatic lock policy that the technical safeguards reinforce.
The technical safeguards
Technical safeguards are the controls built into your systems. Access control at 164.312(a) requires unique user identification so every action ties to a named person, plus automatic logoff for unattended sessions. Authentication at 164.312(d) confirms that a user is who they claim to be, which in practice means strong passwords and, increasingly, multi-factor authentication. Audit controls at 164.312(b) require systems to record access to ePHI, and the spirit of the standard is that someone reviews those logs rather than simply collecting them. Transmission security and encryption at 164.312(e) and (a)(2)(iv) protect data as it moves and while it sits at rest.
Encryption deserves special attention because of how it interacts with breach rules. When ePHI is encrypted to the recognized standard and a device is lost or stolen, the data is generally considered unreadable, and the loss usually does not trigger breach notification at all. That makes encryption one of the highest-leverage technical controls you can deploy: it both reduces the chance of exposure and shrinks the consequences when a device goes missing. If your technical score is low, prioritize eliminating shared logins, turning on multi-factor authentication, and encrypting laptops, email, messaging, and backups.
Documentation and breach readiness
The last category is where compliance becomes provable. The rule requires written policies and procedures and that you retain them, and the related documentation, for at least six years at 164.316. It requires a breach notification process that can investigate and notify within the deadlines set at 164.404. It assumes you honor core Privacy Rule duties, including providing a Notice of Privacy Practices at 164.520 and fulfilling patient access requests at 164.524. And it expects dated evidence of your training, risk analyses, and reviews that an auditor can inspect.
The hard truth behind this category is simple: in an audit, compliance you cannot prove is treated the same as compliance you never did. An organization can be genuinely careful and still fail an audit because nothing was written down or dated. That is why the tool counts documentation as its own safeguard area rather than folding it into the others. If this score is weak, the fix is to capture what you already do as written policy, attach dates, and store the evidence somewhere you can produce it on request.
How to read your score
The overall percentage is the share of the requirements you answered that are fully met. A score at or above eighty percent points to a mature program that mostly needs upkeep: keep evidence current, retrain annually, and re-run your formal risk analysis after major changes. A score between fifty-five and seventy-nine percent means you have real safeguards but several partial or missing requirements, and the prioritized list is your work plan. A score below fifty-five percent signals that core Security Rule requirements look unmet, and those are exactly the gaps enforcement actions tend to cite, so they deserve immediate attention.
The category bars matter as much as the headline number. A strong overall score can still hide a weak area, and a single weak category is often where a breach would actually happen. Read the bars to find your softest safeguard group, then work the gap list from the top, since it places unmet requirements ahead of partial ones. Because the assessment recalculates instantly, you can use it as a loop: close a gap, mark it yes, and confirm the score moves before you move on.
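The scoring described above, as an added JavaScript example that is not the tool's own code: it computes the overall percentage from answered questions only, the per-category breakdown, the rating bands, and a numbered gap list with unmet answers ahead of partial ones. The question list, the sample answers and the choice to rank "not sure" alongside "no" as unmet are constructed assumptions; the regulation cites are the ones this page names.

```javascript
// Added illustration of the scoring logic this page describes; not the tool's source.
// Assumptions (constructed here): the question set, the sample answers, and treating
// "not sure" as an unmet answer that sorts with "no" ahead of "partly".

const YES = "yes", PARTLY = "partly", NO = "no", NOT_SURE = "not sure";

// Constructed sample questions. Cites are the ones named on the page.
const QUESTIONS = [
  { id: "adm-1", category: "administrative", cite: "45 CFR 164.308(a)(1)(ii)(A)",
    text: "A current, written risk analysis exists", nextStep: "Document an organization-wide risk analysis" },
  { id: "adm-2", category: "administrative", cite: "45 CFR 164.308(a)(5)",
    text: "Workforce security training is completed and recorded", nextStep: "Train the whole team and keep dated records" },
  { id: "phy-1", category: "physical", cite: "45 CFR 164.310(d)",
    text: "Devices and media are inventoried and wiped before disposal", nextStep: "Build a device inventory and a sanitization standard" },
  { id: "tec-1", category: "technical", cite: "45 CFR 164.312(a)",
    text: "Every user has a unique login; no shared accounts", nextStep: "Eliminate shared logins" },
  { id: "tec-2", category: "technical", cite: "45 CFR 164.312(a)(2)(iv)",
    text: "Laptops and backups are encrypted", nextStep: "Turn on full-disk and backup encryption" },
  { id: "doc-1", category: "documentation", cite: "45 CFR 164.316",
    text: "Written policies are retained for six years", nextStep: "Write down current practice, date it, retain it" },
];

// Rating bands as the page states them: >= 80 mature, 55..79 moderate gaps, < 55 serious.
function rating(percent) {
  if (percent >= 80) return "mature";
  if (percent >= 55) return "moderate gaps";
  return "serious exposure";
}

// Lowest-scoring category; first one wins a tie.
function weakestCategory(categories) {
  let worst = null;
  for (const [name, c] of Object.entries(categories)) {
    if (worst === null || c.percent < categories[worst].percent) worst = name;
  }
  return worst;
}

function scoreAssessment(questions, answers) {
  // Only answered questions count toward the denominator.
  const answered = questions.filter(q => answers[q.id] !== undefined);
  const met = answered.filter(q => answers[q.id] === YES);
  const overall = answered.length ? Math.round(100 * met.length / answered.length) : 0;

  // Per-category bars.
  const categories = {};
  for (const q of answered) {
    if (!categories[q.category]) categories[q.category] = { answered: 0, met: 0, percent: 0 };
    const c = categories[q.category];
    c.answered += 1;
    if (answers[q.id] === YES) c.met += 1;
  }
  for (const c of Object.values(categories)) c.percent = Math.round(100 * c.met / c.answered);

  // Gap list: every answer that is not a clear yes, unmet before partial,
  // otherwise in question order (Array.prototype.sort is stable).
  const rank = { [NO]: 0, [NOT_SURE]: 0, [PARTLY]: 1 };
  const gaps = answered
    .filter(q => answers[q.id] !== YES)
    .sort((a, b) => rank[answers[a.id]] - rank[answers[b.id]])
    .map((q, i) => ({
      number: i + 1,
      status: answers[q.id] === PARTLY ? "partial" : "unmet",
      cite: q.cite,
      text: q.text,
      nextStep: q.nextStep,
    }));

  return { overall, rating: rating(overall), categories, gaps, weakest: weakestCategory(categories) };
}

// Constructed sample answers for a small practice.
const SAMPLE_ANSWERS = {
  "adm-1": NO, "adm-2": PARTLY, "phy-1": YES, "tec-1": YES, "tec-2": NOT_SURE, "doc-1": YES,
};

const report = scoreAssessment(QUESTIONS, SAMPLE_ANSWERS);
console.log(`Overall ${report.overall}% (${report.rating}); weakest area: ${report.weakest}`);
for (const g of report.gaps) {
  console.log(`${g.number}. [${g.status}] ${g.text} (${g.cite}) -> ${g.nextStep}`);
}

// The loop the page suggests: close a gap, mark it yes, confirm the score moves.
const afterTraining = scoreAssessment(QUESTIONS, { ...SAMPLE_ANSWERS, "adm-2": YES });
console.log(`After training: ${afterTraining.overall}% (${afterTraining.rating})`);
```

With the sample answers the overall score is 50% (serious exposure), administrative is the weakest bar at 0%, and the gap list places the missing risk analysis and the unknown encryption status before the partial training answer; marking training as met lifts the score to 67% and the rating to moderate gaps.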
Turning the assessment into a real risk analysis
The score is a starting point, not the finished product the rule requires. To build a defensible risk analysis from it, begin with an inventory of where ePHI is created, received, stored, and transmitted, including systems, devices, vendors, and workflows. A risk analysis that starts from a real inventory is far stronger than one that starts from a form. Then, for each safeguard the tool flagged, write down the threat, the current control, the likelihood and impact if it failed, and the gap. That record is the substance of the analysis the rule expects.
Next, convert the gaps into a tracked remediation plan with an owner and a due date for each item, which is the risk management step at 164.308(a)(1)(ii)(B). Without owners and dates, a list of risks is just awareness, and awareness alone reduces no exposure. Finally, set the cadence: revisit the analysis at least annually and after any major change to systems, vendors, staffing, or work location. Keep every version dated, so you can show not only that you assessed your risk but that you kept doing it. That trail of dated assessments and closed gaps is what separates an organization that survives an audit from one that does not.
Covered entities and business associates both need this
A common misconception is that risk assessment is only a hospital or large-practice concern. It is not. The Security Rule applies to every covered entity, from a solo dentist to a national health plan, and equally to every business associate that creates, receives, maintains, or transmits ePHI on a covered entity's behalf. That sweeps in billing companies, medical transcription services, cloud and software vendors, managed IT providers, answering services, shredding companies, and the growing world of digital health startups. If your work touches PHI for someone else, your business associate agreement obligates you to safeguard it, and a risk assessment is how you show you do.
The size of the organization changes the scale of the assessment, not the obligation. A two-person practice still needs to know where its ePHI lives, who can reach it, whether it is encrypted, and whether staff are trained. A startup handling health data for thousands of users needs the same answers across far more systems. This tool works for both because it asks about the safeguards themselves rather than assuming a particular size. The questions stay the same; the inventory behind your answers is what grows. Whatever your scale, the assessment is the moment you stop assuming you are compliant and start checking.
Common mistakes that weaken an assessment
A few predictable errors make a risk assessment look complete while leaving the organization exposed. The first is scoping too narrowly, assessing the electronic health record but ignoring email, messaging, spreadsheets, personal devices, and the vendors that quietly hold copies of the same data. Risk lives in the places people forget. The second is treating the assessment as a one-time event, filing it, and never revisiting it after new systems, vendors, or remote-work changes reshape the risk picture. A two-year-old analysis often describes an organization that no longer exists.
The third mistake is stopping at awareness. Finding risks and never assigning owners or due dates produces a document that proves you knew about a problem and did nothing, which is worse than not having looked. The fourth is confusing a vendor's compliance with your own. A platform being HIPAA-capable does not make your configuration of it compliant, and a signed business associate agreement does not absolve you of your own safeguards. The fifth is keeping no dated evidence, so even genuine diligence cannot be proven later. The tool helps you avoid the first and third of these directly, by forcing a safeguard-by-safeguard view and by turning weak answers into a concrete, ordered action list rather than a vague sense of concern.
Where workforce training fits
Across all four categories, one fix appears more than any other: train your people and keep proof. Training is an explicit requirement, it underpins access management and breach prevention, and it is the control auditors check first because untrained staff cause so many incidents. It is also the gap you can close fastest. A clinic can run a complete risk assessment, find a dozen gaps, and have the training requirement fully met and documented before most of the others are even scheduled. That is why this tool flags a training gap on its own and points you straight to certification when it finds one. If your assessment surfaces nothing else, closing the training gap is still the single highest-return step you can take, and you can do it for your whole team today.
Keep going
Guides and tools that build on your score
Risk
HIPAA risk assessment guide
The full walkthrough of how to scope, score, and document a formal risk analysis the rule will accept.
Read the guide
Security
HIPAA security rule
The administrative, physical, and technical safeguards behind every question in this tool, explained in plain English.
Study the rule
Audit
HIPAA self-audit checklist
A printable checklist to confirm each safeguard is documented, not just assumed, before an audit.
Open the checklist
Vendors
HIPAA vendor risk assessment
How to evaluate the business associates and third parties that touch PHI on your behalf.
Assess vendors
Free tool
Free HIPAA practice test
Check your team's knowledge of the rules with a scored practice exam and answer explanations.
Take the test
Free tool
HIPAA certification cost calculator
Estimate what it costs to train and certify your workforce once the assessment shows a training gap.
Estimate cost
Risk assessment FAQ
Common questions about HIPAA risk assessments
Is this HIPAA risk assessment tool free?
Yes. The assessment is completely free, runs entirely in your browser, and requires no account or email. Answer the questions and you get an instant risk score, a safeguard-by-safeguard breakdown, and a prioritized list of gaps to close. Nothing you enter leaves your device.
Does this replace a formal HIPAA risk analysis?
No, and it does not claim to. The HIPAA Security Rule requires a formal, written, organization-wide risk analysis at 45 CFR 164.308(a)(1)(ii)(A). This tool is an educational starting point that helps you find obvious gaps fast and understand what a real risk analysis covers. Use it to triage, then document a complete written analysis and remediation plan.
What does the score actually measure?
Each question maps to a specific HIPAA safeguard standard and is scored yes, partly, no, or not sure. The overall percentage is how many of the requirements you answered are fully met. The category bars show your posture across administrative, physical, technical, and documentation safeguards, so you can see where the weakest area is at a glance.
Who should run this assessment?
Any covered entity or business associate that handles protected health information, from a solo practice to a multi-site group, a billing company, an IT vendor, or a digital health startup. The person who runs it is usually the security official, privacy official, practice manager, or compliance lead, but anyone responsible for HIPAA can use it to get a baseline.
Why does workforce training keep coming up?
Because the Security Rule requires a security awareness and training program at 45 CFR 164.308(a)(5), and training is the single fastest, lowest-cost gap to close. It is also the first thing auditors check, since untrained staff cause a large share of breaches. If the tool flags a training gap, certifying your workforce is usually the highest-return next step you can take.
How often should we reassess our HIPAA risk?
At least once a year, and again after any major change: new software or systems, a new vendor, a move to remote or telehealth work, an office relocation, or a security incident. Risk analysis is an ongoing process, not a one-time document. Re-running this tool after each remediation step is a quick way to confirm a gap is actually closed.
Ready to close the gaps the assessment found? Start with HIPAA certification or plan a team rollout for your whole workforce.
From score to closed gap