HIPAA Security Risk Assessment Annual Review Checklist [FREE PDF]

The HIPAA Security Rule (45 CFR Part 164) requires covered entities and business associates to conduct an accurate and thorough annual risk assessment to identify threats and vulnerabilities to electronic protected health information (ePHI). The Office for Civil Rights (OCR) consistently cites failure to perform adequate risk analysis as the most common HIPAA violation during audits and breach investigations, with civil monetary penalties reaching $1.9 million per violation category annually. Th

  • Industry: Compliance
  • Frequency: Annually
  • Estimated Time: 90-120 minutes
  • Role: Risk Manager
  • Total Items: 40
  • Compliance: HIPAA Security Rule 45 CFR §164.308(a)(1), HIPAA Security Rule 45 CFR §164.312(a)(1), NIST SP 800-66r2 Section 2.1, NIST CSF 2.0 GV.RM-1, ISO 27001:2022 Clause 6.1.2

ePHI Inventory & Scope Definition

Identify all systems, applications, and media that create, receive, maintain, or transmit ePHI to define the assessment scope.

  • Is a complete and current inventory of all systems that store, process, or transmit ePHI maintained?
  • Does the ePHI inventory include cloud-hosted, mobile, and remote work environments?
  • Are all business associates and subcontractors that handle ePHI identified and documented?
  • Has the ePHI data flow been mapped to show how data moves within and outside the organization?
  • Are legacy or end-of-life systems that process ePHI identified with compensating controls documented?

Threat & Vulnerability Analysis

Evaluate reasonably anticipated threats to ePHI and assess existing vulnerabilities across administrative, technical, and physical domains.

  • Has a formal threat modeling exercise been completed to identify reasonably anticipated threats to ePHI?
  • Has a vulnerability assessment or penetration test been performed on ePHI-holding systems within the last 12 months?
  • Are identified vulnerabilities assigned a risk rating based on likelihood and impact to ePHI?
  • Are insider threats and workforce-related risks included in the threat analysis?
  • Is threat intelligence from HHS HC3, ISACs, or equivalent sources used to inform the threat assessment?

Access Controls & Identity Management

Assess technical access controls limiting ePHI access to authorized users and the minimum necessary information.

  • Does each workforce member have a unique user ID for accessing ePHI systems?
  • Is multi-factor authentication (MFA) enforced for remote or privileged access to ePHI systems?
  • Are access rights to ePHI reviewed and recertified for all workforce members at least annually?
  • Is an automatic logoff implemented for workstations accessing ePHI after a defined period of inactivity?
  • Are emergency access procedures documented and tested for obtaining ePHI access during a crisis?

Data Encryption & Transmission Security

Verify that ePHI is encrypted at rest and in transit and that encryption standards meet NIST-recommended algorithms.

  • Is ePHI encrypted at rest on all servers, databases, laptops, and portable media?
  • Is ePHI encrypted in transit over all networks using TLS 1.2 or higher?
  • Are encryption keys managed separately from the encrypted ePHI data they protect?
  • Is a data loss prevention (DLP) solution or equivalent control in place to prevent unauthorized ePHI exfiltration?
  • Is a formal media sanitization procedure in place for disposing of devices that have stored ePHI?

Workforce Security & Training

Evaluate security awareness training effectiveness, background screening, and workforce sanctions for HIPAA violations.

  • Have all workforce members with ePHI access completed HIPAA security awareness training within the last 12 months?
  • Does training include phishing simulation and social engineering awareness exercises?
  • Are appropriate background checks conducted for workforce members with access to ePHI?
  • Is a formal sanction policy for workforce members who violate HIPAA policies documented and communicated?
  • Are HIPAA security policies reviewed, updated, and re-communicated to the workforce at least annually?

Incident Response & Breach Notification

Review incident detection capabilities, response procedures, and breach notification compliance obligations.

  • Is a documented security incident response plan in place specifically addressing ePHI breaches?
  • Are breach notification timelines (60 days to HHS, media, and affected individuals) documented and tested?
  • Are all security incidents, including near-misses involving ePHI, logged and tracked in a formal register?
  • Were any reportable breaches of ePHI identified and properly reported to HHS OCR in the past 12 months?
  • Are post-incident reviews conducted to identify root causes and update controls after each significant event?

Business Associate & Vendor Management

Confirm that all business associates have valid BAAs, are assessed for risk, and are monitored for compliance.

  • Are valid and current Business Associate Agreements (BAAs) in place with all entities that access ePHI?
  • Do BAAs include provisions for subcontractors who may access ePHI on behalf of the business associate?
  • Is a risk assessment conducted for all new business associates before granting them access to ePHI?
  • Are business associates monitored or audited at least annually for continued HIPAA compliance?
  • Are procedures in place for terminating BA relationships and ensuring return or destruction of ePHI?

Physical & Environmental Safeguards

Review physical access controls, workstation security, and environmental protections for ePHI systems.

  • Are physical access controls (keycard, biometric, or equivalent) in place for all facilities housing ePHI systems?
  • Are physical access logs to data centers and server rooms reviewed regularly and retained for audit purposes?
  • Are workstations that access ePHI positioned or configured to prevent unauthorized viewing (privacy screens, placement)?
  • Are portable devices (laptops, tablets, smartphones) that store or access ePHI inventoried and tracked?
  • Are environmental controls (fire suppression, HVAC, UPS) documented and tested for ePHI system facilities?

Why Use This HIPAA Security Risk Assessment Annual Review Checklist [FREE PDF]?

This HIPAA Security Risk Assessment Annual Review Checklist helps compliance teams maintain compliance and operational excellence. Designed for risk manager professionals, this checklist covers 40 critical inspection points across 8 sections. Recommended frequency: annually.

Ensures compliance with HIPAA Security Rule 45 CFR §164.308(a)(1), HIPAA Security Rule 45 CFR §164.312(a)(1), NIST SP 800-66r2 Section 2.1, NIST CSF 2.0 GV.RM-1, ISO 27001:2022 Clause 6.1.2. Regulatory-aligned for audit readiness and inspection documentation.

Frequently Asked Questions

What does the HIPAA Security Risk Assessment Annual Review Checklist [FREE PDF] cover?

This checklist covers 40 inspection items across 8 sections: ePHI Inventory & Scope Definition, Threat & Vulnerability Analysis, Access Controls & Identity Management, Data Encryption & Transmission Security, Workforce Security & Training, Incident Response & Breach Notification, Business Associate & Vendor Management, and Physical & Environmental Safeguards. It is designed for compliance operations teams.

How often should this checklist be completed?

This checklist should be completed annually. Each completion takes approximately 90-120 minutes.

Who should use this HIPAA Security Risk Assessment Annual Review Checklist [FREE PDF]?

This checklist is designed for risk manager professionals in the compliance field. It can be used for self-assessments, team audits, and regulatory compliance documentation.

Can I download this checklist as a PDF?

Yes, this checklist is available as a free PDF download. You can also use it digitally in the POPProbe mobile app for real-time data capture, photo documentation, and automatic reporting.
