HIPAA Risk Assessment for Websites

The HIPAA Security Rule requires a formal risk assessment. Here is how to conduct one for your website and web-based systems, with a structured methodology.

Published April 7, 2026

Why Risk Assessment Is the Foundation of HIPAA

The HIPAA Security Rule's risk analysis requirement (45 CFR § 164.308(a)(1)(ii)(A)) is not just one item on a compliance list: it is the foundation that justifies every other security decision, because the "reasonable and appropriate" safeguards the Rule demands can only be chosen against a documented picture of the risks. HHS's Office for Civil Rights (OCR) has repeatedly cited the absence of an accurate and thorough risk analysis in its largest enforcement actions, including settlements carrying multi-million dollar penalties.

A risk assessment documents what ePHI you have, where it lives, what threatens it, and what you are doing about those threats. For websites, this means identifying every place your site creates, receives, maintains, or transmits ePHI — including form submissions, database records, log files, backup copies, and data shared with third parties.


Step 1: ePHI Inventory

Before you can assess risk, you must know what ePHI exists and where. Create a comprehensive inventory:

  • Web form submissions containing health information
  • Patient portal records and session data
  • Appointment and scheduling database records
  • Uploaded documents (intake forms, insurance cards, lab results)
  • Email or chat transcripts containing health information
  • Web server and application log files (check if PHI appears in URLs or request bodies)
  • Backup files and archives
  • Data shared with analytics, CRM, or marketing platforms

For each data element, document: what type of PHI it is, where it is stored, who can access it, and what security controls are in place.
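The log-file item above is the one most websites miss: identifiers and clinical data leak into access logs whenever they ride in a query string. The following added example (not code from the original page or from HIPAA Guard) scans constructed Combined Log Format lines for query parameters whose name is on a hypothetical deny-list or whose value looks like an SSN or an ICD-10 code, and shows the usual fix of masking those values before the line is written:

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample access-log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Apr/2026:10:01:12 +0000] "GET /portal/results?patient=jane.doe&dob=1984-02-17 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Apr/2026:10:01:40 +0000] "GET /assets/logo.png HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.22 - - [07/Apr/2026:10:02:05 +0000] "POST /intake/submit HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.22 - - [07/Apr/2026:10:02:30 +0000] "GET /schedule?mrn=00123456&diagnosis=J45.909 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [07/Apr/2026:10:03:11 +0000] "GET /search?q=123-45-6789 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Hypothetical deny-list of parameter names that commonly carry identifiers or health data;
# extend it with the field names your own forms and portal actually use.
SENSITIVE_PARAMS = {
    "ssn", "dob", "patient", "patient_id", "mrn", "diagnosis", "icd",
    "insurance_id", "member_id",
}

# Value patterns that look like PHI regardless of the parameter name.
VALUE_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # ICD-10-CM code with a decimal part, e.g. J45.909 (letter U is unused).
    "icd10": re.compile(r"\b[A-TV-Z]\d{2}\.\d{1,4}\b"),
}

# Extracts the request line ("METHOD target HTTP/x.y") from a CLF/Combined entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def scan_log(text):
    """Return (line_no, param_name, reason) for every query parameter that appears to carry PHI.

    Only the URL is inspected: request bodies do not appear in a standard access log,
    so POST submissions (line 3 of the sample) are not flagged here and must be checked
    in the application log instead, if the application logs bodies.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name.lower() in SENSITIVE_PARAMS:
                findings.append((line_no, name, "sensitive parameter name"))
                continue
            for label, pattern in VALUE_PATTERNS.items():
                if pattern.search(value):
                    findings.append((line_no, name, f"value looks like {label}"))
                    break
    return findings


def redact_target(target):
    """Rewrite a request target so flagged parameter values are masked before logging."""
    parts = urlsplit(target)
    pairs = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS or any(p.search(value) for p in VALUE_PATTERNS.values()):
            value = "REDACTED"
        pairs.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(pairs)))


if __name__ == "__main__":
    for line_no, name, reason in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: parameter '{name}' ({reason})")
    print(redact_target("/schedule?mrn=00123456&diagnosis=J45.909"))
```

Every finding is a data element that belongs in the inventory, with the log file (and every backup and log-shipping destination that receives it) as its storage location. The durable fix is to move such fields out of the URL into the request body and to apply the redaction at the logging layer; the scan then becomes a recurring check that the fix has held.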


Step 2: Threat and Vulnerability Identification

HIPAA requires identifying all reasonably anticipated threats to ePHI. For websites, the primary threat categories include:

  • External threats: SQL injection attacks, XSS exploits, brute force login attempts, phishing targeting admin credentials, DDoS attacks that cause data unavailability
  • Internal threats: Unauthorized employee access, accidental disclosure, misconfiguration of access controls
  • Environmental threats: Hosting provider outage, data center fire or flood, hardware failure causing data loss
  • Third-party threats: Compromise of a vendor with access to ePHI, vendor changing data handling practices without notice

Technical scanners like HIPAA Guard help identify vulnerability-level issues — insecure configurations that make specific threats more likely to succeed.


Step 3: Likelihood and Impact Scoring

For each identified threat-vulnerability pair, assess the likelihood that the threat will exploit the vulnerability and the impact if it does. A simple 3x3 matrix (Low/Medium/High for both likelihood and impact) produces a risk score for each item.

Example: An expired TLS certificate on your patient portal. Browsers warn on every visit, and a patient who clicks through the warning has no assurance of the server's identity, so an attacker on the network path can impersonate the portal and read everything the patient submits. Likelihood is High (the condition exists today and users routinely dismiss warnings) and impact is High (ePHI transmitted by patients would be exposed), so this is a Critical risk requiring immediate remediation.

By contrast, a weak password policy for a blog admin account that has no access to ePHI might be Medium likelihood, Low impact — a risk to manage, but not a HIPAA-critical emergency.


Step 4: Documentation and Risk Management Plan

The risk assessment is a living document that must be formally maintained. After scoring each risk:

  • Assign an owner responsible for each risk item
  • Define a remediation timeline based on risk level
  • Document the specific security measures that will mitigate each risk
  • Record the residual risk after controls are applied
  • Establish a review schedule — at minimum annually, and after any significant change
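Steps 3 and 4 together amount to a risk register: each threat-vulnerability pair scored on the 3x3 matrix, then given an owner, a remediation deadline, a control and a residual score. The following added example (not code from the original page, the HHS SRA Tool or HIPAA Guard) builds such a register in Python over constructed entries, including the two cases discussed under Step 3. The rating bands (9 is Critical, 6 is High, 3 to 4 is Medium, 1 to 2 is Low) and the remediation windows in REMEDIATION_DAYS are assumptions to replace with your own policy:

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Ordinal values for the 3x3 likelihood/impact matrix.
LEVELS = {"Low": 1, "Medium": 2, "High": 3}

# Hypothetical remediation windows (days) per rating; take these from your own policy.
REMEDIATION_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}


def risk_rating(likelihood, impact):
    """Score one threat-vulnerability pair on the 3x3 matrix.

    Returns (score, rating). The score is likelihood x impact (1..9); the rating
    bands are an assumption: 9 Critical, 6 High, 3-4 Medium, 1-2 Low.
    """
    score = LEVELS[likelihood] * LEVELS[impact]
    if score == 9:
        return score, "Critical"
    if score >= 6:
        return score, "High"
    if score >= 3:
        return score, "Medium"
    return score, "Low"


@dataclass
class RiskItem:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    owner: str
    control: str
    residual_likelihood: str   # likelihood once the control is in place
    residual_impact: str       # impact once the control is in place
    touches_ephi: bool = True  # False keeps the item in the register but out of HIPAA scope

    def inherent(self):
        return risk_rating(self.likelihood, self.impact)

    def residual(self):
        return risk_rating(self.residual_likelihood, self.residual_impact)


def build_register(items, assessed_on):
    """Return register rows sorted by inherent score, each with owner, due date and residual risk."""
    rows = []
    for item in sorted(items, key=lambda i: i.inherent()[0], reverse=True):
        score, rating = item.inherent()
        residual_score, residual_rating = item.residual()
        rows.append({
            "asset": item.asset,
            "threat": item.threat,
            "vulnerability": item.vulnerability,
            "touches_ephi": item.touches_ephi,
            "score": score,
            "rating": rating,
            "owner": item.owner,
            "due": assessed_on + timedelta(days=REMEDIATION_DAYS[rating]),
            "control": item.control,
            "residual_score": residual_score,
            "residual_rating": residual_rating,
            "next_review": assessed_on + timedelta(days=365),  # annual review at minimum
        })
    return rows


# Constructed sample entries: the two cases from the text plus one third-party case.
SAMPLE_ITEMS = [
    RiskItem("Patient portal (portal.example.com)", "Man-in-the-middle interception of ePHI",
             "TLS certificate expired; users trained to click through browser warnings",
             "High", "High", "IT lead", "Automated certificate renewal with expiry monitoring",
             "Low", "High"),
    RiskItem("Blog admin account", "Brute-force login", "Weak password policy",
             "Medium", "Low", "Web admin", "Enforce long passphrases and MFA",
             "Low", "Low", touches_ephi=False),
    RiskItem("Online intake form page", "Disclosure to marketing platform",
             "Third-party analytics tag loaded on a page that collects health information",
             "Medium", "High", "Compliance officer", "Remove tag; load analytics only on non-PHI pages",
             "Low", "Medium"),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_ITEMS, date(2026, 4, 7)):
        print(f"{row['rating']:<8} score={row['score']} {row['asset']:<40} owner={row['owner']} "
              f"due={row['due']} residual={row['residual_rating']} ePHI={row['touches_ephi']}")
```

The residual columns are what an OCR reviewer will look for: they show that a control was chosen for each risk and what exposure remains afterwards. Keeping the out-of-scope blog item in the same register, flagged with touches_ephi=False, documents that it was considered and why it was deprioritized, which is better evidence than silently omitting it.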

HHS's free Security Risk Assessment (SRA) Tool provides a structured template for this documentation. Completed risk assessments, like all Security Rule documentation, must be retained for at least six years from their creation or last effective date (45 CFR § 164.316(b)(2)) and must be producible during an OCR investigation or audit.


Frequently Asked Questions

Can a small medical practice use the HHS SRA Tool instead of hiring a consultant?
Yes. HHS designed the SRA Tool specifically for small and medium-sized healthcare practices that may not have dedicated compliance staff. It walks through each Security Rule requirement with explanatory guidance. For a simple practice website with straightforward ePHI flows, the SRA Tool combined with a technical scanning tool can produce a solid risk assessment. More complex organizations with multiple systems and vendors typically benefit from external assistance.
How long should a HIPAA risk assessment take?
For a small practice with a simple website and one or two ePHI systems, a risk assessment can be completed in one to two days of focused work. For a large health system with complex web applications, multiple EHR integrations, and a patient portal, a thorough risk assessment may take several weeks and involve multiple stakeholders. The depth should match the complexity and sensitivity of your ePHI environment.
Does my hosting provider's SOC 2 report satisfy HIPAA risk assessment requirements?
No. Your hosting provider's SOC 2 report documents their controls, which informs but does not replace your own risk assessment. You are responsible for assessing risks across your entire ePHI environment, including how you use the hosting provider's services, your application-level controls, and all other components of your stack. A hosting provider's SOC 2 is one valuable input into your assessment.
What triggers a required risk assessment update?
HHS guidance identifies several triggers: new ePHI systems or significant changes to existing systems, new business functions that affect ePHI, new threats identified through security monitoring, changes in the regulatory environment, or occurrence of a security incident. At minimum, conduct an annual review even without triggering events.
