← Back to BLOG

10 Steps to Performing a HIPAA Risk Assessment

10 Steps to Performing a HIPAA Risk Assessment

Are you preparing to perform a HIPAA Risk Assessment? It's critical to know the requirements and particulars before starting. Unfortunately, many practices don’t understand how to conduct risk assessments and require assistance.  Lucky for you, navitend provides this service and is here to help and has extensive experience with HIPAA Risk Assessments. We've found the lack of risk assessments is the most common finding when an entity has a breach and an audit has to be performed. Stick with us, we'll help you prepare for your HIPAA Assessment and ensure a positive outcome. 

Understanding Your HIPAA Risk Assessment 

The first step in a successful audit is to understand exactly what's to come. What are auditors looking for?  

  1. Privacy rule requirements. These touch upon notice of privacy practices for PHI, rights to request privacy protection for PHI, access of individuals to PHI, administrative requirements, uses and disclosure of PHI, and accounting of disclosures.
  2. Security rule requirements for administrative, physical and technical safeguards. These include risk assessments and protocols for security incidents.
  3. Requirements for the Breach Notification Rule. 

HIPAA Risk Assessment Steps to Success

Here are the steps you need to take when preparing for your HIPAA Risk Assessment.

1. Identify all systems that contain, process or transmit ePHI. (Electronic Personal Health Information)

2. Create a list of the practice’s business associates that creates, receive, maintains or transmits ePHI for a function or activity regulated under HIPAA.

3. Go through HIPAA’s Privacy, security and Breach Notification implementation specifications and provide responses that demonstrate and document the practice’s level of compliance.

4. Develop a rating system for your practice’s level of compliance with the specification.

5. Conduct a vulnerability analysis of your practice’s system.

6. Conduct a penetration test on your practice’s system.

7. Develop a risk assessment report based on the risk assessment.

8. Develop a durable process for conducting risk assessments.

9. Structure of the report. The report should be structured in the following manner:

            * An executive summary with a high-level overview of the risk assessment findings.

            * A brief description of the organization, including a description of the organization’s activities.

            * The name of your organization’s current Privacy and Security Officer.

            * A map of the organization’s IT environment that maintains, transfers, receives or processes electronic personal health information.

            * A list of systems that maintain, transfer, receive or process electronically protected health information.

            * A list of HIPAA controls, the organization’s responses to the controls, whether the responses fully satisfied the controls, the level of compliance, and recommendations for remediation if applicable.

10. Develop a management action plan to remediate the findings identified in the risk assessment.

If this seems daunting, we're here for you and our experts can guide you through this difficult process. Let navitend help you with your HIPAA Risk Assessment. Call today at 973.448.0070 for the support you need! 

Feel free to reach out to us at navitend to discuss how we can help you perform your Annual Risk Assessment.  Call Patrice today at 973.448.0070 ext 312 or email

Contact us at 973.448.0070


  • navitend’s approach to customer service is greatly appreciated here.  Ensuring that we are well protected from a technology standpoint provides us with peace of mind to continue our day to day operations and that they are looking out for our company's best interest. 

  • "I appreciate that they didn’t just build the application. They made it better by bringing ideas to the table that not only made for a better user experience, but also kept the development costs down."

    Andy Lynch / North Star Marketing
  • "Thanks so much again for taking care of everything in such an expedient manner. It's a pleasure to work with navitend and its staff as always!"

    Lawrence Wolfin / Textol Systems, Inc.
  • “Navitend’s expertise helped our firm over the past year to effectively elevate our I.T. game, powering our website into a highly interactive tool. Well done to Frank and his team!”  

    Chuck Steege, CFP®, CEP, President, SFG Wealth Planning Services, Inc.
  • "We've dedicated our lives to growing our retail and ecommerce business and it's a relief to have found a company like navitend who treats our business likes it's their own. navitend's personal approach to project management and problem solving are top-notch."

    Stamatis, Co-owner Twisted Lily, Fragrance Boutique and Apothecary
  • "Thanks so much!  You are a class act!  
    You and your team have really done an excellent job on this!"

    Steve Van Ooteghem, The C12 Group in Houston, Texas
  • "I look forward to working with you again in the future. Once again, thanks to your organization for your prompt response."

    Luke Wolters / Luke Wolters Tax Consultants
  • "Our company is more efficient and has grown as a result of navitend’s work. navitend helped us get to the next level."

    Greg Niccolai / Madison Insurance
  • "navitend has been a great IT partner for our company.  Their helpdesk response time is the best I have experienced in my 30 year career.  navitend has helped me to have great IT services without the need to have a full time, in house, technician at significant savings to our company."

    Bob Bradley, President, Bradley Graphics