Free tool · No login · v1.0.0
HIPAA Security Risk Self-Assessment
A guided, 10-domain self-assessment that maps to the HIPAA Security Rule's administrative, physical, and technical safeguards. Answer 100 plain-English questions, then flag and rate your most likely risks — and get an instant, scored readiness report plus a risk profile you can act on internally or bring to a consultation. It's modeled on the methodology of the HHS/ONC Security Risk Assessment (SRA) Tool, in plain English.
The 10 HIPAA Security Rule domains covered
Your answers stay on this device. Nothing is transmitted unless you choose to email your results at the end.
0 of 100 answered
Step 2 · Flag & rate your risks
Where might your practice be vulnerable?
Select the weaknesses that apply to your practice. For each one you select, rate the associated threats. We pre-fill a sensible starting rating for a small practice — adjust anything that doesn't fit your situation. Selecting nothing is fine too; your risk register will just stay empty.
How we score each risk
We combine Likelihood (how likely it is to happen) and Impact (how bad it would be) on a Low / Moderate / High scale — a standard Likelihood × Impact method (NIST SP 800-30 style). The colored badge is the resulting risk level.
- Low likelihood — a modest or unlikely chance of occurrence.
- Moderate likelihood — a realistic, significant chance of occurrence.
- High likelihood — a probable or frequent chance of occurrence.
- Low impact — a modest disruption with minor impact to ePHI or operations.
- Moderate impact — a significant disruption with some damage to ePHI or operations.
- High impact — a catastrophic disruption with severe damage to ePHI or operations.
0 of 28 weaknesses flagged
Security Governance and Responsibility
-
Security tasks fall through the cracks and go unaddressed
Risk —Slow or disorganized response to an incident due to unclear ownership
Risk — -
Inconsistent safeguards leave gaps an attacker can exploit
Risk —Inability to demonstrate compliance during an audit or investigation
Risk —
Risk Analysis and Risk Management
-
Unknown gaps go unaddressed until exploited in a breach
Risk —OCR penalty — Risk Analysis failure is the most-cited enforcement finding
Risk — -
ePHI in an unknown location is breached without detection
Risk — -
Known weaknesses persist and are exploited
Risk —
Workforce Security and Training
-
Phishing email leads to stolen credentials or malware
Risk —Accidental disclosure of ePHI by an untrained employee
Risk — -
Former employee retains access and misuses or exposes ePHI
Risk —
Access Control and Authentication
-
Stolen password gives an attacker full account access
Risk — -
Inappropriate ePHI access cannot be attributed to a person
Risk — -
A single compromised account exposes far more ePHI than necessary
Risk —
Device, Endpoint, and Network Security
-
Ransomware infection encrypts ePHI and halts the practice
Risk — -
A known vulnerability is exploited to gain access
Risk — -
A lost or stolen device becomes a reportable breach
Risk — -
Malware spreads laterally across the whole practice
Risk —
Audit Controls, Logging, and Monitoring
-
A breach goes undetected for weeks or months
Risk —No forensic record to investigate or scope an incident
Risk — -
Account compromise progresses without anyone noticing
Risk —
Data Protection, Backup, and Disaster Recovery
-
Ransomware encrypts both live data and backups; no recovery
Risk — -
Backups fail when needed; prolonged downtime and data loss
Risk — -
Extended outage disrupts patient care and revenue
Risk —
Transmission Security, Email, and Cloud Services
-
ePHI is intercepted or misdirected in transit
Risk — -
Public or external link exposes ePHI unintentionally
Risk — -
Attacker uses remote access to reach internal systems and ePHI
Risk —
Vendors, Business Associates, and Third Parties
-
A vendor breach leaves the practice exposed and non-compliant
Risk — -
A compromised vendor account becomes a path into your network
Risk — -
A former vendor retains access to ePHI
Risk —
Physical Security, Incident Response, and Documentation
-
Slow, chaotic breach response increases damage and notification risk
Risk — -
Discarded drive or paper exposes ePHI
Risk — -
Unauthorized person views or removes ePHI on-site
Risk —
Complete the assessment to see your readiness band.
Your highest-priority gaps
These scored lowest and carry the most risk. Your full report includes a specific, prioritized recommendation for every gap.
Your risk profile
Built from the weaknesses you flagged and the Likelihood × Impact ratings you gave.
Top risks
| Domain | Vulnerability | Threat | Likelihood | Impact | Risk |
|---|
You didn't flag any weaknesses in the risk step. If that reflects reality, great — revisit it whenever your environment changes.
Educational tool, not legal advice. This self-assessment — including the risk-rating step, which uses a standard Likelihood × Impact method (NIST SP 800-30 style) — is a starting point to help you strengthen your security posture and support your HIPAA Security Rule efforts. It is not a formal HIPAA Security Risk Analysis, legal opinion, audit, certification, or guarantee of compliance, and completing it does not by itself satisfy the HIPAA risk-analysis requirement. A complete SRA evaluates your specific environment in depth. See how our Security Risk Analysis works →
Modeled on the publicly available methodology of the HHS/ONC Security Risk Assessment (SRA) Tool; not affiliated with or endorsed by HHS or ONC.