Conducting a HIPAA Risk Assessment: Key Steps

A HIPAA risk assessment is mandatory for any organization handling electronic protected health information (ePHI).

Behavioral health providers face additional challenges due to the sensitive nature of their data, like psychotherapy notes and substance use disorder (SUD) records, which must comply with both HIPAA and 42 CFR Part 2 regulations. Here's a quick breakdown of the process:

Define Scope: Identify systems, data, and workflows involving ePHI.

Inventory ePHI: Catalog where ePHI is stored, transmitted, and processed.

Identify Risks: Assess vulnerabilities, including telehealth and human error.

Evaluate Safeguards: Review administrative, physical, and technical controls.

Prioritize Remediation: Score risks (Likelihood × Impact) and address them based on severity.

Document Everything: Keep detailed records for at least six years.

Monitor Continuously: Regularly update assessments and adjust safeguards.

Behavioral health providers must pay close attention to stricter rules for SUD records and psychotherapy notes.

Tools like the HHS Security Risk Assessment Tool and frameworks like NIST SP 800-30 can help streamline the process. Failure to perform a thorough risk assessment can result in fines exceeding $2 million per violation annually.

The key is to stay proactive and document every step.

HIPAA Risk Assessment Steps for Behavioral Health Organizations

Defining the Scope of Your Risk Assessment

Before diving into identifying threats or evaluating safeguards, it's essential to set clear boundaries for your assessment. This ensures you focus exclusively on systems related to ePHI (electronic Protected Health Information) and avoid wasting time on unrelated areas.

Identifying the Purpose and Drivers

The main purpose of your risk assessment determines its priorities. Common drivers include:

Regulatory compliance: Meeting HIPAA requirements and, for substance use disorder programs, ensuring adherence to 42 CFR Part 2.

Operational changes: Integrating new EHR modules, expanding telehealth services, or moving to cloud-based systems.

Security incidents: Addressing breaches, ransomware attacks, or significant shifts in staffing or ownership.

Understanding your primary driver keeps the assessment focused and ensures that leadership and staff understand its purpose.

Identifying In-Scope Systems and Data

The Office for Civil Rights (OCR) provides guidance on what should be included:

"The scope of risk analysis that the Security Rule encompasses includes the potential risks and vulnerabilities to the confidentiality, availability and integrity of all e-PHI that an organization creates, receives, maintains, or transmits." - Office for Civil Rights (OCR)

For behavioral health organizations, this typically includes clinical platforms like the Opus Behavioral Health EHR, which manages clinical documentation, billing, and telehealth workflows.

Other systems to consider are billing and revenue cycle management tools, CRMs for admissions tracking, secure messaging apps, e-fax servers, and patient portals.

Hardware like laptops, tablets, smartphones (including personal devices used for work), servers, and USB drives must also be included. Don’t overlook "shadow IT" - such as personal Google Drive or Dropbox accounts staff might use, which can inadvertently expose ePHI.

Behavioral health organizations face some unique challenges. For example, psychotherapy notes require stricter protection than general medical records. Additionally, SUD records governed by 42 CFR Part 2 and data collected on untrusted Wi-Fi networks during home visits or fieldwork must be accounted for.

Once the scope is clearly defined, you can choose a risk assessment framework that matches your organization's size and complexity.

Choosing a Risk Assessment Methodology

HIPAA doesn’t specify a required methodology, giving organizations the flexibility to select one that suits their needs. Here are some commonly used frameworks:

| Framework | Best For |
|---|---|
| NIST SP 800-30 | Organizations focused on detailed processes; evaluates threats, vulnerabilities, likelihood, and impact |
| NIST SP 800-66r2 | Maps HIPAA Security Rule requirements to practical safeguards |
| HHS/ONC SRA Tool | Small to mid-sized practices; step-by-step guidance (though expert review is advised for technical accuracy) |
| HITRUST CSF | Larger or multi-site organizations; integrates HIPAA with ISO and NIST standards and offers certification options |

Smaller behavioral health practices often start with the HHS/ONC SRA Tool, as it provides a guided approach.

However, as HHS warns, "The SRA tool is not a guarantee of HIPAA compliance" [11]. Its scope and technical depth may not meet the needs of larger organizations. For those with more complex operations, NIST SP 800-30 offers a structured scoring model for threats and likelihood, which stands up well under scrutiny.

Regardless of the methodology selected, make sure to document your rationale thoroughly. OCR investigators will want to see not just what you assessed but also the methods you used to carry out the assessment.

Building an ePHI Inventory and Mapping Data Flows

Once you've defined your scope and chosen a methodology, the next step is pinpointing where electronic protected health information (ePHI) resides and understanding how it moves within your organization.

As Forward Care aptly states:

"If you don't know where your PHI lives, you can't protect it." [8]

This isn't just sound advice - it's the backbone of your risk assessment process. Identifying ePHI locations and flows sets the stage for cataloging the assets that store and transmit this sensitive data.

Cataloging Assets and Data Repositories

Bring together a cross-functional team that includes IT, clinical staff, compliance experts, and an executive sponsor. This diverse group will help ensure a comprehensive view of how ePHI is handled.

Your inventory should include every system involved in creating, receiving, storing, or transmitting ePHI. Here's a breakdown of the key categories to consider:

| Asset Category | Examples in Behavioral Health | Key Documentation Needed |
|---|---|---|
| Software Systems | EHR platforms like Opus Behavioral Health EHR, billing systems, telehealth tools | BAAs, security configurations |
| User Devices | Laptops, tablets for documentation, shared workstations, smartphones | Encryption status, MDM logs |
| Network & Cloud | Cloud storage, email servers, firewalls, e-fax systems; identify any shadow IT like personal cloud apps | Audit logs, access control matrices |
| Physical & Media | USB drives, backup tapes, scanners, paper records | Disposal policies, tracking logs |

A facility walkthrough can help uncover overlooked risks, such as exposed screens, unsecured documents, or unlocked filing cabinets.

Documenting ePHI Data Elements and Flows

After cataloging your assets, document the types of ePHI each system handles. This includes patient identifiers (e.g., name, date of birth, address), diagnoses, treatment plans, lab results, and psychotherapy notes.

In behavioral health, psychotherapy notes demand stricter protections than standard medical records and should be flagged accordingly.

For organizations managing substance use disorder treatment, you’ll also need to consider 42 CFR Part 2. This regulation imposes stricter consent requirements than HIPAA for certain disclosures, such as those related to treatment or payment [8].

Explicitly map these data flows to ensure compliance with the stricter standard.

Trace ePHI throughout its lifecycle - from patient intake and scheduling to clinical documentation, telehealth sessions, billing, and claims submission, all the way to archival or destruction.

Pay close attention to technical interfaces like HL7/FHIR connections, third-party integrations, and data exports to revenue cycle or analytics platforms. These are often areas where ePHI moves without clear visibility, making them critical to map thoroughly.

Collecting Supporting Documentation and Evidence

To validate your inventory and prepare for OCR audits, gather supporting documentation.

Key evidence includes signed BAAs, audit log samples, MFA and encryption screenshots, and records of physical safeguards. For telehealth tools, ensure that session recording is disabled by default and that MFA is enforced for all providers [1] [12].

All documentation must be retained for at least six years from the date it was created or last in effect [10] [8].

Keep an organized and current archive of evidence. OCR enforcement actions often highlight gaps in documentation as seriously as gaps in technical controls. Having a well-maintained archive can make all the difference.

Identifying Risks and Reviewing Current Safeguards

After mapping out your ePHI inventory and data flows, it’s time to shift gears. This stage involves identifying vulnerabilities and assessing how well your current safeguards hold up. Think of it as moving from cataloging to diagnosing.

Common Threats and Vulnerabilities in Behavioral Health

Behavioral health organizations have unique challenges when it comes to data security.

The highly sensitive nature of information - like psychotherapy notes, substance use disorder records, and mental health diagnoses - makes these organizations attractive targets for cyberattacks. A breach here isn’t just about financial penalties; it can have serious consequences for patients.

Here’s a breakdown of common risks:

| Threat Category | Behavioral Health Example | Underlying Gap |
|---|---|---|
| Human Error | Clinical notes sent via unencrypted personal email or SMS | Lack of standardized communication protocols |
| Insider Threat | Staff accessing records outside their caseload | Weak audit log monitoring and role-based controls |
| Ransomware/Technical | Exploitation of unpatched EHR systems | Outdated software and missing security updates |
| Physical | Unencrypted tablet stolen during a home visit | No full-disk encryption |
| Telehealth | Unauthorized recording of therapy sessions | Missing MFA or use of non-HIPAA-compliant platforms |
| Shadow IT | Staff using personal apps for session data | No policy on approved tools for fieldwork |

Did you know that human error is responsible for over 60% of data breaches? [15]

For behavioral health, the stakes are even higher. Psychotherapy notes, for example, require special monitoring due to strict legal protections.

"Psychotherapy notes have special protections... Always apply the most protective standard that applies to your services and location." - Kevin Henry, HIPAA Specialist [3]

These identified risks aren’t just theoretical - they guide what goes into your risk register and help prioritize remediation efforts.

Reviewing Administrative, Physical, and Technical Safeguards

Once you’ve pinpointed the risks, it’s time to evaluate how well your current safeguards are performing.

Administrative safeguards often reveal the first cracks. Are your staff trained on telehealth protocols, access policies for psychotherapy notes, and phishing awareness?

Do you have signed Business Associate Agreements (BAAs) with every vendor that touches ePHI? If you’re managing substance use disorder records, ensure your policies align with the stricter consent rules under 42 CFR Part 2.

Physical safeguards are just as critical. Simple measures like privacy screens, secure storage for devices, and controlled access to facilities can go a long way. Field-based teams, such as ABA providers, face additional risks - like unsecured home Wi-Fi, personal devices storing sensitive data, or bystanders overhearing sessions [1].

Technical safeguards demand constant attention. Treating HIPAA’s “addressable” standards, like encryption, as optional can lead to costly mistakes. If encryption isn’t feasible, you must document why and outline an alternative [15]. Implement MFA for EHR logins, monitor audit logs regularly, and patch software vulnerabilities promptly.

A real-world example underscores the importance of these safeguards. In 2022, a pediatric clinic in Georgia suffered a breach of 12,000 patient records after failing to update its risk analysis during a migration to a cloud-based EHR system. The result? An $850,000 fine from the OCR [15].

Tools That Support Risk Identification

You don’t have to tackle risk identification alone - there are tools to help. The HHS Security Risk Assessment (SRA) Tool, developed by the ONC and OCR, is a free resource designed for small and medium-sized practices. It helps identify vulnerabilities and document compliance efforts.

"The tool's features make it useful in assisting small and medium‑sized health care practices and business associates in complying with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule." - HHS [2]

However, it’s not a silver bullet.

"The SRA tool is not a guarantee of HIPAA compliance." - HHS SRA Tool User Guide [11]

For more advanced monitoring, tools like Security Information and Event Management (SIEM) systems, vulnerability scanners, and Endpoint Detection and Response (EDR) platforms provide real-time insights into threats like unauthorized access or malware [12].

Platforms like Opus Behavioral Health EHR simplify compliance by offering built-in audit controls, role-based access features, and centralized ePHI logging [9][12].

If you’re looking for frameworks to guide your risk evaluations, NIST SP 800-30 and SP 800-66 are widely regarded as the gold standard [6]. Aligning your approach with these guidelines can also help meet regulatory expectations.

This step sets the stage for building a prioritized risk register, which will guide your next actions.

Evaluating Risks and Prioritizing Remediation

Once you've pinpointed key vulnerabilities, the next step is figuring out their severity and deciding how to handle them.

How to Calculate Risk Levels

To quantify risks, use a simple formula: Likelihood × Impact [2]. Likelihood reflects how probable it is that a vulnerability will be exploited, while impact measures the potential damage - whether financial losses, harm to patients, or damage to your reputation.

"Risk is a product of both the likelihood of a threat exploiting a vulnerability and its impact on the organization." - HHS [2]

A practical way to score these factors is by using a 1–5 scale for both likelihood and impact. This approach produces a risk score ranging from 1 to 25, offering more clarity than vague "High/Medium/Low" labels.

Plus, the proposed 2026 HIPAA Security Rule updates are leaning toward this more precise method [6].

| Risk Score (1–25) | Category | Action Required |
|---|---|---|
| 13–25 | High Risk | Prioritize immediate remediation [6] |
| 6–12 | Moderate Risk | Develop a remediation plan with a clear timeline [6] |
| 1–5 | Low Risk | Monitor and address as part of routine operations [6] |

In behavioral health, where records like psychotherapy notes and substance use disorder details are especially sensitive, the stakes are higher. Even a single exposed record could jeopardize a patient's job, custody arrangements, or safety [1][6].

Once risks are scored, calculate the residual risk, which is the remaining threat level after existing controls are considered. To ensure accuracy, validate safeguards like backup systems, audit logs, and multi-factor authentication (MFA) enforcement before finalizing scores [7][16].

How to Prioritize Risk Treatment

After assigning scores, decide how to address each risk. You have four main options [13][17]:

Mitigate: Take steps to reduce the risk, like enabling MFA or encrypting devices.

Transfer: Shift the risk to another party, such as through cyber insurance or outsourcing to a managed security provider.

Avoid: Eliminate the risky activity or system entirely.

Accept: Choose to live with the risk - but only for low-risk items, and only with documented approval from leadership [14].

High-risk issues should be resolved within 30 days. Medium risks require a clear plan within 30–90 days, while low risks can be monitored as part of regular maintenance [14][17].

"OCR does not require zero risk; the standard is reasonable and appropriate risk management. What it will not accept is silence." - Bellator Cyber Guard [14]

Every risk must be addressed, even if the decision is to accept it. Without a documented rationale, it could be seen as "willful neglect" in an OCR audit [14]. Keeping a written record of your decisions ensures accountability and compliance.

Building a Risk Register

A risk register is your go-to tool for tracking risks from identification to resolution. It's not a one-and-done document - it evolves as new systems are added, incidents occur, or controls are updated.

"If it isn't documented, it didn't happen. OCR doesn't take your word for it." - ComplyMD [6]

Each entry in the register should include:

A description of the risk

Affected assets

Likelihood and impact scores

Current controls in place

The chosen response (mitigate/transfer/avoid/accept)

The assigned owner

A target completion date

The current status

High-priority risks should be assigned to specific individuals to ensure follow-through [13][14].

HIPAA mandates that all risk analysis and remediation records be kept for at least six years [7][16]. A well-maintained risk register not only supports compliance but also serves as a strong defense during audits. This is especially important since inadequate risk assessments are cited in over 80% of OCR enforcement actions [5].
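The scoring, treatment and register rules from the last three sections, carried through as an added Python example (not code from the article or from any vendor it names): Likelihood × Impact on a 1–5 scale, the 13–25 / 6–12 / 1–5 banding, residual risk after current controls, the four treatment options with "accept" limited to documented low-risk items, the 30-day and 90-day remediation windows, and the fields each register entry must carry. The `RiskEntry` fields, the validation checks and the sample entries are assumptions constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

TREATMENTS = ("mitigate", "transfer", "avoid", "accept")
# Outer bound of each remediation window from the article, in days; Low is routine work.
REMEDIATION_DAYS = {"High": 30, "Moderate": 90, "Low": None}


def risk_score(likelihood: int, impact: int) -> int:
    """Likelihood x Impact with both factors on a 1-5 scale, yielding 1-25."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be between 1 and 5, got {value}")
    return likelihood * impact


def risk_category(score: int) -> str:
    """Band a 1-25 score: 13-25 High, 6-12 Moderate, 1-5 Low."""
    if score >= 13:
        return "High"
    if score >= 6:
        return "Moderate"
    return "Low"


@dataclass
class RiskEntry:
    """One row of the risk register, carrying every field the article lists (assumed layout)."""
    description: str
    affected_assets: list[str]
    likelihood: int                # inherent, before controls
    impact: int
    current_controls: list[str]
    residual_likelihood: int       # assessor's re-score after current controls
    residual_impact: int
    treatment: str                 # mitigate / transfer / avoid / accept
    owner: str
    assessed_on: date
    status: str = "open"
    approved_by: str = ""          # leadership sign-off, required when treatment == "accept"

    @property
    def inherent_score(self) -> int:
        return risk_score(self.likelihood, self.impact)

    @property
    def residual_score(self) -> int:
        return risk_score(self.residual_likelihood, self.residual_impact)

    @property
    def target_date(self) -> date | None:
        days = REMEDIATION_DAYS[risk_category(self.residual_score)]
        return None if days is None else self.assessed_on + timedelta(days=days)


def validate_entry(entry: RiskEntry) -> list[str]:
    """Return the documentation gaps that would leave this entry unexplained in an audit."""
    problems = []
    if entry.treatment not in TREATMENTS:
        problems.append(f"unknown treatment {entry.treatment!r}")
    if entry.treatment == "accept":
        if risk_category(entry.residual_score) != "Low":
            problems.append("accept is only permitted for Low residual risk")
        if not entry.approved_by:
            problems.append("accept requires documented leadership approval")
    if risk_category(entry.residual_score) == "High" and not entry.owner:
        problems.append("High risk must have a named owner")
    return problems


def prioritised(register: list[RiskEntry]) -> list[RiskEntry]:
    """Order the register so the highest residual risk is handled first."""
    return sorted(register, key=lambda e: (e.residual_score, e.inherent_score), reverse=True)


# Constructed sample entries for illustration; not taken from the article.
SAMPLE_REGISTER = [
    RiskEntry("Unencrypted tablets used on home visits", ["field tablets"], 4, 5,
              [], 4, 5, "mitigate", "IT lead", date(2025, 1, 15)),
    RiskEntry("Staff can open records outside their caseload", ["EHR"], 3, 4,
              ["role-based access", "monthly audit log review"], 2, 4,
              "mitigate", "Compliance officer", date(2025, 1, 15)),
    RiskEntry("Legacy e-fax server without BAA", ["e-fax server"], 2, 2,
              ["network isolation"], 1, 2, "accept", "Practice manager",
              date(2025, 1, 15), approved_by="CEO"),
]
```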

The next step? Turning these documented risks into actionable safeguards and setting up a system for continuous monitoring to maintain compliance.

Putting Safeguards in Place and Maintaining Compliance

Implementing Targeted Safeguards

Once you’ve outlined your risks in a register, it’s time to act. Safeguards typically fall into three categories: administrative, physical, and technical. For a compliance program to work effectively, all three need to function together.

On the technical side, start by enabling MFA (multi-factor authentication) on all systems handling ePHI.

Encrypt data at rest using AES-256 and secure data in transit with TLS 1.3 - this is especially important for telehealth sessions and secure messaging. Speaking of telehealth, ensure the platform you use is covered by a signed Business Associate Agreement (BAA).

Disable local session recording by default and verify patient identity at the start of every visit. On the administrative side, update your operating procedures to reflect these controls and provide training on phishing prevention and secure data handling practices [1][3].

Here’s a quick summary of safeguards tailored for behavioral health:

| Safeguard Category | Examples for Behavioral Health |
|---|---|
| Administrative | Role-based access controls, managing BAAs, phishing simulations |
| Physical | Privacy screens at reception, auto-lock timers on workstations, secure shredding bins |
| Technical | MFA, AES-256 encryption, centralized audit logging, regular vulnerability scans |

Once safeguards are implemented, documenting your efforts becomes the next critical step.

Documenting Risk Assessment Outcomes

Without proper documentation, even the best safeguards are meaningless to the OCR.

Your documentation should include a formal Security Risk Analysis (SRA) report, a risk register, and a remediation plan that assigns tasks, owners, and deadlines. Explain the reasoning behind your risk ratings.

For instance, instead of simply assigning a score, include context like, “Rated 4 because staff clicked simulated phishing links and no formal training exists.”

This level of detail helps justify your ratings. Supplement your documentation with screenshots of encryption settings, MFA configurations, and signed training rosters. Remember, HIPAA mandates that all security-related documentation be retained for at least six years [4].

The risks of incomplete documentation are real. In 2024, a mid-sized health plan faced a $1.3 million settlement with the OCR because its risk assessment failed to include a legacy claims platform and a cloud-based analytics tool [5]. Incomplete or missing documentation can be just as problematic as not having safeguards in place.

With thorough documentation in hand, the next step is to focus on ongoing monitoring and adjustments.

Setting Up a Continuous Monitoring Program

Continuous monitoring builds on your documented risk register and remediation efforts, ensuring compliance over the long term. A risk assessment isn’t a one-and-done task - it’s the foundation of an ongoing compliance program. To stay on track, implement a tiered review schedule:

| Review Frequency | Key Activities |
|---|---|
| Daily | Monitor identity alerts, backup failures, and unusual login activity |
| Monthly | Review stale accounts, privileged access, and unresolved alerts |
| Quarterly | Test backup restoration, evaluate new systems, and review policy exceptions |
| Annual | Update the full SRA, refresh risk scoring, and audit vendor BAAs |

In addition to these routine reviews, any major changes - like adding a new EHR module, switching telehealth platforms, or undergoing a merger - should trigger an immediate reassessment.

Automate as much as possible: use vulnerability scanners to track patch updates and configuration changes, and consolidate logs into a SIEM (Security Information and Event Management) system to detect patterns like mass record access or unusual off-hours queries [12][18].
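The three patterns named above (mass record access, off-hours queries, and the earlier "staff accessing records outside their caseload") as detection rules over EHR audit log lines, written as an added Python example rather than code from the article or from any SIEM or EHR product it names. The comma-separated log format, the caseload mapping, the 07:00–19:00 business hours and the 20-patients-per-hour threshold are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format: ISO timestamp, user, patient id, action. Constructed sample:
# one off-hours view by rlee, normal views by jsmith/tgarcia, then rlee pulling
# 25 patients he does not treat within 25 minutes.
SAMPLE_LOG = """\
2025-03-03T09:12:00,jsmith,P1001,view
2025-03-03T09:14:00,jsmith,P1002,view
2025-03-03T02:40:00,rlee,P2001,view
2025-03-03T10:00:00,tgarcia,P1001,view
""" + "\n".join(f"2025-03-03T11:{i:02d}:00,rlee,P3{i:03d},view" for i in range(25)) + "\n"

# Assumed caseload mapping, normally exported from the EHR's scheduling or assignment data.
CASELOADS = {"jsmith": {"P1001", "P1002"}, "rlee": {"P2001"}, "tgarcia": {"P1001"}}
BUSINESS_HOURS = (7, 19)    # 07:00-18:59 on weekdays counts as normal working hours
MASS_ACCESS_THRESHOLD = 20  # distinct patients one user may open inside WINDOW
WINDOW = timedelta(hours=1)


def parse_log(text):
    """Parse audit lines into (timestamp, user, patient, action) tuples, time-ordered."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split(",")
        events.append((datetime.fromisoformat(ts), user, patient, action))
    return sorted(events)


def off_hours(events):
    """Flag every access outside business hours or on a weekend."""
    start, end = BUSINESS_HOURS
    return [("off_hours", u, f"{p} at {t:%H:%M} on {t:%a}")
            for t, u, p, _ in events
            if t.weekday() >= 5 or not start <= t.hour < end]


def outside_caseload(events, caseloads):
    """Flag accesses to patients not on the user's caseload."""
    return [("outside_caseload", u, p) for _, u, p, _ in events
            if p not in caseloads.get(u, set())]


def mass_access(events, threshold=MASS_ACCESS_THRESHOLD, window=WINDOW):
    """Flag a user who opens more than `threshold` distinct patients inside one sliding window."""
    findings = []
    by_user = defaultdict(list)
    for t, u, p, _ in events:
        by_user[u].append((t, p))
    for user, accesses in by_user.items():
        # Accesses are time-ordered; report once per user on the first window that trips.
        for i, (t0, _) in enumerate(accesses):
            patients = {p for t, p in accesses[i:] if t - t0 <= window}
            if len(patients) > threshold:
                findings.append(("mass_access", user,
                                 f"{len(patients)} distinct patients within {window}"))
                break
    return findings


def run_detections(log_text, caseloads=CASELOADS):
    """Run all three rules and return (rule, user, detail) findings for triage."""
    events = parse_log(log_text)
    return off_hours(events) + outside_caseload(events, caseloads) + mass_access(events)


def summarize(findings):
    """Count findings per rule; a quick view for the daily review tier."""
    counts = defaultdict(int)
    for rule, _, _ in findings:
        counts[rule] += 1
    return dict(counts)
```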

Tools like Opus Behavioral Health EHR make oversight easier by providing built-in audit trails, access logs, and automated workflows.

These features help track who accessed sensitive records and flag unusual activity. For organizations managing both HIPAA and 42 CFR Part 2 requirements, having controls integrated directly into your clinical platform can significantly reduce the monitoring workload.

"Risk analysis and risk management are not paperwork exercises; they are the foundation of your entire Security Rule program." - Healthcare Compliance Pros [16]

Conclusion and Key Takeaways

A HIPAA risk assessment forms the backbone of any security program.

As Gil Vidals, CEO of HIPAA Vault, explains: "A HIPAA risk analysis is the backbone of your entire compliance strategy." [11] This holds especially true for behavioral health organizations, where sensitive psychotherapy notes, SUD records, and dual HIPAA/42 CFR Part 2 compliance come into play.

The process involves several steps: defining the scope, inventorying ePHI, identifying and scoring risks, implementing safeguards, and documenting all efforts. Regular reassessments are critical as new threats emerge. This approach not only ensures compliance but also helps avoid costly mistakes.

The consequences of failing to perform a thorough risk assessment can be severe. For instance, in 2023, Oklahoma State University Center for Health Sciences settled for $875,000 after an OCR investigation revealed its risk assessment failed to address all ePHI systems enterprise-wide [19].

Similarly, Lafourche Medical Group paid $480,000 following a ransomware attack, with investigators noting the absence of a formal risk analysis [19]. Alarmingly, inadequate risk analysis is a factor in over 73% of HIPAA enforcement actions [19].

To succeed, adopt a structured and repeatable approach. Assign clear ownership of the process, maintain an up-to-date risk register, automate tasks where possible, and treat every major operational change - whether it’s a new EHR module, vendor, or location - as a trigger for reassessment. As ComplyMD emphasizes:

"If it isn't documented, it didn't happen. OCR doesn't take your word for it." [6]

For behavioral health organizations managing complex clinical and regulatory needs, tools like Opus Behavioral Health EHR can simplify compliance. With features such as audit trails, access controls, and automated workflows, they help integrate compliance into everyday operations.

FAQs

How often should we redo a HIPAA risk assessment?

You should perform a HIPAA risk assessment at least once a year. It's also important to reassess whenever major changes happen.

This could include introducing new software like Opus Behavioral Health EHR, integrating telehealth tools, going through mergers, relocating, or dealing with significant operational or regulatory changes. Regular assessments are essential to keep your security measures strong and adaptable to new threats targeting electronic protected health information.

What’s the difference between HIPAA and 42 CFR Part 2 in the risk assessment?

HIPAA establishes a federal framework to safeguard health information, but 42 CFR Part 2 introduces even stricter confidentiality rules specifically for substance use disorder (SUD) treatment records. When conducting a risk assessment, it's essential to recognize that compliance with 42 CFR Part 2 may demand additional measures.

These measures can include tighter access controls to limit who can view SUD records and implementing specialized consent processes to ensure patient authorization aligns with the regulation's requirements.

For example, when using tools like Opus Behavioral Health EHR, these extra safeguards help maintain compliance with both HIPAA and 42 CFR Part 2, ensuring patient data is handled with the utmost care.

What evidence should we keep to prove our risk assessment was done right?

To demonstrate that your risk assessment was comprehensive, maintain detailed records. This includes your Security Risk Analysis (SRA) report, a risk register, and a written risk management plan with clearly assigned owners and timelines.

Keep evidence of safeguards, such as audit reports, backup tests, and vendor due diligence (like Business Associate Agreements).

Additionally, ensure you retain signed training acknowledgments, policy documents, and immutable audit logs (such as those from Opus Behavioral Health EHR) for a minimum of six years.
