ePHI Risk Assessment
Overview
The ePHI Risk Assessment is a focused security review designed to help healthcare organizations understand how electronic Protected Health Information is created, received, maintained, transmitted, stored, and accessed across the business.
The assessment is intended for small healthcare practices, clinics, specialty providers, and healthcare-adjacent organizations that need a practical, plain-language review of patient data risk and HIPAA Security Rule alignment.
The goal is not to create paperwork for its own sake. The goal is to identify meaningful risks, prioritize action, and provide leadership with a clear remediation path.
Assessment Objectives
The ePHI Risk Assessment helps organizations:
- Identify where ePHI exists across the organization
- Understand who has access to patient data
- Review administrative, physical, and technical safeguards
- Identify security gaps that may increase breach risk
- Prioritize risks based on likelihood and impact
- Support HIPAA Security Rule compliance expectations
- Create a practical remediation roadmap
Scope of Services
1. ePHI Data Discovery Review
Review how patient data moves through the organization.
Activities include:
- Identify systems that store or process ePHI
- Review patient intake and registration workflows
- Review billing, scheduling, and clinical documentation workflows
- Identify email, file storage, cloud, and device usage involving ePHI
- Identify vendors and third parties that may handle ePHI
Deliverables:
- ePHI Data Flow Summary
- System and Vendor Inventory
2. HIPAA Security Rule Safeguards Review
Evaluate the organization’s safeguards against key HIPAA Security Rule expectations.
Areas reviewed include:
- Administrative safeguards
- Physical safeguards
- Technical safeguards
- Workforce access practices
- Security management processes
- Incident response readiness
- Backup and recovery practices
- Business associate oversight
Deliverables:
- HIPAA Security Rule Review Summary
- Safeguards Gap Analysis
3. Access and User Management Review
Review how access to patient data is granted, modified, and removed.
Activities include:
- Review user access processes
- Review role-based access practices
- Review inactive account handling
- Review shared account usage
- Review password and MFA practices
- Review termination and role-change procedures
Deliverables:
- Access Management Findings
- Recommended Access Control Improvements
4. Policy and Documentation Review
Review existing security documentation and identify missing or outdated materials.
Typical documents reviewed include:
- Information Security Policy
- Access Control Policy
- Incident Response Policy
- Backup and Recovery Policy
- Mobile Device Policy
- Acceptable Use Policy
- Business Associate Agreement tracking
- Security awareness training records
Deliverables:
- Policy Review Summary
- Documentation Gap List
5. Risk Identification and Analysis
Identify risks that could impact the confidentiality, integrity, or availability of ePHI.
Activities include:
- Identify threats and vulnerabilities
- Assess likelihood and business impact
- Score and prioritize risks
- Document existing safeguards
- Recommend remediation actions
Deliverables:
- Risk Register
- Prioritized Findings List
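As an added illustration of the scoring step (example code, not the assessment's own method): each risk in a small register is rated for likelihood and impact, multiplied into a score, and sorted into the Prioritized Findings List. The 1-3 rating scale, the priority thresholds, and the five sample risks are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

LEVELS = {1: "Low", 2: "Medium", 3: "High"}   # assumed 1-3 rating scale

@dataclass
class Risk:
    risk_id: str
    description: str        # threat/vulnerability pair affecting ePHI
    likelihood: int         # 1-3: how likely the threat is realized
    impact: int             # 1-3: effect on ePHI confidentiality/integrity/availability
    existing_safeguards: list = field(default_factory=list)
    remediation: str = ""

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def priority(self) -> str:
        # Assumed thresholds: 6-9 High, 3-4 Medium, 1-2 Low
        return "High" if self.score >= 6 else "Medium" if self.score >= 3 else "Low"

def prioritize(register):
    """Validate ratings, then sort high to low by score; ties go to higher impact."""
    for r in register:
        if r.likelihood not in LEVELS or r.impact not in LEVELS:
            raise ValueError(f"{r.risk_id}: likelihood and impact must be 1-3")
    return sorted(register, key=lambda r: (r.score, r.impact), reverse=True)

def prioritized_findings(register):
    """One line per risk, in remediation order (the Prioritized Findings List)."""
    return [f"{r.risk_id} [{r.priority}, score {r.score}] {r.description} -> {r.remediation}"
            for r in prioritize(register)]

# Constructed sample register for a small practice (not real findings)
SAMPLE_REGISTER = [
    Risk("R-01", "Shared front-desk login to scheduling system", 3, 2,
         ["audit logging"], "Issue individual accounts; retire shared login"),
    Risk("R-02", "Remote EHR access without MFA", 3, 3,
         ["password policy"], "Enforce MFA for all remote EHR access"),
    Risk("R-03", "ePHI backups never restore-tested", 2, 3,
         ["nightly backup"], "Schedule quarterly restore tests"),
    Risk("R-04", "No signed BAA with billing vendor", 1, 3,
         [], "Execute BAA before next data exchange"),
    Risk("R-05", "Reception monitor visible from waiting area", 2, 1,
         ["screen lock"], "Reposition monitor or add privacy filter"),
]
```

Running `prioritized_findings(SAMPLE_REGISTER)` lists the remote-access MFA gap first; an out-of-range rating is rejected rather than silently scored.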
6. Remediation Roadmap
Create a practical action plan for reducing risk.
The roadmap includes:
- High-priority remediation items
- Recommended owners
- Suggested timelines
- Quick wins
- Longer-term improvement opportunities
Deliverables:
- Remediation Roadmap
- Executive Summary
Final Deliverables
At the conclusion of the assessment, the customer receives:
- ePHI Risk Assessment Report
- Executive Summary
- ePHI Data Flow Summary
- System and Vendor Inventory
- HIPAA Security Rule Gap Summary
- Risk Register
- Remediation Roadmap
- Policy and Documentation Gap List
Customer Responsibilities
Customer will:
- Designate a primary point of contact
- Provide requested documentation
- Identify key staff for interviews
- Provide system and vendor information
- Coordinate access to IT support personnel, if applicable
- Review findings and approve remediation priorities
Out of Scope
The following services are not included unless separately agreed:
- Penetration testing
- Vulnerability scanning
- Managed IT services
- Technical remediation implementation
- Legal advice
- Breach notification services
- Digital forensics
- Security monitoring
- Cyber insurance claim support
- Development of custom software or integrations
Typical Assessment Cadence
| Activity | Timing |
| --- | --- |
| Kickoff Call | Week 1 |
| Documentation Request | Week 1 |
| Staff Interviews | Week 1–2 |
| Safeguards Review | Week 2 |
| Risk Analysis | Week 2–3 |
| Draft Findings Review | Week 3 |
| Final Report Delivery | Week 3–4 |
| Executive Readout | Week 4 |
Ideal Customer Profile
This service is designed for:
- Small medical practices
- Dental offices
- Therapy and behavioral health providers
- Specialty clinics
- Healthcare startups
- Billing or administrative service providers
- Organizations that handle patient information but do not have a dedicated security team
Assessment Outcome
By the end of the assessment, leadership should have a clear understanding of:
- Where patient data exists
- Which systems and vendors create the most risk
- Which safeguards are working
- Which security gaps need attention
- What actions should be taken first
- How to demonstrate ongoing HIPAA Security Rule diligence
The ePHI Risk Assessment provides a practical foundation for improving security, reducing patient data risk, and building a more mature compliance program over time.