Free HIPAA risk assessment tool
Check your safeguards against the HIPAA Security Rule the way regulators expect. Answer a short checklist across administrative, physical, and technical safeguards, starting with the required risk analysis (45 CFR §164.308(a)(1)(ii)(A)). See your risks and recommendations build as you go, then download the report as Word or PDF. Everything runs locally in your browser, so no data leaves your device and no sign-up is needed.
Assessment details
Organization
Administrative safeguards
Physical safeguards
Technical safeguards
HIPAA SECURITY RISK ASSESSMENT
Organization: [Organization Name]
Assessed by: [Assessor Name]
Date: [Assessment Date]
Summary
This assessment covers 14 HIPAA safeguard requirements: 0 in place, 0 partially in place, and 0 not in place, with 14 not yet answered.
Administrative Safeguards
Documented security risk analysis of all systems that create, receive, maintain, or transmit ePHI (45 CFR 164.308(a)(1)(ii)(A)) — Not answered.
A designated Security Official responsible for the security program (45 CFR 164.308(a)(2)) — Not answered.
Security awareness and training for all workforce members (45 CFR 164.308(a)(5)) — Not answered.
A written sanction policy for workforce members who violate security policies (45 CFR 164.308(a)(1)(ii)(C)) — Not answered.
A contingency plan with data backup and disaster recovery for ePHI (45 CFR 164.308(a)(7)) — Not answered.
Physical Safeguards
Controlled and documented physical access to facilities that house ePHI systems (45 CFR 164.310(a)(1)) — Not answered.
Policies for proper workstation use and positioning to protect ePHI (45 CFR 164.310(b)-(c)) — Not answered.
Tracking and control of hardware and electronic media that hold ePHI (45 CFR 164.310(d)(1)) — Not answered.
Secure disposal of ePHI and the media it is stored on (45 CFR 164.310(d)(2)(i)) — Not answered.
Technical Safeguards
A unique user ID for every person who accesses systems containing ePHI (45 CFR 164.312(a)(2)(i)) — Not answered.
Audit controls that record and examine activity in systems with ePHI (45 CFR 164.312(b)) — Not answered.
Encryption of ePHI when stored at rest (45 CFR 164.312(a)(2)(iv)) — Not answered.
Encryption of ePHI when transmitted over networks (45 CFR 164.312(e)(2)(ii)) — Not answered.
Automatic logoff and session timeouts on systems that access ePHI (45 CFR 164.312(a)(2)(iii)) — Not answered.
Generated by BlockSurvey
How the HIPAA risk assessment tool works
3 steps · runs entirely in your browser
Answer the checklist
Enter your organization and work through short questions on administrative, physical, and technical safeguards, marking each as in place, partially in place, or not in place.
Review the live report
Watch the assessment build in real time, with a risk level and a plain-language recommendation for every gap.
Download and act
Export a ready-to-file PDF or an editable Word report. Nothing you enter ever leaves your device.
Free, secure, and HIPAA-standard by default
A risk assessment should not cost you a paywall or ship a picture of your security gaps to someone else's server. This checklist follows the risk analysis requirement of 45 CFR §164.308:
100% in-browser
The report is built on your device; nothing is uploaded.
No account required
No sign-up, no email wall, no tracking.
Free, real download
The complete report as Word or PDF at no cost, not a watermarked sample.
What a HIPAA risk analysis must cover
Under the risk analysis requirement, a thorough assessment of ePHI should:
- Identify the reasonably anticipated threats and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
- Assess the current security measures already in place to guard against those threats.
- Determine the likelihood that each threat could occur and the impact it would have.
- Assign a risk level to each finding so remediation can be prioritized.
- Document the findings and a remediation plan, and revisit them as your environment changes.
Built for every healthcare organization
A risk analysis is required no matter your size, and it is the first thing an auditor asks for. This tool gives you a clear, dated starting point, and it works alongside HIPAA-compliant survey software when you collect health data through forms.
Solo & small practices
Run a required risk analysis without a compliance team.
Multi-location groups
Assess safeguards the same way across every site.
Digital health startups
Find your security gaps before you scale or raise.
SaaS & tech vendors
Show the controls that protect the PHI you touch.
Billing companies & MSOs
Document safeguards for the records you handle.
Nonprofits & community clinics
Meet the risk analysis requirement on a tight budget.
Collecting PHI through forms or surveys?
HIPAA-compliant survey software from BlockSurvey signs a BAA with you, so the tool you use to gather health data is covered too.