Free HIPAA risk assessment tool

Check your safeguards against the HIPAA Security Rule the way regulators expect. Answer a short checklist across administrative, physical, and technical safeguards, starting with the required risk analysis (45 CFR §164.308(a)(1)(ii)(A)). See your risks and recommendations build as you go, then download the report as Word or PDF. Everything runs locally in your browser, so no data leaves your device and no sign-up is needed.

Assessment details

Organization

Administrative safeguards

Physical safeguards

Technical safeguards

Preview

HIPAA SECURITY RISK ASSESSMENT

Organization: [Organization Name]

Assessed by: [Assessor Name]

Date: [Assessment Date]

Summary

This assessment covers 14 HIPAA safeguard requirements: 0 in place, 0 partially in place, and 0 not in place, with 14 not yet answered.

Administrative Safeguards

Documented security risk analysis of all systems that create, receive, maintain, or transmit ePHI (45 CFR 164.308(a)(1)(ii)(A)) — Not answered.

A designated Security Official responsible for the security program (45 CFR 164.308(a)(2)) — Not answered.

Security awareness and training for all workforce members (45 CFR 164.308(a)(5)) — Not answered.

A written sanction policy for workforce members who violate security policies (45 CFR 164.308(a)(1)(ii)(C)) — Not answered.

A contingency plan with data backup and disaster recovery for ePHI (45 CFR 164.308(a)(7)) — Not answered.

Physical Safeguards

Controlled and documented physical access to facilities that house ePHI systems (45 CFR 164.310(a)(1)) — Not answered.

Policies for proper workstation use and positioning to protect ePHI (45 CFR 164.310(b)-(c)) — Not answered.

Tracking and control of hardware and electronic media that hold ePHI (45 CFR 164.310(d)(1)) — Not answered.

Secure disposal of ePHI and the media it is stored on (45 CFR 164.310(d)(2)(i)) — Not answered.

Technical Safeguards

A unique user ID for every person who accesses systems containing ePHI (45 CFR 164.312(a)(2)(i)) — Not answered.

Audit controls that record and examine activity in systems with ePHI (45 CFR 164.312(b)) — Not answered.

Encryption of ePHI when stored at rest (45 CFR 164.312(a)(2)(iv)) — Not answered.

Encryption of ePHI when transmitted over networks (45 CFR 164.312(e)(2)(ii)) — Not answered.

Automatic logoff and session timeouts on systems that access ePHI (45 CFR 164.312(a)(2)(iii)) — Not answered.

Generated by BlockSurvey

How the HIPAA risk assessment tool works

3 steps · runs entirely in your browser

1

Answer the checklist

Enter your organization and work through short questions on administrative, physical, and technical safeguards, marking each as in place, partially in place, or not in place.

2

Review the live report

Watch the assessment build in real time, with a risk level and a plain-language recommendation for every gap.

3

Download and act

Export a ready-to-file PDF or an editable Word report. Nothing you enter ever leaves your device.

Free, secure, and HIPAA-standard by default

A risk assessment should not cost you a paywall or ship a picture of your security gaps to someone else's server. This checklist follows the risk analysis requirement of 45 CFR §164.308:

01

100% in-browser

The report is built on your device; nothing is uploaded.

02

No account required

No sign-up, no email wall, no tracking.

03

Free, real download

The complete report as Word or PDF at no cost, not a watermarked sample.

What a HIPAA risk analysis must cover

Under the risk analysis requirement, a thorough assessment of ePHI should:

  1. Identify the reasonably anticipated threats and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
  2. Assess the current security measures already in place to guard against those threats.
  3. Determine the likelihood that each threat could occur and the impact it would have.
  4. Assign a risk level to each finding so remediation can be prioritized.
  5. Document the findings and a remediation plan, and revisit them as your environment changes.

Built for every healthcare organization

A risk analysis is required no matter your size, and it is the first thing an auditor asks for. This tool gives you a clear, dated starting point, and it works alongside HIPAA-compliant survey software when you collect health data through forms.

Solo & small practices

Run a required risk analysis without a compliance team.

Multi-location groups

Assess safeguards the same way across every site.

Digital health startups

Find your security gaps before you scale or raise.

SaaS & tech vendors

Show the controls that protect the PHI you touch.

Billing companies & MSOs

Document safeguards for the records you handle.

Nonprofits & community clinics

Meet the risk analysis requirement on a tight budget.

Collecting PHI through forms or surveys?

HIPAA-compliant survey software from BlockSurvey signs a BAA with you, so the tool you use to gather health data is covered too.

More free HIPAA tools

Explore more

Frequently asked questions

What is a HIPAA security risk assessment?

A HIPAA security risk assessment is a documented review of how your organization protects electronic protected health information (ePHI). You look at the administrative, physical, and technical safeguards in the HIPAA Security Rule, decide which ones are in place, and identify the gaps that could expose patient data. The Security Rule requires a risk analysis under 45 CFR 164.308(a)(1)(ii)(A), and this tool walks you through a plain-language version of that review.

Who has to do a HIPAA risk assessment?

Every covered entity and business associate that handles ePHI must conduct a risk analysis. That includes solo practices, clinics, hospitals, billing companies, digital health startups, and any vendor that stores or transmits health data for a healthcare client. The size of your organization changes the scope of the assessment, not whether you need one.

How often should I run a risk assessment?

HIPAA does not set a fixed calendar, but regulators expect the analysis to be ongoing. Run it at least once a year and again whenever something material changes, such as new software, a move to the cloud, a merger, a new location, or a security incident. Keeping dated copies of each assessment shows a pattern of continuous review.

What does this tool check?

It covers 14 core requirements from the HIPAA Security Rule across three areas: administrative safeguards such as the risk analysis, a designated Security Official, workforce training, a sanction policy, and a contingency plan; physical safeguards such as facility access, workstation use, device and media controls, and secure disposal; and technical safeguards such as unique user IDs, audit controls, encryption at rest and in transit, and automatic logoff. For each item you mark whether it is in place, partially in place, or not in place, and the report flags the risk level and a recommendation.

Do you store the answers I enter?

No. The whole report is assembled locally in your browser. Your organization name, the answers you select, and the resulting report are never sent to or stored on any server, which is why no sign-up is required.

Is this a substitute for legal advice?

No. This tool produces a starting-point self-assessment based on the safeguards in the HIPAA Security Rule, but it is not legal advice and does not cover every requirement that may apply to your organization. A complete risk analysis also weighs the specific threats to your systems, your business associate relationships, and applicable state law. Have a qualified compliance professional or attorney review your assessment and remediation plan.
Scripts are blocked. This site won’t work properly. If you’re using Brave, click the Shields icon and turn off Block scripts. Otherwise disable your ad blocker for this site.