Regardless of the risk analysis methodology employed, your work must include these elements, HHS / OCR provided final guidance on completing a HIPAA Security Risk Analysis (45 C.F.R. § 164.308(a)(1)).  Regardless of methodology (and some don’t make the grade!), HHS/OCR cites nine (9) essential elements that must be included in your risk analysis.  Here’s a big tip – Check out the Clearwater Risk Analysis ToolKit™ ! …


The Clearwater Risk Analysis ToolKit™ methodology incorporates all essential HHS/OCR-specified elements of a risk analysis and extends beyond these requirements in several areas.  Below, the Clearwater Risk Analysis Phases and sub-phases are mapped to the nine (9) HHS/OCR essential elements:




Clearwater Risk Analysis ToolKit™

HHS/OCR elements of a Risk Analysis

  1. 1.      Inventory Phase

1.1.   Inventory information assets, especially those handling ePHI

1.2.   Document their present security controls and criticality of the applications and their data

  1. 1.      Scope of the Analysis
  2. 2.      Data Collection

Our Risk Analysis methodology includes inventory forms and instructions for capturing all relevant details about ePHI.

  1. 2.      Risk Determination Phase

2.1.   Identify threats in the environment

2.2.   Identify vulnerabilities that threats could exploit

2.3.   Describe the risks based on threat/vulnerability pairings

2.4.   Identify existing controls

2.5.   Determine the likelihood that a threat could exploit a vulnerability

2.6.   Analyze the severity of the impact if the threat were to successfully exploit the vulnerability(s)

2.7.   Determine and summarize the risk level

In addition to addressing all the HHS/OCR requirements, our Risk Analysis methodology iterates through the risk planning process taking into account implementing controls or safeguards and recalculating risk.



  1. 3.      Identify and Document Potential Threats and Vulnerabilities
  2. 4.      Assess Current Security Measures
  3. 5.      Determine the Likelihood of Threat Occurrence
  4. 6.      Determine the Potential Impact of Threat Occurrence
  5. 7.      Determine the Level of Risk


Our Risk Analysis methodology facilitates informed decision making about risk management actions.  Forms and instructions capture essential documentation throughout the process.

  1. 3.      Risk Remediation Phase

3.1.   Recommend risk mitigation strategies for each risk

3.2.   Implement applicable controls to mitigate risk

3.3.   Determine residual likelihood that a threat could attack a vulnerability

3.4.   Analyze the residual severity of the impact

3.5.   Determine and report residual risk to senior management

  1. 4.      Documentation Phase

4.1.   Generate HIPAA Risk Analysis Executive Summary

4.2.   Monitor changes in the environment, information systems, and security technology

4.3.   Update the risk analysis; and implement any other controls

  1. 8.      Finalize Documentation
  2. 9.      Periodic Review and Updates to the Risk Assessment

Our Risk Analysis methodology includes forms, templates and instructions to create appropriate documentation and management reporting.





The Clearwater HIPAA Security Risk Analysis ToolKit™ includes a robust set of worksheets and templates to help you complete your risk analysis.

As required by The HITECH Act, the Office for Civil Rights has issued final “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”.  (July 2010).  We advise all Covered Entities and Business Associates to review the Final Guidance and become familiar with the applicable standards and implementation specifications.

Please avail yourself of any of these free resources which you may access now by clicking on the links below:


Series Navigation<< HIPAA Security Risk Analysis Tips – Risk Analysis White PaperHIPAA Security Risk Analysis Tips – Present Security Controls >>

Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.