// NOTE · MAY 13, 2026
What a HIPAA security risk assessment actually looks like in a 3-provider practice
// Draft
This article is in progress. The opening section below is the published portion; the remaining sections are outlined to give you a sense of what's coming. Have a question that can't wait? Send a message.
Every small medical practice I work with knows they're supposed to do a HIPAA security risk assessment. Most have either downloaded a template designed for a 400-bed hospital, paid a consultant for something they can't actually use, or done nothing at all and hoped no one would ask. None of those are unreasonable — the available guidance genuinely is bad for organizations under twenty people.
The Security Rule itself is short. The hard part is translating “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information” into something a three-provider practice can actually do in a couple of afternoons and a couple of follow-up phone calls. That's what this piece is about: what the assessment looks like in real life, the seven questions that drive most of the value, and the three findings that show up at almost every practice I've looked at.
I'm going to skip the legal commentary. This is security and compliance guidance from someone who builds and breaks systems for small businesses — your healthcare attorney is the right person to tell you what HHS will accept in a specific enforcement situation. What I can tell you is what the work itself looks like, so you can either do it yourself or know what you're paying for when someone else does.
What this article covers
- 01
Where ePHI actually lives (and where you didn't realize it does)
It's never just the EHR. ePHI lives in email inboxes, scanned-PDF folders on staff laptops, voicemail transcripts, the photocopier's hard drive, and the appointment-reminder text messages that route through a third-party service you signed up for two years ago. The first hour of any real assessment is a data-flow inventory.
- 02
The seven questions worth starting with
Who has admin access to email? Is MFA enforced everywhere or just on the EHR? When was the last successful backup restore test? Who has remote access and how is it controlled? Where does scanned-PDF intake end up? Which vendors actually touch ePHI? When someone leaves the practice, what's the offboarding checklist?
- 03
The three findings you'll almost certainly have
Backups exist but restores haven't been tested. MFA is partially deployed but a few admin accounts slipped through. Old staff offboarding left orphaned access in at least one cloud service. These three together account for the majority of ransomware and account-takeover incidents at practices this size.
- 04
What 'documenting' actually means
You don't need a 200-page binder. You need a written record that shows you identified risks, ranked them, and made a deliberate decision about each one. A six-page document covering scope, methodology, findings, decisions, and a remediation plan is more defensible than a thick binder of generic policies.
- 05
How long this takes (and what it should cost)
For a three-provider practice using a cloud EHR and Microsoft 365, the assessment itself is typically 4–8 hours of consultant time plus 2–3 hours of practice-side discovery work. The remediation that follows is the expensive part; the assessment should not be.
- 06
When to redo it
Annually is the conventional answer; the right answer is whenever your environment changes materially. New EHR, new building, new remote-work policy, new vendor relationship, or a security incident — any of these resets the clock.
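As an added example, not code from the article, here is a small Python script that turns the three findings from section 03 into checks over a constructed account and backup inventory and ranks the results the way the remediation plan in section 04 would list them. The inventory shape (the Account and BackupSet fields), the sample data and the one-year restore-test threshold are all assumptions, not figures the article gives.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

@dataclass
class Account:
    user: str
    service: str      # where the login lives: EHR, Microsoft 365, a vendor portal
    admin: bool       # holds admin rights on that service
    mfa: bool         # MFA actually enforced on this login, not just available
    employed: bool    # still on staff per the practice's current roster
@dataclass
class BackupSet:
    name: str
    last_restore_test: Optional[date]   # None = a restore has never been tried
@dataclass
class Finding:
    control: str
    detail: str
    severity: str     # "high" or "medium"

def assess(accounts: List[Account], backups: List[BackupSet], today: date,
           max_restore_age_days: int = 365) -> List[Finding]:
    """Flag the article's three findings and return them ranked, high first (threshold is an assumption)."""
    findings = []
    for a in accounts:
        if a.admin and not a.mfa:     # finding: admin accounts that slipped past MFA
            findings.append(Finding("MFA", f"admin {a.user} on {a.service} has no MFA", "high"))
        if not a.employed:            # finding: offboarding left orphaned access behind
            sev = "high" if a.admin else "medium"
            findings.append(Finding("Offboarding", f"former staff {a.user} still has {a.service} access", sev))
    for b in backups:                 # finding: backups exist but restores are untested
        if b.last_restore_test is None:
            findings.append(Finding("Backups", f"{b.name}: restore never tested", "high"))
        elif (today - b.last_restore_test).days > max_restore_age_days:
            findings.append(Finding("Backups", f"{b.name}: last restore test {b.last_restore_test}", "medium"))
    return sorted(findings, key=lambda f: 0 if f.severity == "high" else 1)

# Constructed sample inventory, not data from any real practice.
SAMPLE_ACCOUNTS = [
    Account("dr.lee", "EHR", admin=True, mfa=True, employed=True),
    Account("office.mgr", "Microsoft 365", admin=True, mfa=False, employed=True),
    Account("former.ma", "reminder-SMS vendor", admin=False, mfa=True, employed=False),
]
SAMPLE_BACKUPS = [BackupSet("EHR nightly export", date(2025, 11, 2)),
                  BackupSet("scanned-intake share", None)]
SAMPLE_TODAY = date(2026, 5, 13)

if __name__ == "__main__":
    for f in assess(SAMPLE_ACCOUNTS, SAMPLE_BACKUPS, SAMPLE_TODAY):
        print(f"[{f.severity}] {f.control}: {f.detail}")
```

The output is the short, ranked findings list the article argues for: two high items (an admin login without MFA, a share whose restore has never been tried) and one medium item (a former employee's vendor login), each with the deliberate decision still to be recorded beside it.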