Most developers I know hit "you need a HIPAA security risk assessment" and picture a $1,500 consultant engagement built around a 40-page Word template. That's one way to do it. But the assessment itself isn't mysterious. It's a fixed set of questions, and you can answer most of them yourself in an afternoon once you know what they are.
Here's the actual structure. If you'd rather just click through it, there's a free no-signup version that runs the same 18 questions in your browser and hands back a gap list: free HIPAA Security Risk Assessment self-check. Nothing leaves the page, so you can run it against a real system without filling in a lead form first.
The HIPAA Security Rule (45 CFR 164) splits into three families. What each one is really asking:
Administrative safeguards
The biggest bucket, and the one people skip because none of it is technical. Have you actually written down a risk analysis (the thing you're doing right now counts). Is someone named as the security official. Do you train the people who touch PHI. Do you have an incident response plan you've read in the last year. And the one that bites SaaS teams: do you have signed BAAs with every downstream vendor that sees PHI. Your cloud provider, your error tracker, your transactional email service. Each one separately.
Physical safeguards
Short section, easy to underweight if your team is fully remote. Who can physically reach the machines PHI sits on. How are workstations positioned, can someone in a waiting room read a screen over a shoulder. What happens to a laptop or drive when it's decommissioned. "We're in the cloud" doesn't zero this out; your laptops are still endpoints.
Technical safeguards
The part developers are most comfortable with, which is exactly why it's worth checking you didn't assume your way past it. Unique logins per user, no shared admin account. Encryption at rest and in transit. Audit logs that record who accessed what. Authentication that actually verifies identity. The gap I see most often is logging that exists but that nobody could query if an investigator asked "who opened this record on March 3rd."
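The "logging that exists but nobody can query" gap is concrete enough to show in code. The block below is an added illustration, not code from the post or from any particular product: a minimal append-only PHI access log where every entry carries a unique user id, a record id, an action and a UTC timestamp, plus the two queries an assessment should be able to answer on demand ("who opened this record on this day" and "which entries were made under a shared login"). The account names, record ids and events are constructed sample data; the in-memory JSON-lines store stands in for whatever durable, write-once storage a real deployment would use.

```python
"""Structured PHI access audit log with the queries an investigator asks.

Added example, not the post's own code. Assumptions: each event records
user_id, record_id, action and a timezone-aware timestamp; the log is kept
as append-only JSON lines in memory here (a real system would persist them).
"""
from __future__ import annotations

import json
from datetime import date, datetime, timezone


class PhiAuditLog:
    """Append-only record of who touched which PHI record, when, and how."""

    # Logins that are not tied to one person; their use is itself a finding
    # (hypothetical names chosen for the example).
    SHARED_ACCOUNTS = {"admin", "root", "shared", "nurse-station"}

    def __init__(self) -> None:
        self._lines: list[str] = []  # one JSON document per line, never rewritten

    def record_access(self, user_id: str, record_id: str, action: str,
                      at: datetime | None = None) -> dict:
        """Append one event. Timestamps are normalised to UTC so day queries are unambiguous."""
        at = at or datetime.now(timezone.utc)
        if at.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        event = {
            "ts": at.astimezone(timezone.utc).isoformat(),
            "user_id": user_id,
            "record_id": record_id,
            "action": action,  # e.g. read, update, export
        }
        self._lines.append(json.dumps(event, sort_keys=True))
        return event

    def events(self) -> list[dict]:
        return [json.loads(line) for line in self._lines]

    def who_accessed(self, record_id: str, on: date | str) -> list[dict]:
        """Answer 'who opened this record on <day>' (UTC day, date or ISO string)."""
        day = date.fromisoformat(on) if isinstance(on, str) else on
        hits = []
        for ev in self.events():
            ts = datetime.fromisoformat(ev["ts"])
            if ev["record_id"] == record_id and ts.date() == day:
                hits.append(ev)
        return hits

    def shared_account_events(self) -> list[dict]:
        """Entries made under a shared login, i.e. not attributable to one person."""
        return [ev for ev in self.events() if ev["user_id"] in self.SHARED_ACCOUNTS]


def build_sample_log() -> PhiAuditLog:
    """Constructed sample events; none of this is real PHI."""
    log = PhiAuditLog()
    log.record_access("dr.patel", "pt-1042", "read",
                      datetime(2024, 3, 3, 14, 5, tzinfo=timezone.utc))
    log.record_access("billing.jlee", "pt-1042", "read",
                      datetime(2024, 3, 3, 16, 40, tzinfo=timezone.utc))
    log.record_access("admin", "pt-1042", "export",
                      datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc))
    log.record_access("dr.patel", "pt-2210", "update",
                      datetime(2024, 3, 3, 15, 0, tzinfo=timezone.utc))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    for ev in log.who_accessed("pt-1042", "2024-03-03"):
        print(ev["ts"], ev["user_id"], ev["action"])
    for ev in log.shared_account_events():
        print("shared account used:", ev)
```

The point of the design is that the answer to "who opened this record on March 3rd" is a filter over structured fields, not a grep through free-text lines; if your current logs cannot produce that list in a few seconds, that is the gap to write down in the assessment.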
Why the assessment matters more than the BAA people fixate on: a signed business associate agreement moves liability around, but it doesn't tell you where your gaps are. The risk analysis is the only artifact that does, and it's among the first things requested in basically every OCR settlement on record. "We assumed we were fine" is not an answer that survives that request.
Run it honestly. "In progress" is a valid answer and a more useful one than pretending everything's in place; the output is a list of what isn't done yet, which is the entire point. Then decide whether you need the consultant. For a lot of small teams, the answer after seeing the gap list is "we can close most of these ourselves."