SideGuy
Tech-Help · Clarity Before Cost

🛡️ COMPLIANCE · HIPAA RISK ASSESSMENT

How to do a HIPAA risk assessment — the operator steps.

The Security Risk Assessment is required under the HIPAA Security Rule, and it's the first thing a regulator or a serious client asks to see. It's not a form you buy — it's work you do. Here's the operator-honest version.

Operator-honest tech-help · no jargon · no upsell to something you don't need.

The risk-assessment steps

Work these in order · step 1 is the one most people skip and then can't recover from

  • Inventory where PHI actually lives. List every system, app, server, laptop, phone, backup, and third-party vendor that creates, receives, stores, or transmits PHI. You cannot assess risk to data you haven't located — and "we think it's only in the database" is almost never true once you look. This map is the foundation; everything else builds on it.
  • Identify the threats and vulnerabilities. For each PHI location, name what could go wrong: a stolen laptop, a phished credential, a misconfigured cloud bucket, a vendor breach, ransomware, an unencrypted backup. Be concrete — "hackers" is not a threat you can plan against; "a laptop with PHI and no disk encryption" is.
  • Assess the safeguards already in place. For each threat, document what currently protects against it — encryption in transit and at rest, access controls, audit logging, MFA, automatic logoff, training. This is an honest inventory of reality, not the safeguards you intend to add. The gap between the two is your risk.
  • Rate each risk — likelihood and impact. For every gap, judge how likely it is and how bad it would be. A high-likelihood, high-impact gap (PHI in unencrypted email) outranks a low one. Rating is what turns a list of worries into a priority order you can actually act on.
  • Write the remediation plan. For each meaningful risk: what you'll do, who owns it, and by when. A risk assessment with no remediation plan is just a list of problems — the plan is the part that proves you're managing risk, not merely aware of it.
  • Document it all — and set a review cadence. Write it down: the inventory, the threats, the ratings, the plan, the decisions. Then schedule the next review — at least annually, and after any major change (new system, new vendor, an incident). The document is the evidence; the cadence is what keeps it true.
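The rating, remediation-plan and review-cadence steps above, as an added example that is not SideGuy's tooling: a small Python risk register over constructed, hypothetical entries that scores each gap by likelihood times impact, orders it into a priority list, flags meaningful risks that have no owner or due date, and checks whether the annual or post-change review has come due.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

@dataclass
class Gap:
    """One row of the register: where PHI lives, a concrete threat, the safeguard
    that exists today, and 1..3 ratings for likelihood and impact."""
    location: str
    threat: str
    safeguard: str
    likelihood: int            # 1 = rare, 2 = plausible, 3 = likely
    impact: int                # 1 = minor, 2 = serious, 3 = severe (reportable breach)
    owner: Optional[str] = None
    due: Optional[date] = None

    def score(self) -> int:
        # Likelihood x impact: 9 is the "PHI in unencrypted email" tier, 1 is a footnote.
        return self.likelihood * self.impact

# Constructed sample register for a small practice (hypothetical systems and owners).
REGISTER: List[Gap] = [
    Gap("staff email", "PHI sent in unencrypted email", "none", 3, 3, "IT lead", date(2025, 3, 31)),
    Gap("front-desk laptop", "laptop with PHI lost, no disk encryption", "screen lock only", 2, 3),
    Gap("nightly backup", "unencrypted backup drive taken off site", "locked cabinet", 2, 3, "Owner", date(2025, 4, 30)),
    Gap("cloud file share", "misconfigured bucket exposes exports", "private by default, access logging", 1, 3, "IT lead", date(2025, 6, 30)),
    Gap("billing vendor", "vendor breach of claims data", "BAA signed, annual review", 1, 2, "Office manager", date(2025, 9, 30)),
]

def prioritize(gaps: List[Gap]) -> List[Gap]:
    """Rate step: order by score (ties by impact, then name) so the list becomes an action order."""
    return sorted(gaps, key=lambda g: (-g.score(), -g.impact, g.location))

def without_plan(gaps: List[Gap], threshold: int = 4) -> List[Gap]:
    """Plan step: a meaningful risk (score >= threshold) with no owner or date is unmanaged."""
    return [g for g in gaps if g.score() >= threshold and (g.owner is None or g.due is None)]

def review_due(last_review: str, today: str, major_change: bool = False, cadence_days: int = 365) -> bool:
    """Cadence step: re-run at least annually, or right after a major change. Dates are ISO strings."""
    elapsed = (date.fromisoformat(today) - date.fromisoformat(last_review)).days
    return major_change or elapsed >= cadence_days

if __name__ == "__main__":
    for g in prioritize(REGISTER):
        print(f"{g.score()}  {g.location:18} {g.threat}  [today: {g.safeguard}]")
    print("unmanaged:", [g.location for g in without_plan(REGISTER)])
    print("review due:", review_due("2024-01-15", "2025-02-01"))
```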

🛡️ The deeper fix · SideGuy builds it

A risk assessment that stays alive

SideGuy is the operator layer that runs your Security Risk Assessment and keeps it current — re-checking it when you add a system, swap a vendor, or hire, instead of letting it rot in a folder until an audit. The assessment is real work; staying current is the work that actually protects you.

It starts with a $250 Operator Audit — a real first-pass Security Risk Assessment of your stack with an operator-honest read on your top gaps. The first hour is free. Text PJ and we'll scope it.

Common questions (answered honestly)

Is a HIPAA risk assessment legally required?
Yes. The HIPAA Security Rule requires Covered Entities and Business Associates to conduct an accurate, thorough risk analysis of the risks to electronic PHI — and to keep it current. It is the first piece of evidence regulators ask for, and the most common finding when it's missing or stale.
How often should I redo it?
At minimum annually, and again after any major change — a new system, a new vendor in the PHI path, a reorganization, or a security incident. A risk assessment that no longer describes your actual stack offers no protection, regardless of how thorough it was when written.
Can I just use a template or a free SRA tool?
A template or the free Security Risk Assessment tool can give you structure, but they cannot inventory your specific systems or judge your real risks for you. The hard, valuable part — locating PHI and rating actual gaps — is work only someone who looks at your stack can do.
What's the fastest way to get a real one started?
A focused first-pass assessment of your actual stack. SideGuy's $250 Operator Audit produces exactly that — a real Security Risk Assessment first pass with your top gaps named, operator-honest. Text PJ.


Text PJ → 858-461-8054