The One Requirement OCR Fines for More Than Any Other
If your healthcare practice handles protected health information and you have not completed a formal HIPAA security risk assessment, you are already out of compliance. It is not a recommendation. It is not a best practice. It is a federal requirement under 45 CFR 164.308(a)(1)(ii)(A) (the Security Rule's "risk analysis" standard), and the HHS Office for Civil Rights (OCR) has made it the single most cited deficiency in enforcement actions.
Between 2020 and 2025, OCR settled more cases involving a missing or incomplete risk assessment than any other HIPAA violation category. The penalties ranged from $25,000 for small practices to over $4.3 million for organizations that should have known better. The pattern is consistent: practices that never performed the assessment, or performed it once years ago and never updated it, paid the largest fines.
For small medical and dental practices across San Diego, this is not an abstract regulatory concern. It is a financial exposure that can end a practice. Here is what the assessment requires, where most practices fall short, and what to do about it.
What a HIPAA Security Risk Assessment Is (and What It Is Not)
A HIPAA security risk assessment is a systematic evaluation of every place your practice creates, receives, stores, or transmits electronic protected health information (ePHI). It identifies what could go wrong, how likely it is to happen, and what the impact would be if it did.
It is not a checklist. It is not a questionnaire your EHR vendor emailed you during onboarding. It is not a scan from an IT provider that lists software vulnerabilities. Those tools can support a risk assessment, but none of them satisfy the requirement on their own.
OCR has been explicit about this. A risk assessment must be thorough, documented, and specific to your practice. A generic template downloaded from the internet does not meet the standard, because it does not reflect your systems, your workflows, or your threat environment.
The Six Elements OCR Expects to See
OCR does not publish a rigid template, but enforcement actions and published guidance make clear what the assessment must cover. Every risk assessment should address these six areas.
1. Identify Where ePHI Lives
Before you can protect patient data, you need to know where it is. This means documenting every system, device, and location that touches ePHI: your EHR system, billing software, email accounts, laptops, tablets, mobile phones, paper records that were scanned, cloud storage, backup drives, and any third-party platform that processes patient information.
Most practices undercount. The EHR is obvious. The billing system is obvious. The front desk computer where staff sometimes email patient records as PDF attachments is less obvious but equally important.
2. Identify Threats and Vulnerabilities
A threat is anything that could exploit a weakness in your systems. A vulnerability is the weakness itself. Your assessment needs to list both, specific to your environment.
Common threats for San Diego healthcare practices include phishing emails targeting front desk staff, ransomware delivered through malicious attachments, unauthorized access from former employees whose accounts were never disabled, and physical theft of devices from vehicles or unlocked offices.
Common vulnerabilities include shared passwords among staff, unencrypted laptops, outdated operating systems that no longer receive security patches, and the absence of multi-factor authentication on systems that contain patient records.
3. Assess Current Security Controls
Document what protections you already have in place. This includes access controls, encryption, audit logging, physical security, workforce training, and backup procedures. Be honest about what exists and what does not. An assessment that claims controls are in place when they are not is worse than an honest one that documents gaps: it leaves the real risks unaddressed, and if OCR later compares the document to what it finds on site, the mismatch reads as misrepresentation rather than as an incomplete effort.
4. Determine the Likelihood of Each Threat
Not every threat carries the same probability. A phishing attack against a practice with no email filtering and no staff training is far more likely than a physical break-in at a building with keycard access and security cameras. Rate each threat scenario on a scale (high, medium, low) based on your specific controls and environment.
5. Determine the Impact of Each Threat
If the threat materializes, what happens? A ransomware attack that encrypts your EHR when you have no tested backup is a high-impact event that could shut down your practice for days or weeks. A phishing email that lands with a front desk user whose account has no access to the EHR is lower impact than the same email landing with an administrator who holds EHR credentials. Rate each scenario on its consequences, independently of how likely it is; likelihood was rated in the previous step.
6. Calculate and Prioritize Risk
Combine the likelihood and impact ratings to produce a risk level for each scenario. High likelihood combined with high impact is your top priority. Low likelihood combined with low impact goes to the bottom of the list. This gives you a clear, defensible roadmap for where to spend your security budget first. Note that the Security Rule pairs risk analysis with a separate risk management standard, 45 CFR 164.308(a)(1)(ii)(B): the prioritized list must actually be acted on, and the actions, owners, and dates documented, or the assessment alone does not satisfy the rule.
The Three Mistakes I See Most Often
Mistake 1: Treating It as a One-Time Event
HIPAA requires the risk assessment to be updated regularly. OCR does not specify an exact interval, but the standard expectation is at least annually and whenever a significant change occurs in your practice: a new EHR system, a new office location, a staffing change that affects access controls, or a security incident.
Practices that performed a risk assessment in 2021 and never touched it again are not compliant. The threat landscape changes. Your systems change. Your staff changes. The assessment must reflect reality, not a snapshot from three years ago.
Mistake 2: Relying on the EHR Vendor to Handle It
Your EHR vendor is responsible for the security of their platform. They are not responsible for the security of your entire practice. The risk assessment covers your network, your devices, your physical office, your staff behavior, your backup procedures, and every other system that touches patient data. The vendor cannot assess what they do not control.
Some vendors provide risk assessment tools or questionnaires as part of their compliance package. These can be a useful starting point, but they are not a substitute for a comprehensive assessment that covers your full environment.
Mistake 3: Confusing a Security Scan with a Risk Assessment
IT providers sometimes run automated vulnerability scans and present the output as a HIPAA risk assessment. A vulnerability scan identifies technical weaknesses in your systems: missing patches, open ports, outdated software. That is valuable information, but it covers only one piece of the assessment.
A risk assessment also evaluates administrative safeguards (policies, training, access management), physical safeguards (facility access, workstation security, device disposal), and the human element (who has access to what, and why). A scan cannot evaluate whether your staff knows how to recognize a phishing email or whether your terminated employees still have active login credentials.
What OCR Penalties Look Like for San Diego Practices
OCR operates a tiered penalty structure under 45 CFR 160.404, with dollar amounts adjusted for inflation each year. Under the 2023 adjustment, the lowest tier, for violations the practice did not know about and could not reasonably have known about, runs from $137 to $68,928 per violation. The highest tier, for willful neglect that is not corrected within 30 days, runs from $68,928 to $2,067,813 per violation. The regulation's calendar-year cap for identical violations is $2,067,813 in every tier, although since 2019 OCR has applied an enforcement discretion policy with lower annual caps for the three lower tiers ($25,000, $100,000 and $250,000 before inflation adjustment), reserving the full cap for willful neglect left uncorrected.
For small practices, the financial exposure is severe. A single breach affecting 500 or more individuals must be reported to HHS within 60 days, and OCR opens an investigation into every such report. If the investigation finds that no risk assessment was ever performed, expect the penalty to land in the upper tiers: OCR has repeatedly cited that omission as a basis for its settlements and civil money penalties, and a requirement that has been explicit since the Security Rule took effect in 2005 is hard to argue down from willful neglect once it has simply been ignored.
The cost of performing a proper risk assessment is a fraction of the cost of a single OCR penalty. For most small practices, the gap between compliant and non-compliant is not budget. It is awareness.
How to Get Started
If your practice has never completed a HIPAA security risk assessment, or if the last one was more than 12 months ago, the time to act is now. Here is the minimum path to get compliant.
Step 1: Inventory every system, device, and location where ePHI is created, received, stored, or transmitted. Include cloud services, mobile devices, and any paper-to-digital workflows.
Step 2: Identify the threats and vulnerabilities specific to your practice. Do not copy a generic list. Walk through your office, talk to your staff, and document what you find.
Step 3: Rate each risk by likelihood and impact. Be honest. The assessment is for your protection, not for show.
Step 4: Create a remediation plan with clear priorities, responsible parties, and target dates. High-risk items go first.
Step 5: Document everything and retain it. Set a calendar reminder to review and update the assessment in 12 months.
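The six elements above and Steps 1 through 5 describe one procedure: inventory, threats and vulnerabilities, existing controls, likelihood, impact, prioritization. Below is an added example, written for this page and not a tool from the author, from OCR, or from any EHR vendor, of a minimal risk register in Python that carries a constructed small-practice inventory through that procedure and produces a ranked remediation list. The asset names, threat scenarios, the 3x3 scoring bands, and the rule that a tie is broken by impact are assumptions chosen for illustration; OCR does not prescribe a particular matrix. The `coverage_gaps` check is there for Mistake 3: a register built only from a vulnerability scan will show the administrative and physical safeguard families as untouched.

```python
"""Added example: a minimal HIPAA risk register applying the six elements.

Illustrative code written for this page; not an OCR tool, not a template
the page provides. All scenarios, names and scoring bands are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Likelihood and impact use the page's high/medium/low scale (assumed 1..3).
LEVELS = {"low": 1, "medium": 2, "high": 3}
# The three Security Rule safeguard families a complete assessment must cover.
SAFEGUARDS = {"administrative", "physical", "technical"}


@dataclass(frozen=True)
class RiskScenario:
    asset: str                 # element 1: where the ePHI lives
    safeguard: str             # safeguard family the weakness falls under
    threat: str                # element 2: what could exploit the weakness
    vulnerability: str         # element 2: the weakness itself
    controls: tuple[str, ...]  # element 3: what is honestly in place today
    likelihood: str            # element 4
    impact: str                # element 5

    def __post_init__(self) -> None:
        # Reject ratings or categories outside the agreed scale so the
        # register cannot quietly carry "N/A" or "TBD" entries.
        if self.likelihood not in LEVELS or self.impact not in LEVELS:
            raise ValueError(f"{self.asset}: ratings must be one of {sorted(LEVELS)}")
        if self.safeguard not in SAFEGUARDS:
            raise ValueError(f"{self.asset}: safeguard must be one of {sorted(SAFEGUARDS)}")


def risk_score(s: RiskScenario) -> int:
    """Element 6: combine likelihood and impact into a 1..9 score."""
    return LEVELS[s.likelihood] * LEVELS[s.impact]


def risk_level(score: int) -> str:
    """Map a 1..9 score back onto high/medium/low bands (assumed cut-offs)."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def prioritize(scenarios: list[RiskScenario]) -> list[dict]:
    """Order the register for remediation: highest score first, ties broken
    by impact so a rare-but-catastrophic item outranks a common-but-contained one."""
    ordered = sorted(
        scenarios,
        key=lambda s: (risk_score(s), LEVELS[s.impact], LEVELS[s.likelihood]),
        reverse=True,
    )
    return [
        {"rank": i, "asset": s.asset, "threat": s.threat,
         "score": risk_score(s), "level": risk_level(risk_score(s)),
         "controls": list(s.controls)}
        for i, s in enumerate(ordered, start=1)
    ]


def coverage_gaps(scenarios: list[RiskScenario]) -> list[str]:
    """Safeguard families with no scenario at all. A register built only
    from a vulnerability scan shows administrative and physical gaps."""
    return sorted(SAFEGUARDS - {s.safeguard for s in scenarios})


# Constructed sample register for a small practice (not real findings).
SAMPLE = [
    RiskScenario("Cloud EHR", "technical", "ransomware via email attachment",
                 "no tested, offline backup of EHR exports",
                 ("vendor encryption at rest",), "high", "high"),
    RiskScenario("Front desk workstation", "administrative", "phishing of front desk staff",
                 "no security awareness training; shared login",
                 ("spam filter",), "high", "medium"),
    RiskScenario("Provider laptop", "physical", "theft from vehicle",
                 "full-disk encryption not enabled", (), "medium", "high"),
    RiskScenario("Billing system", "administrative", "access by former employee",
                 "termination checklist omits account disablement",
                 ("unique user IDs",), "medium", "medium"),
    RiskScenario("Scanned records on file share", "technical", "insider browsing records",
                 "no audit logging on the share", ("locked office door",), "low", "medium"),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE):
        print(f"{row['rank']}. [{row['level']:6}] {row['asset']}: "
              f"{row['threat']} (score {row['score']})")
    print("uncovered safeguard families:", coverage_gaps(SAMPLE) or "none")
```

Run as a script it prints the ranked list with the untested-backup ransomware scenario first and the unlogged file share last. The register is the artifact to retain under Step 5; when you repeat the exercise in 12 months, re-rate the scenarios against the controls you actually deployed rather than editing the old scores.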
If this process feels outside your expertise, that is a normal reaction. Most healthcare professionals did not enter medicine to become cybersecurity experts. That is where a consultant with healthcare security experience adds the most value: translating the requirement into a clear, actionable plan that protects your practice and your patients.
Need a HIPAA Security Risk Assessment?
I help San Diego healthcare practices complete compliant risk assessments that satisfy OCR requirements and protect patient data. Book a free consultation to find out where your practice stands.
Schedule Your HIPAA Assessment