OCR's #1 finding in HIPAA enforcement actions is 'failure to conduct an accurate and thorough risk analysis' — Anthem ($16M), Premera ($6.85M), and BCBS Tennessee ($1.5M) all settled on this. §164.308(a)(1)(ii)(A) requires a documented risk analysis covering ePHI confidentiality, integrity, and availability. This 25-row register covers the threats every Covered Entity and Business Associate must analyse.
Scoring follows NIST SP 800-30: Likelihood (1–5) × Impact (1–5), giving a score from 1 to 25. OCR explicitly recommends NIST 800-30. Risks scoring 15 or above are unacceptable; safeguards must reduce the residual score to 9 or below, or the remaining risk must be documented as accepted.
| ID | Threat | Vulnerability | Inherent | Control | Residual | Treatment | Owner | Reference |
|---|---|---|---|---|---|---|---|---|
| R-01 | Insufficient workforce training | New staff handle PHI before training | 4×4=16 | Pre-access mandatory HIPAA training; annual refresher; documented in HRIS. | 2×3=6 | Mitigate | Privacy Officer | §164.308(a)(5) |
| R-02 | Sanction policy not enforced | Violations not addressed; tone problem | 3×3=9 | Documented sanction policy; HR partnership for enforcement; tracked register. | 2×2=4 | Mitigate | HR | §164.308(a)(1)(ii)(C) |
| R-03 | Business Associate non-compliance | Sub-BAs operate without BAA or with non-compliant terms | 4×5=20 | BAA repository; pre-onboarding security review; annual recertification. | 2×4=8 | Mitigate | Privacy Officer | §164.308(b) / §164.504(e) |
| R-04 | Inadequate contingency plan | No tested DR plan for PHI systems | 3×5=15 | Documented Contingency Plan w/ data-backup, DR, emergency-mode, testing, app-criticality. | 2×4=8 | Mitigate | Security Officer | §164.308(a)(7) |
| R-05 | Audit controls not reviewed | Logs collected but never analysed | 4×4=16 | SIEM w/ alerting on PHI access patterns; weekly review of high-risk events. | 2×3=6 | Mitigate | Security Officer | §164.308(a)(1)(ii)(D) |
| R-06 | Risk analysis not updated | Risk analysis from 5 years ago | 4×5=20 | Annual risk analysis + after material changes; documented and reviewed by management. | 2×4=8 | Mitigate | Security Officer | §164.308(a)(1)(ii)(A) |
| R-07 | Termination procedure failure | Departing staff retain ePHI access | 4×5=20 | Same-day deprovisioning checklist tied to HRIS termination; recovery of devices/credentials. | 2×3=6 | Mitigate | HR + IT | §164.308(a)(3)(ii)(C) |
| R-08 | Information system activity review missing | No review of who accessed which patient | 4×4=16 | Quarterly access review; patient-record audit on demand. | 2×3=6 | Mitigate | Privacy Officer | §164.308(a)(1)(ii)(D) |
| R-09 | Workstation theft / loss | Unencrypted laptop with ePHI stolen | 4×5=20 | Full-disk encryption mandatory; MDM enrolment; laptop register. | 2×3=6 | Mitigate | IT | §164.310(c) / §164.310(d) |
| R-10 | Unauthorised facility access | Tailgating into clinical area | 3×4=12 | Badged entry, visitor escort, CCTV at sensitive zones. | 2×3=6 | Mitigate | Facilities | §164.310(a)(1) |
| R-11 | Improper media disposal | Hard drives discarded without sanitisation | 3×5=15 | NIST 800-88 sanitisation; certificate of destruction; chain-of-custody log. | 1×3=3 | Mitigate | IT | §164.310(d)(2)(i) |
| R-12 | Unauthorised access to ePHI database | Shared admin accounts; no role-based access | 5×5=25 | Unique user IDs; RBAC; MFA on all PHI systems; quarterly access reviews. | 2×4=8 | Mitigate | IT | §164.312(a)(2)(i) |
| R-13 | Automatic logoff missing | Workstation left unlocked in clinical setting | 4×4=16 | 5-min idle auto-lock; OS-enforced via MDM. | 2×3=6 | Mitigate | IT | §164.312(a)(2)(iii) |
| R-14 | Unencrypted ePHI at rest | Database in clear text | 3×5=15 | AES-256 at rest; KMS-managed keys; verified annually. | 1×4=4 | Mitigate | SRE | §164.312(a)(2)(iv) |
| R-15 | Unencrypted ePHI in transit | Email sent in clear text to external party | 4×5=20 | TLS 1.2+ enforced; secure portal for external sharing. | 2×4=8 | Mitigate | IT | §164.312(e)(2)(ii) |
| R-16 | Audit logs incomplete | PHI access not logged on legacy systems | 4×5=20 | Centralised logging; legacy systems wrapped or replaced; 6-year retention. | 2×4=8 | Mitigate | Security Officer | §164.312(b) |
| R-17 | Data integrity failure | EHR record altered without trail | 3×5=15 | Versioned records; change log immutable; integrity checks on critical fields. | 1×4=4 | Mitigate | Engineering | §164.312(c)(1) |
| R-18 | Person/entity authentication weakness | Password-only access | 5×5=25 | MFA required for all ePHI access (FIDO2 preferred for clinicians). | 2×4=8 | Mitigate | IT | §164.312(d) |
| R-19 | Unreported breach > 60 days | Discovery-to-notification SLA missed | 3×5=15 | Documented breach playbook w/ 60-day individual / immediate-OCR notification timelines. | 2×4=8 | Mitigate | Privacy Officer | §164.404 / §164.408 |
| R-20 | Insufficient breach risk assessment | 4-factor analysis not documented | 3×4=12 | Standardised 4-factor breach risk assessment template (nature/extent, recipient, acquired, mitigation). | 2×3=6 | Mitigate | Privacy Officer | §164.402 |
| R-21 | Phishing leading to mailbox compromise | Clinical mailbox = de-facto PHI repository | 5×5=25 | FIDO2 MFA; conditional access; quarterly phishing simulation; mailbox DLP. | 2×4=8 | Mitigate | IT | §164.308(a)(5)(ii)(B) |
| R-22 | Ransomware on EHR | Backups insufficiently isolated | 3×5=15 | Immutable / air-gapped backups; quarterly test-restore; EDR on all endpoints. | 2×4=8 | Mitigate | SRE | §164.308(a)(7)(ii)(A) |
| R-23 | Use & disclosure beyond minimum necessary | Bulk data exports for analytics include full PHI | 4×4=16 | Minimum-necessary review per use case; de-identification (Safe Harbor or Expert Determination) for analytics. | 2×3=6 | Mitigate | Privacy Officer | §164.502(b) |
| R-24 | Patient access right refused / delayed | 30-day response SLA missed | 3×3=9 | Patient access intake form + tracking; 30-day SLA; documented denial process. | 2×2=4 | Mitigate | Privacy Officer | §164.524 |
| R-25 | Accounting of disclosures incomplete | No log of non-TPO disclosures | 3×3=9 | Disclosure log capturing all non-TPO disclosures w/ recipient, purpose, date. | 2×2=4 | Mitigate | Privacy Officer | §164.528 |
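A register in this format is easy to get subtly wrong once it is maintained by hand: a product that does not match its factors, or a residual score above the tolerable line with no documented acceptance. The following validator is an added example, not ComplianceIQ code; it parses rows in the nine-column layout used above and applies the scoring rules stated at the top of the page (inherent 15 or above must be treated; residual above 9 must be reduced or carry a documented acceptance). The threshold constants, the use of a `Treatment` value of "Accept" as the marker for documented acceptance, and the two rows prefixed `R-X` are assumptions constructed for the example; the other sample rows are copied from the register.

```python
"""Consistency checks for a Likelihood x Impact risk register in markdown form.

Added example (not ComplianceIQ code). Rules encoded, as stated on the page:
  - score = Likelihood (1-5) x Impact (1-5)
  - inherent score >= 15 is unacceptable and must be treated, not accepted
  - residual score > 9 must be reduced or documented as accepted
Thresholds and the "Accept" treatment label are assumptions.
"""
import re
from dataclasses import dataclass

UNACCEPTABLE = 15   # inherent score at or above this must be treated
TOLERABLE = 9       # residual score must be <= this, or be formally accepted

# Accepts both the page's "4×5=20" and a plain-ASCII "4x5=20".
SCORE_RE = re.compile(r"^\s*([1-5])\s*[x×]\s*([1-5])\s*=\s*(\d+)\s*$")


@dataclass
class Row:
    rid: str
    threat: str
    inherent: tuple[int, int, int]   # (likelihood, impact, stated score)
    residual: tuple[int, int, int]
    treatment: str
    reference: str


def parse_score(cell: str) -> tuple[int, int, int]:
    """Parse a cell such as '4×5=20' into (likelihood, impact, stated score)."""
    m = SCORE_RE.match(cell)
    if not m:
        raise ValueError(f"unparseable score cell: {cell!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def parse_register(markdown: str) -> list[Row]:
    """Parse the 9-column register table, skipping header and separator rows."""
    rows: list[Row] = []
    for line in markdown.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 9 or cells[0] == "ID" or set(cells[0]) <= {"-"}:
            continue
        rid, threat, _vuln, inh, _ctl, res, treat, _owner, ref = cells
        rows.append(Row(rid, threat, parse_score(inh), parse_score(res), treat, ref))
    return rows


def evaluate(rows: list[Row]) -> dict[str, list[str]]:
    """Return findings keyed by row ID; an empty list means the row is consistent."""
    findings: dict[str, list[str]] = {}
    for r in rows:
        issues: list[str] = []
        for label, (lik, imp, stated) in (("inherent", r.inherent), ("residual", r.residual)):
            if lik * imp != stated:
                issues.append(f"{label} arithmetic: {lik}x{imp} != {stated}")
        inh = r.inherent[2]
        res = r.residual[2]
        accepted = r.treatment.strip().lower() == "accept"
        if inh >= UNACCEPTABLE and accepted:
            issues.append(f"inherent {inh} >= {UNACCEPTABLE} cannot simply be accepted")
        if res > TOLERABLE and not accepted:
            issues.append(f"residual {res} > {TOLERABLE} without documented acceptance")
        if res > inh:
            issues.append("residual exceeds inherent score")
        findings[r.rid] = issues
    return findings


def unacceptable_ids(rows: list[Row]) -> list[str]:
    """IDs whose inherent score reaches the unacceptable threshold."""
    return [r.rid for r in rows if r.inherent[2] >= UNACCEPTABLE]


# Sample input: three rows copied from the register above, plus two constructed
# rows (R-X1, R-X2) that deliberately violate the rules.
REGISTER_SAMPLE = """
| ID | Threat | Vulnerability | Inherent | Control | Residual | Treatment | Owner | Reference |
|---|---|---|---|---|---|---|---|---|
| R-12 | Unauthorised access to ePHI database | Shared admin accounts; no role-based access | 5×5=25 | Unique user IDs; RBAC; MFA on all PHI systems; quarterly access reviews. | 2×4=8 | Mitigate | IT | §164.312(a)(2)(i) |
| R-14 | Unencrypted ePHI at rest | Database in clear text | 3×5=15 | AES-256 at rest; KMS-managed keys; verified annually. | 1×4=4 | Mitigate | SRE | §164.312(a)(2)(iv) |
| R-19 | Unreported breach > 60 days | Discovery-to-notification SLA missed | 3×5=15 | Documented breach playbook w/ 60-day individual / immediate-OCR notification timelines. | 2×4=8 | Mitigate | Privacy Officer | §164.404 / §164.408 |
| R-X1 | (constructed) Residual still too high | Control only partly effective | 4×4=16 | Network segmentation only. | 3×4=12 | Mitigate | IT | §164.312(a)(1) |
| R-X2 | (constructed) Scoring typo | Product does not match factors | 3×4=13 | None yet. | 2×2=4 | Accept | IT | §164.308(a)(1)(ii)(A) |
"""

if __name__ == "__main__":
    register = parse_register(REGISTER_SAMPLE)
    print("unacceptable inherent:", unacceptable_ids(register))
    for rid, issues in evaluate(register).items():
        print(rid, "OK" if not issues else "; ".join(issues))
```

Run against the full 25-row register, the checker should report no findings; the two constructed rows show what it catches: R-X1 has a residual of 12 with no documented acceptance, and R-X2 states 3×4=13.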
This register is a strong starting point aligned with NIST 800-30 (which OCR explicitly recommends), but you must customise it with your own assets: every system, application and storage location holding ePHI. OCR specifically rejects 'generic templates not adapted to the entity's environment'.
Business Associates are in scope as well. Since the 2013 Omnibus Rule, BAs are directly liable for the entire Security Rule, including risk analysis. Sub-BAs (subcontractors downstream from a BA) are also liable.
Compared with a generic risk register, the differences are the framework references and the explicit ePHI focus. The HIPAA Security Rule has 18 standards and 36 implementation specifications, and the register must show how each is met, accepted, or addressed via an alternative.
Required specifications must be implemented. Addressable specifications must be implemented or, if not, the entity must document a reasonable alternative providing equivalent protection. Auditors and OCR investigators routinely test the documentation that justifies how each addressable specification was handled.
Drop your current policy or describe your environment — ComplianceIQ scores every clause against the framework and tells you which register rows are actually mitigated.