HIPAA Risk Analysis for San Diego Practices: What to Include

In 2024, U.S. healthcare reported 444 cyber incidents (238 ransomware incidents and 206 data breaches), more than any other critical infrastructure sector.

If you run a medical practice in San Diego, a documented HIPAA risk analysis is required under the Health Insurance Portability and Accountability Act. The HIPAA Security Rule requires every covered entity to evaluate risks to electronic protected health information (ePHI). The Office for Civil Rights within the Department of Health and Human Services enforces this obligation.

The challenge is not understanding the rule. It is keeping the process practical. A HIPAA risk analysis for a San Diego medical practice should document where ePHI lives, who can access it, and how it is protected, then evolve as systems and vendors change.

When maintained, your risk analysis becomes a management tool that supports HIPAA compliance and protects patient privacy without interrupting care.

Key Takeaways

• A HIPAA risk analysis identifies where ePHI resides, who can access it, and how it is safeguarded.
• Common gaps involve access controls, unmanaged devices, insecure sharing, and weak recovery testing.
• Clear scoring, documented remediation, and scheduled reviews keep your healthcare organization audit-ready and HIPAA compliant.

HIPAA risk analysis vs. “security assessment”

By the end of 2024, a record 259 million Americans (about 82% of the population) had their healthcare records reported as hacked.

Risk analysis = identifying and prioritizing risks to ePHI

A risk analysis evaluates how threats, vulnerabilities, and safeguards interact across your environment.

Under the HIPAA Security Rule, a covered entity must assess administrative, physical, and technical safeguards protecting protected health information and ePHI. This includes EHR systems, onboarding and offboarding workflows, remote access, and vendor oversight.

You identify risks such as unauthorized access, lost devices, improper sharing of patient information, or ransomware, then assess likelihood and impact, including operational disruption and breach notification obligations.

For San Diego healthcare providers, this serves as a foundation for regulatory compliance.

Assessment and testing = evaluating controls

Data security assessments test specific controls at a point in time, such as vulnerability scans or configuration reviews.

They help surface technical gaps, but they do not replace a HIPAA security risk assessment.

A scan may detect outdated software. It will not confirm whether access reviews occur regularly, whether a business associate agreement is current, or whether staff training programs reinforce privacy practices.

A HIPAA risk analysis connects technical findings to operational risk.

Why “we have antivirus” is not a risk analysis

Antivirus and encryption are important security measures, but tools alone do not make you HIPAA compliant.

A defensible risk analysis documents why safeguards exist, how they are monitored, and what residual vulnerabilities remain. It records ownership and remediation timelines so you can demonstrate compliance if investigated.

What you must inventory (Systems, data, vendors)

Every medical practice should begin with a comprehensive inventory covering systems, users, devices, and vendors.

This inventory serves as the foundation for sustainable data protection and regulatory compliance.

ePHI locations: EHR, email, file shares, backups, portals

Start with health systems that create, transmit, or store ePHI, including EHR platforms, billing tools, patient portals, email, and cloud backups.

Electronic protected health information may also exist in spreadsheets, scanned records, archived files, and shared drives. Your inventory should reflect actual usage, not assumptions.

Users and roles: staff, clinicians, billing, vendors

Document every role that touches patient data, including clinicians, front desk staff, billing teams, IT support, and contractors.

Role-based access should align with job function. Without periodic review, excess permissions become a hidden risk.

Devices: desktops, laptops, tablets, mobile phones

List all devices that access EHR systems or store patient records.

Encryption, remote wipe capabilities, and enforced patching reduce the likelihood that a lost device becomes a reportable breach notification event.

Third parties: billing, answering services, IT, cloud tools

External vendors that handle PHI must sign a business associate agreement.

Your HIPAA risk analysis should evaluate vendor safeguards and confirm alignment with the HIPAA Privacy Rule and the HIPAA Security Rule. As the covered entity, your medical practice remains accountable.

Typical risk areas to cover

Structured risk analysis is practical risk management.

Access control and authentication

Unique user IDs are required under the HIPAA Security Rule. Shared credentials increase exposure.

Multi-factor authentication reduces unauthorized access and ransomware risk. Access controls should include periodic review, prompt offboarding, and monitoring for unusual login behavior.

Device security, patching, and encryption

Unpatched systems introduce preventable vulnerabilities. Establish consistent patch management for desktops, servers, and EHR environments.

Encrypt portable devices storing ePHI to prevent a reportable data breach under HHS guidance.

Email and file sharing safeguards

Over 70% of major U.S. healthcare data breaches in 2024–2025 involved hacking or malicious software

Define approved tools for transmitting medical records and sensitive medical information.

Staff training programs reinforce encryption requirements and help reduce human error, a common driver of data breaches.

Backups, retention, and recovery testing

Between 2022 and 2024, the U.S. healthcare sector suffered 389 ransomware incidents, with roughly $305.4 million in ransom payments reported.

Backups support clinical continuity and regulatory compliance.

Define retention standards, test restoration regularly, and document results to demonstrate due diligence.

Physical security and workstation practices

Visible screens, unsecured server rooms, and shared login terminals increase risk.

Secure equipment and control visitor access to reinforce privacy practices.

Logging and monitoring basics

Enable audit logs in EHR and critical systems. Monitor for unusual access patterns.

Continuous monitoring supports incident response and provides documentation upon request from the Office for Civil Rights.

Scoring and prioritization (Keep it simple)

Likelihood vs impact

Use a 1–5 scale for likelihood and impact to prioritize risks.

Likelihood reflects probability. Impact reflects patient harm, operational disruption, and regulatory exposure.

Clarity matters more than complexity.

92% of healthcare organizations reported at least one cyberattack in the past year.

Quick wins vs larger projects

Some gaps, such as enabling multi-factor authentication, can be resolved quickly.

Others, like replacing legacy systems, require structured remediation planning and budget alignment.

Documenting compensating controls

If a vulnerability cannot be eliminated immediately, document compensating controls such as additional monitoring or temporary restrictions.

Remediation plan and timelines

Assign owners and due dates

Each risk should have a named owner and a realistic timeline.

Track evidence of completion

Maintain documentation, including configuration records, policy updates, and access reviews, to demonstrate compliance.

Retest and review cadence

After remediation, confirm effectiveness. Ongoing review embeds risk management into daily operations.

How often to update (And what triggers an update)

New systems, vendors, or staffing changes

Update your HIPAA security risk assessment whenever significant operational changes occur.

Major incidents

If ransomware or another cybersecurity incident occurs, revisit your risk analysis and adjust incident response and breach notification procedures.

Annual minimum review

Conduct at least one annual review to keep documentation up to date.

Why Parachute is relevant for HIPAA risk analysis

Helping inventory ePHI workflows

Parachute works with San Diego healthcare providers to map how ePHI flows across systems, users, and vendors.

Standardizing protections

Consistent access controls, patching, encryption, and monitoring reduce vulnerabilities and support HIPAA compliance.

Documentation and remediation cadence

Structured remediation tracking and defined review cycles reduce last-minute audit scrambles.

Backup and recovery aligned to care delivery

Backup and recovery planning align with how your medical practice delivers care, strengthening operational resilience.

Final thoughts: A useful risk analysis is a living document

A HIPAA risk analysis for a San Diego medical practice must evolve as systems and workflows change.

When maintained, it clarifies risks, guides remediation, protects patient privacy, and supports regulatory compliance.

Talk to Parachute about building a maintainable HIPAA risk analysis and remediation plan tailored to your healthcare organization.

FAQs