The HIPAA Risk-Analysis worksheet OCR actually wants.
A fillable worksheet that walks your practice through the six steps OCR expects — ePHI inventory, threat enumeration, vulnerability mapping, likelihood-impact rating, mitigation tracking, and refresh triggers. Sized for small and mid-size medical, dental, and specialty practices.
What's inside
Eight sections — built to satisfy §164.308(a)(1)(ii)(A).
Each section is fillable and includes the prompts OCR expects. The worksheet bakes in the methodology described in our long-form article on the HIPAA risk analysis — so the output is defensible, not generic.
1. Practice profile & ePHI inventory
2. Reasonably anticipated threats
3. Threat-to-vulnerability mapping
4. Likelihood, impact & risk rating
5. Mitigation decisions & owners
6. Refresh triggers & annual review
7. 9-step OCR self-audit
8. Security Official sign-off
The worksheet is a printable web document. Use your browser's Print → Save as PDF to keep an offline copy.
Why this matters
OCR enforces. Carriers check. Your EHR vendor doesn't do this for you.
OCR's #1 cited deficiency
Missing or inadequate risk analysis is the most-cited HIPAA Security Rule violation, year after year. Most six- and seven-figure settlements name it first.
Cyber insurers ask for it
Carrier renewal questionnaires now ask for the date and methodology of your last risk analysis. "We did one a few years ago" doesn't bind coverage.
The undocumented one doesn't count
OCR's position is consistent: if you can't hand a written analysis to an investigator on request, you don't have one. This worksheet makes the "written" part painless.
Want the controls behind the worksheet?
Kapacyber runs the day-to-day security operations behind every row of this risk analysis — MFA on the EHR, EDR on every workstation, encrypted laptops, audit-log review, BAA inventory, and an incident response plan ready for the 60-day breach clock.
