Compliance Guides
March 13, 2026

HIPAA Risk Assessment Checklist for San Diego Healthcare Practices

Step-by-step guide to conducting a thorough HIPAA risk assessment, tailored for San Diego healthcare providers.

A HIPAA risk assessment is the foundation of your compliance program. Without one, every other compliance effort is guesswork. The Office for Civil Rights (OCR) has made it clear through enforcement actions that an incomplete or missing risk assessment is the most common finding in HIPAA investigations. San Diego practices that skip this step are taking on unnecessary exposure.

This guide walks through the risk assessment process in concrete terms, with specific considerations for practices operating in San Diego County.

What a Risk Assessment Actually Requires

The HIPAA Security Rule (45 CFR 164.308(a)(1)(ii)(A)) requires covered entities to "conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information." HHS has published guidance through NIST SP 800-66 that outlines the methodology.

A compliant risk assessment is not a one-page checklist. It is a documented process that identifies where ePHI exists, what threatens it, how likely those threats are, and what you are doing about them.

Step 1: Identify Where ePHI Lives

Before you can assess risk, you need to know where your data is. For a typical San Diego medical practice, ePHI exists in more places than most people realize:

Your EHR system is the obvious one. But also consider your practice management software, billing system, patient scheduling platform, fax server (yes, many San Diego practices still fax), email system, voicemail, text messaging apps, cloud storage (Google Drive, Dropbox, OneDrive), portable devices like laptops and tablets, USB drives, paper records that have been scanned, and backup systems both on-site and off-site.

Document every system, device, and location. Include the type of ePHI stored, the approximate volume, and who has access.

Step 2: Identify Threats

Threats fall into several categories. For San Diego practices, the relevant threat landscape includes:

Cyber threats: Ransomware is the top concern for healthcare organizations nationally, and San Diego is no exception. The 2021 Scripps Health attack demonstrated the real-world impact: four weeks of EHR downtime, diverted ambulances, canceled appointments, and an estimated $113 million in losses. Phishing emails remain the primary entry point for these attacks. Business email compromise, where an attacker impersonates a vendor or executive to trick staff into wiring money or sharing credentials, is also increasing.

Physical threats: San Diego's geography creates specific physical security considerations. Practices in ground-floor locations along busy corridors like El Cajon Boulevard, University Avenue, or Mira Mesa Boulevard need to consider break-in risks. Practices near the coast deal with humidity that can affect server equipment. Wildfire risk in areas like Rancho Bernardo, Poway, and East County means your disaster recovery plan should account for extended facility access disruption.

Internal threats: Unauthorized access by staff is consistently one of the top causes of HIPAA breaches. This includes snooping on records of friends, family, or public figures, as well as accidental disclosures like sending patient information to the wrong recipient.

Vendor and business associate threats: Your compliance is only as strong as your weakest business associate. If your IT provider, billing company, or shredding service mishandles PHI, you share responsibility.

Step 3: Assess Current Security Measures

For each threat you identified, document what controls you currently have in place. Be honest. The risk assessment is an internal document meant to help you identify gaps, not a marketing brochure.

Common controls to evaluate include: access controls (unique user IDs, role-based access, automatic logoff), audit controls (logging of access to ePHI, regular log review), encryption (data at rest, data in transit, portable media), physical security (locked server rooms, workstation positioning, visitor logs), disaster recovery (backup frequency, backup testing, recovery time objectives), workforce training (initial training, annual refresher, phishing simulations), and device management (mobile device policy, remote wipe capability, BYOD controls).

Step 4: Determine Likelihood and Impact

For each threat-vulnerability pair, rate the likelihood (how probable it is that this threat exploits this vulnerability) and the impact (how much damage would result). Use a simple scale: low, medium, or high.

A few examples specific to San Diego practices:

A small dermatology practice in La Jolla with staff who have not received phishing training in two years: likelihood of successful phishing attack is high. Impact of ransomware resulting from that phishing attack is also high, because the practice likely cannot operate without its EHR for more than a day.

A multi-location urgent care group with servers in an unlocked closet at their Pacific Beach location: likelihood of unauthorized physical access is medium (it is an interior closet, but any staff member or cleaning crew has access). Impact is high because the server contains the full patient database.

Step 5: Document Risk Levels and Remediation Plans

Combine likelihood and impact to determine an overall risk level for each finding. High-likelihood and high-impact items need immediate attention. Low-likelihood and low-impact items can be addressed on a longer timeline, but they still need to be documented and tracked.

For each risk, document your remediation plan. Be specific: what will you do, who is responsible, and when will it be completed. "Improve security" is not a plan. "IT manager will enable BitLocker on all workstations by April 30 and verify completion with screenshots of encryption status" is a plan.
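As an added example that is not part of the original article, here is a small Python risk register that carries Steps 4 and 5 through on findings like the two above: it combines the low/medium/high ratings into an overall level, ranks findings, and flags remediation plans that lack a specific action, an owner or a deadline. The combination rule (product of ordinal ratings), the banding thresholds, the four-word check on the action text and the sample findings are all assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

LEVELS = {"low": 1, "medium": 2, "high": 3}  # the low/medium/high scale from Step 4

@dataclass
class Finding:
    asset: str                  # where the ePHI lives (Step 1)
    threat: str                 # the threat-vulnerability pair (Step 2)
    likelihood: str             # low / medium / high
    impact: str                 # low / medium / high
    action: str = ""            # what will be done
    owner: str = ""             # who is responsible
    due: Optional[date] = None  # when it will be completed

def risk_score(likelihood: str, impact: str) -> int:
    """Ordinal product of likelihood x impact, 1..9 (assumed combination rule)."""
    return LEVELS[likelihood] * LEVELS[impact]

def risk_level(likelihood: str, impact: str) -> str:
    """Assumed banding of the score: 1-2 low, 3-4 medium, 6-9 high."""
    score = risk_score(likelihood, impact)
    return "high" if score >= 6 else "medium" if score >= 3 else "low"

def plan_gaps(f: Finding) -> list:
    """Names of the Step 5 plan fields (action, owner, due) this finding still lacks."""
    gaps = []
    if len(f.action.split()) < 4: gaps.append("action")  # assumed heuristic: rejects "Improve security"
    if not f.owner.strip(): gaps.append("owner")
    if f.due is None: gaps.append("due")
    return gaps

def prioritize(findings: list) -> list:
    """(level, asset, missing plan fields) per finding, highest risk score first."""
    ranked = sorted(findings, key=lambda f: risk_score(f.likelihood, f.impact), reverse=True)
    return [(risk_level(f.likelihood, f.impact), f.asset, plan_gaps(f)) for f in ranked]

# Constructed sample findings modelled on the two Step 4 examples (not real practices).
SAMPLE = [
    Finding("Pacific Beach server closet", "unauthorized physical access", "medium", "high",
            action="Install keyed lock and badge reader on server closet door",
            owner="Office manager", due=date(2026, 5, 15)),
    Finding("La Jolla front-desk workstations", "phishing leading to ransomware", "high", "high",
            action="Improve security"),  # vague action, no owner, no deadline
]

if __name__ == "__main__":
    for level, asset, gaps in prioritize(SAMPLE):
        print(f"{level:6} {asset:35} missing: {gaps or 'none'}")
```

Both sample findings come out as high risk, but only the second is flagged for a missing plan, which is the distinction Step 5 asks you to track.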

Step 6: Review Business Associate Relationships

List every vendor that has access to your ePHI. For San Diego practices, this typically includes your EHR vendor, IT support provider, billing and coding service, answering service, shredding company, cloud storage provider, email provider, and any consultants who access patient data.

Verify that you have a current, signed BAA with each one. Check that the BAA includes the 2025 Security Rule updates, particularly the 72-hour incident notification requirement. If a vendor refuses to sign a BAA, you cannot share ePHI with them. Period.

Step 7: Plan for Annual Updates

A risk assessment is not a one-time project. The Security Rule requires ongoing risk management. At minimum, update your assessment annually and whenever you have a significant change: new EHR system, new office location, new service line, or a security incident.

Schedule your next risk assessment now. Put it on the calendar. Assign responsibility. The practices that treat risk assessment as an ongoing process rather than a one-time exercise are the ones that stay out of trouble with OCR.

Common Mistakes San Diego Practices Make

Using a generic template without customization. A risk assessment for a San Diego pediatric clinic should look different from one for a Los Angeles hospital system. Your assessment needs to reflect your specific environment, systems, and threat landscape.

Skipping the asset inventory. You cannot assess risk to ePHI if you do not know where it is. Every new app, device, or cloud service your staff uses needs to be captured.

Not involving the right people. The risk assessment should involve your privacy officer, your IT person (whether in-house or outsourced), your office manager, and at least one clinician. Each perspective catches different risks.

Treating it as a compliance checkbox. The point is not to fill out a form. The point is to find and fix vulnerabilities before they become breaches. Take it seriously, and it will pay for itself many times over in prevented incidents.
