The HIPAA Security Rule requires covered entities — including home health agencies — to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.
The risk assessment is not optional. It is not something you do once and file away. It is the foundation of your entire HIPAA compliance program — and it is the first document that OCR investigators request when they audit a home health agency or investigate a breach.
OCR's enforcement data is clear: the most common HIPAA Security Rule citation is failure to conduct an adequate and current risk analysis. This one gap — a missing or outdated risk assessment — is found in the majority of enforcement actions against home health agencies.
This guide walks through the risk assessment process step by step, in terms that a home health administrator without a technical background can understand and implement.
What a Risk Assessment Is (and Is Not)
It is: A systematic identification of every place where your agency stores, transmits, or processes electronic protected health information, an analysis of what could go wrong at each location, and a documented plan for addressing the risks identified.
It is not: A vendor checklist you complete in 30 minutes. A policy document stating your intention to be HIPAA-compliant. An IT audit of your servers. A once-and-done exercise.
Step 1: Scope the Assessment — Where Does ePHI Live?
The first step is identifying every system, device, and process through which your agency's electronic protected health information flows. For a home health agency, this typically includes:
Clinical systems:
- Your EHR (whether cloud-hosted or locally installed)
- Any telehealth platform used for patient video visits
- Remote patient monitoring platforms
- Clinical documentation tools on mobile devices

Administrative systems:
- Microsoft 365 or Google Workspace (email, SharePoint, OneDrive containing patient documents)
- Billing software and clearinghouses
- Scheduling systems that contain patient names and clinical details
- Any cloud storage services where patient documents are stored

Devices:
- Office workstations and laptops
- Nurses' and aides' personal smartphones and tablets (if used for work)
- Shared tablets in the office
- Any medical devices that transmit readings wirelessly

Networks:
- Your office network
- Remote access connections (VPN, RDP) used by staff working from home
- Cloud connections to hosted systems
Document every item on this list. The scope of your risk assessment must match the actual scope of your ePHI environment. If a system or device exists and is not in the risk assessment, it is an unassessed risk — which is a compliance gap.
Step 2: Identify Threats and Vulnerabilities
For each system, device, or process in your scope, identify:
Threats — what could go wrong? Categories include:
- External threats: ransomware, phishing, credential theft, unauthorized access by outside parties
- Internal threats: unauthorized access by employees, accidental disclosure, lost or stolen devices
- Environmental threats: power outages, natural disasters, hardware failure

Vulnerabilities — what weaknesses could allow a threat to succeed?
- Unpatched software
- Missing MFA
- Unencrypted devices
- Lack of backup systems
- Staff with excessive access permissions
- No security awareness training
For each vulnerability, document which system or process it affects, what threat it enables, and what the current control (if any) is addressing it.
Step 3: Analyze the Likelihood and Impact
For each identified threat and vulnerability combination, assess:
Likelihood: How probable is it that this threat will occur, given the vulnerability? Use a simple scale: Low (unlikely given controls), Medium (possible), High (probable without additional controls).
Impact: If this threat occurs, what is the effect on the confidentiality, integrity, or availability of ePHI? Low (limited, temporary disruption), Medium (significant disruption or limited disclosure), High (major breach, significant data exposure, extended disruption to care).
Risk level: Combine likelihood and impact into a risk level — Low, Medium, High, or Critical. This prioritizes which risks require immediate action.
Document every assessment. The documentation itself is a HIPAA requirement — not just the conclusions.
Step 4: Document Current Controls and Gaps
For each identified risk, document:
- What controls are currently in place to address the risk
- Whether those controls are adequate given the likelihood and impact
- What additional controls are needed
This gap analysis becomes your risk management plan — the roadmap of what your agency needs to implement to reach an adequate security posture.
Step 5: Develop and Document the Risk Management Plan
The risk management plan specifies:
- What controls will be implemented to address each identified risk
- Who is responsible for implementing each control
- The timeline for implementation
- How implementation will be verified

This plan is what OCR investigators look for when they ask not just "did you conduct a risk assessment?" but "did you act on what you found?" An agency that has a risk assessment identifying missing MFA and a risk management plan showing MFA implementation is in a defensible position. An agency that has the same risk assessment but no management plan — and never implemented MFA — is looking at a non-compliance finding.
Step 6: Review and Update
The risk assessment is not a one-time exercise. It must be reviewed and updated:
- At least annually
- When significant operational changes occur: new EHR, new sites, new staff types, new devices, new telehealth capabilities
- When a security incident occurs — to determine whether the risk assessment adequately identified the exploited vulnerability
- When the regulatory environment changes — such as when the 2026 HIPAA Security Rule update introduced new mandatory requirements
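The six steps above are, in practice, a risk register: an inventory of in-scope assets, a threat and vulnerability pair for each, a likelihood and impact rating, a combined risk level, a gap list, and a plan with an owner and a date. The following Python script is an added example written for this guide, not ShieldForce's tooling or a HIPAA-mandated format. The scope items, controls and dates in it are constructed sample data, and the matrix that maps likelihood and impact onto Low/Medium/High/Critical is an assumption (the guide names the levels but does not prescribe the mapping). It also implements the Step 6 review check: an assessment is flagged when its last review is more than a year old or when an operational change has occurred since.

```python
"""Minimal HIPAA risk register following the six assessment steps.

Added example with constructed data; the likelihood x impact matrix is an
assumption, not a rule from the Security Rule or from OCR guidance.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

LEVELS = ("Low", "Medium", "High")

# Assumed combination matrix, keyed by (likelihood, impact).
RISK_MATRIX = {
    ("Low", "Low"): "Low",        ("Low", "Medium"): "Low",        ("Low", "High"): "Medium",
    ("Medium", "Low"): "Low",     ("Medium", "Medium"): "Medium",  ("Medium", "High"): "High",
    ("High", "Low"): "Medium",    ("High", "Medium"): "High",      ("High", "High"): "Critical",
}
PRIORITY = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


@dataclass
class Risk:
    asset: str              # Step 1: system, device or process in scope
    threat: str             # Step 2: what could go wrong
    vulnerability: str      # Step 2: weakness that lets the threat succeed
    likelihood: str         # Step 3: Low / Medium / High
    impact: str             # Step 3: Low / Medium / High
    current_control: str    # Step 4: what is in place today
    control_adequate: bool  # Step 4: is that control enough?
    planned_control: str = ""   # Step 5: what will be implemented
    owner: str = ""             # Step 5: who is responsible
    due: Optional[date] = None  # Step 5: by when

    def level(self) -> str:
        """Step 3: combine likelihood and impact into a risk level."""
        if self.likelihood not in LEVELS or self.impact not in LEVELS:
            raise ValueError(f"likelihood and impact must be one of {LEVELS}")
        return RISK_MATRIX[(self.likelihood, self.impact)]


def gap_analysis(register):
    """Step 4: risks whose current control is inadequate, highest level first."""
    gaps = [r for r in register if not r.control_adequate]
    return sorted(gaps, key=lambda r: PRIORITY[r.level()])


def management_plan(register):
    """Step 5: one plan entry per gap; flags entries missing a control, owner or date."""
    plan = []
    for r in gap_analysis(register):
        missing = [f for f in ("planned_control", "owner", "due") if not getattr(r, f)]
        plan.append({
            "asset": r.asset, "vulnerability": r.vulnerability, "level": r.level(),
            "planned_control": r.planned_control, "owner": r.owner, "due": r.due,
            "status": "incomplete: " + ", ".join(missing) if missing else "ready",
        })
    return plan


def review_due(last_reviewed, today, changes_since_review=()):
    """Step 6: reasons the assessment must be revisited (empty list means current)."""
    reasons = []
    if today - last_reviewed > timedelta(days=365):
        reasons.append("annual review overdue")
    reasons.extend(f"change: {c}" for c in changes_since_review)
    return reasons


# Constructed sample register for a small agency (not real findings).
SAMPLE_REGISTER = [
    Risk("Cloud EHR (staff logins)", "credential theft via phishing", "Missing MFA",
         "High", "High", "password policy only", False,
         planned_control="Enable MFA for all EHR accounts",
         owner="Administrator", due=date(2025, 3, 31)),
    Risk("Nurse personal smartphones", "lost or stolen device", "Unencrypted devices",
         "Medium", "High", "none", False),          # gap with no plan yet
    Risk("Office workstations", "ransomware", "Unpatched software",
         "Medium", "Medium", "automatic OS updates enabled", True),
    Risk("Office network", "power outage", "Lack of backup systems",
         "Low", "Low", "cloud-hosted EHR; no local patient data", True),
]

if __name__ == "__main__":
    for entry in management_plan(SAMPLE_REGISTER):
        print(entry)
    print(review_due(date(2024, 1, 15), date(2025, 2, 1), ["new telehealth platform"]))
```

Running the script lists the two gaps in priority order: the missing-MFA item is Critical and "ready" because it has a control, an owner and a date, while the unencrypted-phone item is High and "incomplete" because nothing has been planned for it. That second state is exactly the Mistake 4 situation described below: a known risk with no follow-through.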
Common Risk Assessment Mistakes at Home Health Agencies
Mistake 1: Treating the EHR vendor's compliance as your compliance. Your EHR vendor's HIPAA compliance covers their application. Your agency is responsible for the devices, networks, and staff that access it. These are separate compliance obligations.
Mistake 2: Scoping out personal devices. If a nurse uses a personal phone to access the EHR, that phone is in scope. Many agencies scope their risk assessment to "agency-owned devices only" — which leaves the majority of their ePHI exposure unassessed.
Mistake 3: No documentation of the assessment process. OCR does not just want your conclusions — they want evidence of the assessment process: who conducted it, when, what data sources were reviewed, and how conclusions were reached.
Mistake 4: No follow-through on the management plan. A risk assessment without a management plan is insufficient. A risk assessment and management plan that are never implemented is worse — it demonstrates that the agency knew about its risks and chose not to address them.
How ShieldForce Conducts Risk Assessments for Home Health Agencies
ShieldForce conducts the HIPAA Security Rule risk assessment as a collaborative engagement with your agency leadership — no IT expertise required on your side. Our process covers the full scope of your ePHI environment, produces OCR-ready documentation, and generates a prioritized risk management plan that we then implement as part of your managed security service.
Get your HIPAA Security Rule risk assessment done correctly — and done now. ShieldForce conducts and documents complete HIPAA risk assessments for home health agencies.