Healthcare PracticesFree Worksheet

The HIPAA Risk-Analysis worksheet OCR actually wants.

A fillable worksheet that walks your practice through the six steps OCR expects — ePHI inventory, threat enumeration, vulnerability mapping, likelihood-impact rating, mitigation tracking, and refresh triggers. Sized for small and mid-size medical, dental, and specialty practices.

What's inside

Eight sections — built to satisfy §164.308(a)(1)(ii)(A).

Each section is fillable and includes the prompts OCR expects. The worksheet bakes in the methodology described in our long-form article on the HIPAA risk analysis — so the output is defensible, not generic.

  1. 1Practice profile & ePHI inventory
  2. 2Reasonably anticipated threats
  3. 3Threat-to-vulnerability mapping
  4. 4Likelihood, impact & risk rating
  5. 5Mitigation decisions & owners
  6. 6Refresh triggers & annual review
  7. 79-step OCR self-audit
  8. 8Security Official sign-off

Free download — drop your work email

We'll unlock the template immediately and add you to our security list (unsubscribe any time).

By submitting, you agree to our Privacy Policy. We don't sell or share your information.

The worksheet is a printable web document. Use your browser's Print → Save as PDF to keep an offline copy.

Why this matters

OCR enforces. Carriers check. Your EHR vendor doesn't do this for you.

OCR's #1 cited deficiency

Missing or inadequate risk analysis is the most-cited HIPAA Security Rule violation, year after year. Most six- and seven-figure settlements name it first.

Cyber insurers ask for it

Carrier renewal questionnaires now ask for the date and methodology of your last risk analysis. "We did one a few years ago" doesn't bind coverage.

The undocumented one doesn't count

OCR's position is consistent: if you can't hand a written analysis to an investigator on request, you don't have one. This worksheet makes the "written" part painless.

Want the controls behind the worksheet?

Kapacyber runs the day-to-day security operations behind every row of this risk analysis — MFA on the EHR, EDR on every workstation, encrypted laptops, audit-log review, BAA inventory, and an incident response plan ready for the 60-day breach clock.