📊 Phase 1: 4-6 weeks

Phase 1: Risk Analysis & Gap Assessment

This is the most critical phase of the entire compliance program. The HIPAA Security Rule requires a comprehensive risk analysis, and failure to conduct one is the number one finding in OCR enforcement actions. You will systematically identify every threat and vulnerability to ePHI, assess current controls, calculate risk levels, and create a prioritized remediation plan. This phase transforms your Phase 0 findings into a detailed, actionable compliance roadmap.

🎯 Objectives

  • Conduct a comprehensive, documented risk analysis meeting HIPAA Security Rule requirements
  • Identify and assess all threats and vulnerabilities to ePHI confidentiality, integrity, and availability
  • Evaluate the effectiveness of current security controls and safeguards
  • Calculate risk levels for each identified threat-vulnerability combination
  • Create a prioritized risk register with specific remediation actions
  • Develop the Risk Management Plan that will drive Phases 2-4

Asset Inventory and ePHI Valuation

Build a detailed inventory of every asset that creates, receives, stores, processes, or transmits ePHI. This includes hardware (servers, workstations, mobile devices, medical devices, network equipment), software (EHR, billing systems, databases, email), data stores (databases, file shares, cloud storage, backup media), and network components. For each asset, document the type and volume of ePHI it contains, its criticality to operations, and its current security controls.

🎓 Beginner's Note

Think of this as building the 'what do we need to protect' list. You cannot protect what you do not know about. Be thorough — the most dangerous assets are the ones nobody remembers exist, like the old Windows Server 2008 machine running a legacy lab system in the basement.

💡 Consultant Tips

  • Use automated discovery tools (Nmap, asset management software) to supplement manual inventory — people always forget about assets
  • Include medical devices that connect to the network (IoT) — infusion pumps, patient monitors, and imaging equipment often contain or transmit ePHI
  • Document the operating system, patch level, and end-of-life status for each asset — legacy systems are a major risk area
  • Classify assets by criticality: Critical (EHR, primary database), High (billing, lab systems), Medium (departmental systems), Low (non-PHI systems)
  • Remember to include personally owned devices (BYOD) if employees access ePHI from personal phones or laptops

Threat and Vulnerability Identification

For each asset in your inventory, identify all reasonably anticipated threats (things that could go wrong) and vulnerabilities (weaknesses that threats could exploit). Use standard threat catalogs (NIST SP 800-30, HITRUST) as reference. Common threat categories include: natural disasters, human error, malicious insiders, external attackers, system failures, and vendor/supply chain risks. Vulnerabilities include: unpatched software, weak passwords, lack of encryption, inadequate training, missing policies, and physical security gaps.

🎓 Beginner's Note

A threat is anything that could cause harm (a hacker, a flood, an employee making a mistake). A vulnerability is a weakness that allows the threat to succeed (unpatched software lets the hacker in, no offsite backup means the flood destroys all data, lack of training causes the employee to email PHI to the wrong person). Your job is to find every realistic combination.

💡 Consultant Tips

  • Use the NIST SP 800-30 threat catalog as a starting checklist — it is comprehensive and specifically referenced by HHS
  • Interview IT staff about known vulnerabilities, recent security incidents, and concerns they have been unable to address
  • Conduct vulnerability scanning on all systems containing ePHI (with proper authorization and change management)
  • Review recent healthcare breach reports (HHS Wall of Shame) to identify common attack vectors relevant to similar organizations
  • Do not overlook insider threats — the majority of healthcare breaches involve internal workforce members, not external hackers

Current Controls Assessment

For each threat-vulnerability pair identified, evaluate what security controls are currently in place and how effective they are. Map current controls to the HIPAA Security Rule requirements (Administrative, Physical, and Technical safeguards). Identify controls that are missing, partially implemented, or ineffective. This is where you use the HIPAA compliance checklist to systematically evaluate every requirement.

🎓 Beginner's Note

Think of this as a gap analysis: for each HIPAA requirement, you are asking 'does the organization meet this requirement fully, partially, or not at all?' Use a simple Red (not implemented), Yellow (partially implemented), Green (fully implemented) scoring system to make the results easy to communicate to executives.

💡 Consultant Tips

  • Do not just ask 'do you have this control?' — verify it is actually working by testing or reviewing evidence
  • Check for controls that exist in policy but are not enforced in practice
  • Review recent audit reports, penetration test results, and vulnerability scan reports
  • Talk to end users about workarounds they use — workarounds often indicate that security controls are too restrictive or not working properly
  • Document evidence for each control assessment: policy documents, system configurations, screenshots, test results

Risk Calculation and Prioritization

For each threat-vulnerability-control combination, calculate a risk level based on the likelihood of the threat exploiting the vulnerability and the potential impact if it occurs. Use a standard risk matrix (e.g., 5x5 likelihood-impact matrix) to categorize risks as Critical, High, Medium, or Low. Create a risk register documenting each risk with its score, current controls, and recommended remediation actions.

🎓 Beginner's Note

A simple risk formula: Risk = Likelihood x Impact. If something is very likely to happen (score 5) and the impact would be severe (score 5), the risk is 25 (Critical). If something is very unlikely (score 1) and the impact would be minor (score 1), the risk is 1 (Low). Address Critical and High risks first.

💡 Consultant Tips

  • Use a quantitative or semi-quantitative approach — do not just assign arbitrary risk ratings
  • Consider both the likelihood of occurrence and the magnitude of impact (number of records affected, financial cost, operational disruption, reputational damage)
  • Factor in the sensitivity of the ePHI — psychiatric records, HIV status, and substance abuse records carry higher impact if breached
  • Involve clinical and business stakeholders in impact assessment — IT may underestimate the clinical and business consequences of certain risks
  • Prioritize risks that could result in large-scale breaches (500+ records) because these trigger public notification and HHS reporting
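As an added example (not part of this guide), the following Python sketch builds a prioritized risk register from the 5x5 scoring described above and the tips that follow it. The band thresholds between 25 (Critical) and 1 (Low), the tie-break ordering within a band, and the sample threat-vulnerability pairs are assumptions.

```python
from dataclasses import dataclass, field

# Assumed band thresholds for the 5x5 matrix; the guide only fixes 25 = Critical and 1 = Low.
BANDS = ((20, "Critical"), (12, "High"), (6, "Medium"), (1, "Low"))
# ePHI categories the guide calls out as carrying higher impact if breached.
SENSITIVE = {"psychiatric", "hiv", "substance_abuse"}
NOTIFICATION_THRESHOLD = 500  # 500+ records triggers public notification and HHS reporting


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # 1 (very unlikely) .. 5 (very likely)
    impact: int      # 1 (minor) .. 5 (severe)
    records: int     # approximate number of ePHI records the asset exposes
    remediation: str = ""
    categories: set = field(default_factory=set)

    def score(self) -> int:
        """Risk = Likelihood x Impact; both inputs must be on the 1..5 scale."""
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be integers 1..5")
        return self.likelihood * self.impact

    def band(self) -> str:
        return next(name for floor, name in BANDS if self.score() >= floor)

    def large_scale(self) -> bool:
        return self.records >= NOTIFICATION_THRESHOLD

    def sensitive(self) -> bool:
        return bool(self.categories & SENSITIVE)


def build_register(risks):
    """Prioritized register rows: ordered by score, with large-scale and sensitive-ePHI
    risks ahead of otherwise equal ones (that tie-break rule is an assumption)."""
    ordered = sorted(risks, key=lambda r: (r.score(), r.large_scale(), r.sensitive()), reverse=True)
    return [{"asset": r.asset, "threat": r.threat, "vulnerability": r.vulnerability,
             "score": r.score(), "band": r.band(), "notifiable": r.large_scale(),
             "sensitive": r.sensitive(), "remediation": r.remediation} for r in ordered]


# Constructed sample threat-vulnerability pairs, not taken from a real assessment.
SAMPLE_RISKS = [
    Risk("Legacy lab server", "External attacker", "Unpatched end-of-life OS", 4, 5, 200_000, "Segment and replace"),
    Risk("Workforce email", "Human error", "PHI sent to wrong recipient", 4, 3, 1, "Outbound DLP, training"),
    Risk("Backup media", "Flood", "No offsite backup copy", 2, 5, 200_000, "Encrypted offsite rotation"),
    Risk("Behavioral health EHR", "Malicious insider", "Excessive access privileges", 3, 4, 8_000,
         "Role-based access review", {"psychiatric"}),
]
```

Calling `build_register(SAMPLE_RISKS)` returns the rows in remediation order, with the two 12-point risks split by the large-scale and sensitive-data tie-breaks.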

Risk Management Plan Development

Based on the risk register, develop a Risk Management Plan that defines specific actions to reduce each identified risk to an acceptable level. For each risk, choose a risk treatment strategy: Mitigate (implement controls to reduce risk), Accept (document that the remaining risk is acceptable and within tolerance), Transfer (shift risk to a third party through insurance or contracts), or Avoid (eliminate the activity that creates the risk). Define specific actions, responsible parties, timelines, and success criteria for each risk treatment.

🎓 Beginner's Note

The Risk Management Plan is essentially your HIPAA compliance project plan. It tells you exactly what needs to be done, in what order, by whom, and by when. Present it to executive leadership for approval and resource commitment before moving to Phase 2. Without executive buy-in and budget, the implementation phases will stall.

💡 Consultant Tips

  • Focus on the Critical and High risks first — you cannot fix everything at once, so prioritize based on risk level
  • Set realistic timelines — complex technical implementations (encryption, access control overhaul) take months, not days
  • Include cost estimates for each remediation action to help executives make informed resource allocation decisions
  • Document any risks that are accepted — you must be able to explain to OCR why the residual risk is acceptable
  • The Risk Management Plan becomes the master roadmap for Phases 2-4 — everything flows from this document

Risk Analysis Documentation

Document the entire risk analysis process, methodology, findings, and decisions in a formal Risk Analysis Report. This documentation is itself a HIPAA requirement — you must be able to produce it if OCR requests it. The report should be comprehensive enough that someone who was not involved in the process can understand exactly what was done, what was found, and what decisions were made.

🎓 Beginner's Note

The risk analysis report is the single most important HIPAA document you will produce. It proves to OCR that you took HIPAA seriously and made informed decisions about protecting ePHI. A thorough risk analysis can be the difference between a warning letter and a million-dollar fine. Take the time to do it right and document it properly.

💡 Consultant Tips

  • Use a standardized format that maps to NIST SP 800-30 or the HHS Security Risk Assessment methodology
  • Include the methodology, scope, participants, tools used, data sources reviewed, and timeline of the assessment
  • Document not just the findings but the rationale for risk ratings and treatment decisions
  • Store the report securely (it contains sensitive information about your organization's vulnerabilities) and retain it for at least 6 years
  • Plan to update the risk analysis at least annually and whenever there are significant changes (new systems, new threats, organizational changes, breaches)

📦 Phase Deliverables

  • Complete ePHI Asset Inventory (hardware, software, data stores, network components)
  • Threat and Vulnerability Register (all identified threats, vulnerabilities, and threat-vulnerability pairs)
  • Current Controls Assessment (mapped to all HIPAA Security Rule requirements)
  • Risk Register (all risks scored and prioritized)
  • Risk Management Plan (remediation actions, owners, timelines, budgets)
  • Formal Risk Analysis Report (comprehensive documentation of the entire process)
  • Executive Summary Presentation (key findings and resource requirements for leadership)