
Risk Toolkit

HIPAA COW Risk Analysis & Risk Management Toolkit

HIPAA COW is pleased to provide you with this HIPAA COW Risk Analysis & Risk Management Toolkit (Toolkit). Please note that this Toolkit is a work in progress. More documents will be added to further assist organizations in their efforts to complete a Risk Analysis, Risk Assessment, and their Risk Management strategy. Please contact us with any recommendations, questions, or special requests.

The following Toolkit documents are currently available:

Start Here

This Guide provides a summary of all the tools in this Toolkit (listed below) as well as ideas on how to use them to complete a risk analysis, risk assessment, and develop and implement a risk management strategy. It also includes a list of references reviewed and used while developing this Toolkit.

NIST Risk Assessment Steps

HIPAA COW Risk Assessment Template

January 2024 updates: Updated Risk Toolkit! The HIPAA COW Risk Management Networking Group (RMNG) completed its review and incorporation of the NIST CSF v1.1 into the HIPAA COW Risk Assessment Template.

This document contains several worksheets, including:

  • HIPAA COW Disclaimer
  • Example Security P&P List
  • Security Questions
  • Current Threat List
  • Inventory Asset List
  • Risk Mitigation Implementation Plan
  • Office Use Only

NIST Threat Overview

Network Diagram Example

NIST Risk Definitions & Calculations

NIST Risk Mitigation Activities

HIPAA COW Risk Analysis Report Template

Risk Management Policy

This may be used by your organization as a template to create a Risk Management Policy. The policy was updated on 1/16/13 to better align with the HIPAA COW Risk Analysis & Risk Management toolkit.

OCR Phase 2 Audit Protocol

This is simply a copy/paste of the OCR Phase 2 Audit Protocol that was posted in April 2016 HERE.

OCR HIPAA COW OCR Audit Protocol

June 2012 – This OCR HIPAA Audit Protocol, with the last column added by HIPAA COW on the Security and Privacy & Breach worksheets, includes the question numbers that are currently believed to cover some or all of the audit protocol requirements for each specific item. The HIPAA COW Risk Management Networking Group reviewed the established performance criteria and audit procedures in the OCR HIPAA Audit Program and enhanced the HIPAA Security questions and recommended controls on the HIPAA COW Risk Assessment Template spreadsheet. This project was completed in August 2013.

OCR Audit Protocol

June 2012: 2012 Cross Reference to the HIPAA COW Risk Assessment Changes Made

This document includes the NIST Cybersecurity Framework v1.1. For Subcategories ID.AM-1 through RS.CO-3, the Risk Management Networking Group (RMNG) included the question numbers from the Security Questions worksheet of the HIPAA Security Risk Assessment Toolkit Excel document that are believed to cover some or all of the audit protocol requirements. The RMNG is continuing to work through the remainder of the controls and will post an update when completed. There is also a Maturity Definitions tab in this document, which is based on the NIST CSF Framework Implementation Tiers.

NIST SP 800-30 v2002

This Toolkit is based on many of the methodologies described in this document.

HIPAA Collaborative of Wisconsin (“HIPAA COW”) holds the Copyright © to the HIPAA COW Risk Analysis & Risk Management Toolkit (“Toolkit”). HIPAA COW retains full copyright ownership, rights and protection in all material contained in this Toolkit. You may use this Toolkit for your own non-commercial purposes. It may be redistributed in its entirety only if (i) the copyright notice is not removed or modified, and (ii) this Toolkit is provided to the recipient free of charge. If information is excerpted from this Toolkit and incorporated into another work-product, attribution shall be given to HIPAA COW (e.g., reference HIPAA COW as a resource). This Toolkit may not be sold for profit or used in commercial documents or applications.

This Toolkit is provided “as is” without any express or implied warranty. This Toolkit is for educational purposes only and does not constitute legal advice. If you require legal advice, you should consult with an attorney. Unless otherwise noted, HIPAA COW has not addressed all state pre-emption issues related to this Toolkit. Therefore, this Toolkit may need to be modified in order to comply with Wisconsin/State law.

The Toolkit provides an example HIPAA Security Risk Assessment and documents to support completing a Risk Analysis and Risk Mitigation Implementation Plan. While it covers a broad spectrum of the requirements under the HIPAA Security Rule and HITECH, it may not cover all measures needed to secure your patients’ electronic protected health information (ePHI). It is not meant to be construed as a one-size-fits-all Toolkit. As previously stated, this includes only an example method to complete a HIPAA Security Risk Assessment. The HIPAA Security Rule requires that this be completed on an ongoing basis, but does not prescribe how to accomplish this.

The authors of these documents carefully considered and included the information that is believed to be of most importance, based on legal requirements, known HIPAA Security incident history, and personal experiences. With that said, it may include items not required by your organization, exclude items that are required, and/or include items that you need to tailor to your organization’s needs.

Contact Us: Please forward any questions, comments, enhancements or ideas for improvement about this Risk Toolkit to: We welcome your feedback.


Contact Us


563 Carter Court, Suite B, Kimberly, WI 54136

Phone: 920-750-7728

© 2023 HIPAA COW | All Rights Reserved
