“HIPAA never mailed me anything stating that I needed to do a risk assessment, therefore I don’t need one.”
That is false. Nothing in HIPAA obliges anyone to send you documentation of your obligations. You alone are responsible for keeping up with the constant changes in HIPAA law, and you alone are held accountable.
164.308(a)(1)(ii)(a) “Security Management Process – Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.”
In the event of a security breach, you must be able to show auditors that you have conducted an annual Risk Analysis documenting any potential areas of concern or vulnerabilities. If the assessment identified an area where a breach was possible and you did nothing to mitigate or prevent that vulnerability, you face fines of up to $1.5 million per offense.