The Health Insurance Portability and Accountability Act (HIPAA) of 1996 establishes a standard of care for healthcare data security, outlining a set of technical, physical, and administrative security practices intended to protect electronic patient data. The regulation requires organizations to conduct information-security risk assessments to ensure that their security programs effectively mitigate their risks. Because the regulation does not mandate a specific technique, many variants of risk assessments have been employed to satisfy the requirement. This paper examines limitations in process-based risk assessments used by many healthcare organizations to comply with the HIPAA risk assessment requirement. It specifically focuses on the following three limitations: (1) lack of detailed operational context, (2) limited analysis of combinatorial effects of risk conditions, and (3) the tendency for local optimization of risk mitigation efforts.