The Security Risk Assessment is the single most important document in your HIPAA compliance program — and the most commonly missing one. Here's exactly what it must include and how to conduct one properly.
The HIPAA Security Rule (45 CFR § 164.308(a)(1)) requires every covered entity and business associate to conduct a thorough and accurate Security Risk Assessment (SRA) — also called a HIPAA risk analysis. Despite being a foundational requirement since 2003, the SRA remains the number-one compliance gap OCR investigators find during audits. This guide explains exactly what a compliant risk assessment must include and how to complete one that holds up under scrutiny.
Key takeaway: A Security Risk Assessment is not a checklist — it is a documented analysis of every threat and vulnerability to your electronic PHI, plus a remediation plan. It must be updated at least annually. Protect's guided SRA workflow produces an audit-ready assessment step by step.
What Is a Security Risk Assessment?
A Security Risk Assessment is a systematic evaluation of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI) that an organization creates, receives, maintains, or transmits.
It is not a one-time task. HIPAA requires the SRA to be reviewed and updated periodically — most compliance experts, and official OCR risk analysis guidance, recommend doing so annually and whenever significant operational changes occur.
The Eight Required Components of a HIPAA Risk Analysis
According to OCR guidance, a complete SRA must address eight key areas:
- Scope: Identify all ePHI your organization creates, receives, maintains, or transmits — including on workstations, servers, mobile devices, and in the cloud.
- Data Collection: Document where ePHI lives across your organization.
- Identify Threats: List all reasonably anticipated threats — ransomware, human error, natural disasters, theft, and more.
- Identify Vulnerabilities: Document weaknesses in your systems, processes, and workforce behaviors that could be exploited.
- Assess Current Controls: Evaluate your existing security measures and how effectively they reduce identified risks.
- Determine Likelihood: For each threat/vulnerability pair, assess how likely a security incident is to occur.
- Determine Impact: Assess the potential impact on patients, the practice, and operations if a breach occurred.
- Risk Level: Combine likelihood and impact to assign a risk level (High/Medium/Low) and prioritize remediation.
Common Mistakes to Avoid
After auditing hundreds of practices, these are the most frequent SRA mistakes we encounter:
- Using a checklist instead of an assessment. A list of yes/no questions does not constitute a risk analysis. The SRA must document analysis, not just answers.
- Forgetting remote workers and personal devices. If staff access ePHI on personal phones or home computers, those devices must be included.
- Not documenting remediation actions. Identifying a risk is only half the job — your SRA must include a remediation plan with timelines and responsible parties.
- Treating it as a one-time project. The assessment must be refreshed at minimum annually, and after major changes like new software, staff, or locations.
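To make the eight components above concrete, and to show how the remediation and refresh mistakes in this list can be caught mechanically, here is a small risk register in Python. It is an added illustration, not code from the original article or from Protect: it records threat/vulnerability pairs per ePHI asset with their current controls, scores each pair as likelihood times impact, assigns High/Medium/Low, ranks remediation, flags items whose plan lacks an action, owner or timeline, and checks whether the last dated assessment is older than 12 months. The 1-3 ordinal scales, the 6/3 level thresholds and the sample entries are constructed assumptions; OCR guidance does not mandate a particular scale.

```python
"""Toy HIPAA risk register (added illustration, not Protect's code).

Scores threat/vulnerability pairs as likelihood x impact, assigns
High/Medium/Low, prioritizes remediation, and flags the documentation
gaps the article warns about. Scales, thresholds and sample entries
are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}   # constructed ordinal scale
IMPACT = {"low": 1, "medium": 2, "high": 3}       # constructed ordinal scale


@dataclass
class RiskItem:
    asset: str                 # where the ePHI lives (scope / data collection)
    threat: str                # reasonably anticipated threat
    vulnerability: str         # weakness that threat could exploit
    current_controls: str      # safeguards already in place
    likelihood: str            # "low" | "medium" | "high"
    impact: str                # "low" | "medium" | "high"
    remediation: Optional[str] = None   # planned action
    owner: Optional[str] = None         # responsible party
    due: Optional[str] = None           # ISO date for the timeline

    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def level(self) -> str:
        # Constructed thresholds on the 1..9 product.
        s = self.score()
        return "High" if s >= 6 else "Medium" if s >= 3 else "Low"


def prioritize(items: List[RiskItem]) -> List[RiskItem]:
    """Highest risk first, so remediation effort goes where it matters."""
    return sorted(items, key=lambda r: r.score(), reverse=True)


def remediation_gaps(items: List[RiskItem]) -> List[Tuple[str, List[str]]]:
    """Items whose remediation plan is missing an action, owner or timeline."""
    gaps = []
    for r in items:
        missing = [name for name, value in
                   (("remediation", r.remediation), ("owner", r.owner), ("due", r.due))
                   if value is None]
        if missing:
            gaps.append((r.asset, missing))
    return gaps


def sra_is_stale(last_completed_iso: str, today_iso: str, max_age_days: int = 365) -> bool:
    """True when the last dated assessment is older than the annual refresh window."""
    last = date.fromisoformat(last_completed_iso)
    today = date.fromisoformat(today_iso)
    return (today - last).days > max_age_days


# Constructed sample register for a small practice (not real findings).
SAMPLE_REGISTER = [
    RiskItem("Billing workstation", "Ransomware", "Unpatched OS, no offline backup",
             "Endpoint antivirus", "high", "high",
             remediation="Enable automatic patching; add offline backups",
             owner="IT lead", due="2025-03-31"),
    RiskItem("Staff personal phones", "Device loss or theft", "No MDM, no screen-lock policy",
             "None", "medium", "high"),   # the remote-worker / personal-device gap, no plan yet
    RiskItem("Cloud EHR", "Vendor outage from natural disaster", "Single-region hosting",
             "Signed BAA, vendor DR plan", "low", "medium",
             remediation="Review vendor DR test results annually",
             owner="Compliance officer", due="2025-06-30"),
]


def build_report(items: List[RiskItem], last_completed_iso: str, today_iso: str) -> dict:
    """Summary a reviewer would want: ranked levels, plan gaps, staleness."""
    return {
        "ranked": [(r.asset, r.level(), r.score()) for r in prioritize(items)],
        "plan_gaps": remediation_gaps(items),
        "stale": sra_is_stale(last_completed_iso, today_iso),
    }


if __name__ == "__main__":
    for entry in build_report(SAMPLE_REGISTER, "2023-11-01", "2025-01-15").items():
        print(entry)
```

Run as a script, the report ranks the two High items first, lists the personal-phones entry as the one with no remediation, owner or due date, and marks the assessment stale because the constructed last-completed date is more than 12 months before the constructed review date. Each dated run of such a register, kept with its remediation plan, is the kind of record an OCR investigator asks for.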
Using the Free HHS SRA Tool
The Office of the National Coordinator for Health IT (ONC) offers a free Security Risk Assessment Tool on HealthIT.gov. It is a useful starting point, but the tool alone does not produce a complete, audit-ready SRA — it does not store remediation tracking, generate ongoing documentation, or update automatically year over year. For deeper technical guidance, many practices also reference NIST Special Publication 800-66, the federal guide for implementing the HIPAA Security Rule.
How Often Should You Update Your SRA?
At a minimum, every 12 months. You should also perform a fresh risk analysis whenever you adopt new technology, open a new location, change EHR or billing vendors, experience a security incident, or make significant staffing changes. Each update should be dated and retained as part of your permanent compliance record.
Frequently Asked Questions
Is a HIPAA Security Risk Assessment legally required?
Yes. It is mandated by the HIPAA Security Rule for every covered entity and business associate, regardless of size.
What is the difference between a risk assessment and a risk analysis?
In HIPAA terminology the terms are used interchangeably. The regulation refers to a "risk analysis," and "Security Risk Assessment" is the common industry name for the same process.
How long does a Security Risk Assessment take?
With a structured platform it can take a few hours for a small practice. Done manually from scratch, it often takes days and produces inconsistent documentation — which is why most practices automate it.
How Protect Simplifies the Process
Protect's platform includes a guided Security Risk Assessment workflow that walks your team through every required component step by step. The result is a fully documented, audit-ready SRA that satisfies OCR requirements and is automatically refreshed in your compliance record each year. Learn more about our compliance platform, compare plans, or contact our team with questions.
Susan Schulte
Senior HIPAA Consultant, Protect Compliance Management
The Protect team helps healthcare practices achieve and maintain HIPAA compliance through our comprehensive software platform and expert consulting services.