HIPAA Risk Assessment: Step-by-Step Process
A HIPAA risk assessment is the most important step in any healthcare compliance program. The Office for Civil Rights (OCR) tracks HIPAA enforcement actions closely. Failure to conduct a full, practice-wide risk analysis is the most common finding they cite — and it carries some of the steepest penalties in HIPAA enforcement history.
This guide gives you a practical, step-by-step process for a HIPAA Security Risk Assessment (SRA). It covers every phase — from scoping through remediation and ongoing management. Use it whether this is your first assessment or an upgrade to an existing process. If you want to understand the legal foundation before diving into the steps, start with our overview of what a HIPAA security risk assessment is and why it matters.
Understanding the SRA Requirement
Regulatory Foundation
The HIPAA Security Rule at 45 CFR 164.308(a)(1)(ii)(A) is unambiguous. Covered entities and business associates must “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.” This is a required specification — there is no alternative implementation.
The regulation does not prescribe a specific methodology or tool. Organizations can choose an approach appropriate for their size and complexity. But OCR has published detailed guidance on what constitutes a compliant risk analysis, and enforcement actions demonstrate the depth of analysis expected.
Risk analysis vs. risk management: These terms are often used interchangeably but represent distinct requirements. The risk analysis (45 CFR 164.308(a)(1)(ii)(A)) is the identification and evaluation of threats and vulnerabilities. Risk management (45 CFR 164.308(a)(1)(ii)(B)) is the implementation of security measures to reduce those identified risks to a reasonable and appropriate level. HIPAA requires both — completing only the analysis without acting on findings is itself a compliance failure.
Key Regulatory Expectations
OCR expects a risk analysis to be:
- Complete — Covering all ePHI across the entire organization, not just selected systems or departments.
- Thorough — Identifying all reasonably anticipated threats and vulnerabilities.
- Accurate — Based on current conditions, not outdated assumptions or generic templates.
- Documented — Producing written records that demonstrate the process and findings.
- Ongoing — Updated regularly and whenever significant operational changes occur.
A checklist or short questionnaire does not satisfy these requirements. The risk assessment must be a genuine analysis examining specific threats to specific assets in your actual environment.
Step 1: Define Scope and Assemble Your Team
Scoping the Assessment
The scope must cover all ePHI your organization creates, receives, maintains, or transmits — regardless of medium, location, or system. This includes:
- On-premises systems — Servers, workstations, medical devices, and network infrastructure.
- Cloud environments — Hosted applications, cloud storage, SaaS platforms, and hosted EHR systems.
- Remote and mobile — Laptops, tablets, smartphones, home offices, and telehealth platforms.
- Third-party systems — Business associate environments that store or process your ePHI.
- Paper-to-digital transitions — Scanning systems, fax servers, and digital records management.
A common mistake is limiting scope to the primary EHR system. Secondary systems — email, messaging platforms, billing software, and legacy applications — also contain ePHI. A dedicated HIPAA compliance tool can help inventory and monitor all of these systems automatically.
Assembling the Team
Effective risk assessments require input from multiple stakeholders:
- Security Officer — Leads the assessment and coordinates remediation actions.
- IT staff — Provides technical knowledge of systems, networks, and security controls.
- Clinical staff — Identifies workflows involving ePHI and clinical system usage.
- Administrative staff — Covers billing, scheduling, and day-to-day operational processes.
- Compliance Officer — Ensures regulatory requirements are addressed.
- Facilities management — Addresses physical security considerations.
- Privacy Officer — Provides insight on Privacy Rule implications.
In small practices, some of these roles may overlap. The key is covering technical, operational, and clinical perspectives. External consultants can fill expertise gaps, especially for a first comprehensive assessment.
Step 2: Inventory ePHI Assets
Creating the Asset Inventory
A complete ePHI asset inventory is the foundation of the risk assessment. For each asset, document:
- Asset name and description — What the system or device is and what it does.
- Location — Physical and logical location (building, room, network segment, cloud region).
- ePHI types — What categories of protected health information the asset stores, processes, or transmits.
- Data volume — Approximate number of patient records or volume of ePHI the asset holds.
- Users — Who accesses the system and in what roles.
- Owner — The person or department responsible for the asset.
- Criticality — How important the asset is to operations and patient care.
Common Asset Categories
Organize your inventory into these categories:
- Applications — EHR, practice management, billing, lab systems, imaging, telehealth platforms, patient portals.
- Infrastructure — Servers, databases, network devices, firewalls, wireless access points.
- Endpoints — Workstations, laptops, tablets, mobile devices, medical devices that store ePHI.
- Storage — File servers, network-attached storage, cloud storage, backup media, removable drives.
- Communications — Email systems, fax servers, secure messaging, VoIP, video conferencing.
- Physical — Server rooms, data closets, file cabinets containing digital media, workstation locations.
Document how ePHI flows between these assets. Data flow diagrams help identify transmission paths that require encryption and access points that require authentication controls.
Step 3: Identify Threats
Threat Categories
A threat is any event or action that could exploit a vulnerability and harm ePHI. Organize threats into these categories:
Natural threats:
- Floods, earthquakes, hurricanes, tornadoes.
- Power outages from severe weather.
- Fire (natural or accidental).
Human threats — intentional:
- External cyberattacks (ransomware, phishing, malware, denial-of-service).
- Insider threats from disgruntled employees.
- Social engineering attacks.
- Theft of devices or media.
- Unauthorized physical access.
Human threats — unintentional:
- Accidental data exposure through misconfigured systems.
- Misdirected emails or faxes containing ePHI.
- Improper disposal of devices or media.
- Failure to follow security procedures.
- Lost devices.
Environmental and technical threats:
- Hardware failures.
- Software bugs and vulnerabilities.
- Network outages.
- Power surges or electrical failures.
- HVAC failures affecting server environments.
Documenting Threats
For each threat, record:
- Threat source — Who or what could initiate the threat event.
- Threat action — How the threat event would unfold.
- Affected assets — Which ePHI assets could be impacted.
- Historical data — Whether your organization or similar ones have experienced this threat.
- Threat likelihood — An initial estimate of probability (refined in later steps).
Use industry sources to inform your threat list: the HHS Breach Portal, FBI Internet Crime Reports, and healthcare-specific threat intelligence. Pay particular attention to threats that have affected similar organizations in your region and specialty.
Step 4: Identify Vulnerabilities
What Constitutes a Vulnerability
A vulnerability is a weakness in a system, process, policy, or control that a threat can exploit to harm ePHI. Vulnerabilities exist at every level of a healthcare organization.
Technical vulnerabilities:
- Unpatched software and operating systems.
- Weak or default passwords.
- Missing or misconfigured encryption.
- Inadequate access controls.
- Open network ports and unnecessary services.
- Lack of multi-factor authentication.
- Missing or inadequate audit logging.
Administrative vulnerabilities:
- Absent or outdated security policies.
- Inadequate workforce training.
- No incident response plan.
- Incomplete business associate agreements.
- Lack of documented procedures.
- No regular security reviews.
Physical vulnerabilities (see our guide to physical safeguard vulnerabilities for the complete list):
- Unsecured server rooms or data closets.
- Missing visitor controls.
- Inadequate surveillance.
- Unlocked workstations in public areas.
- Missing disposal procedures for media and devices.
Vulnerability Assessment Methods
Use multiple methods to surface vulnerabilities:
- Technical scanning — Automated vulnerability scanners, penetration testing, and network assessments.
- Policy review — Compare existing policies against Security Rule requirements and industry frameworks.
- Interviews — Speak with staff about actual workflows, workarounds, and observed security gaps.
- Physical walkthroughs — Inspect facilities for physical security weaknesses.
- Audit log review — Examine system logs for evidence of unauthorized access or anomalies.
- Prior assessments — Review findings from previous risk assessments, audits, and incident reports.
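The audit log review method above is the one most practices skip because the EHR export is large and nobody knows what to look for. The script below is an added example, not code from this guide or from the HHS SRA Tool, showing what a first-pass review of an access log looks like. The log format (timestamp,user,action,patient_id,source_ip), the business hours, the trusted network range and the thresholds are all assumptions; the sample export is constructed. Adapt the parser and thresholds to your EHR's real audit export.

```python
"""First-pass audit log review for Step 4 (added example; format and thresholds assumed)."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed review parameters; tune these to the organisation being assessed.
BUSINESS_HOURS = (7, 19)                       # 07:00-19:00 local, Monday-Friday
TRUSTED_NETWORKS = [ip_network("10.20.0.0/16")]  # clinic LAN / VPN range (assumed)
BULK_VIEW_THRESHOLD = 25                       # distinct patients per user per day
FAILED_LOGIN_THRESHOLD = 5                     # failures per user inside the window
FAILED_LOGIN_WINDOW = timedelta(minutes=5)
EPHI_ACTIONS = {"VIEW", "EXPORT", "PRINT"}     # actions that touch patient records

# Constructed sample export (2025-03-03 is a Monday). A real review loads the EHR log.
SAMPLE_LOG = """\
2025-03-03T09:12:44,jsmith,VIEW,P1001,10.20.0.15
2025-03-03T09:13:02,jsmith,VIEW,P1002,10.20.0.15
2025-03-03T23:41:10,rjones,VIEW,P2207,10.20.0.31
2025-03-03T23:42:55,rjones,VIEW,P2208,10.20.0.31
2025-03-03T10:05:00,bdoe,LOGIN_FAIL,,203.0.113.7
2025-03-03T10:05:06,bdoe,LOGIN_FAIL,,203.0.113.7
2025-03-03T10:05:11,bdoe,LOGIN_FAIL,,203.0.113.7
2025-03-03T10:05:17,bdoe,LOGIN_FAIL,,203.0.113.7
2025-03-03T10:05:22,bdoe,LOGIN_FAIL,,203.0.113.7
2025-03-03T10:06:00,bdoe,LOGIN,,203.0.113.7
2025-03-03T10:06:30,bdoe,VIEW,P3001,203.0.113.7
""" + "\n".join(f"2025-03-03T14:{i:02d}:00,tlee,VIEW,P4{i:03d},10.20.0.40" for i in range(30))


def parse_log(text):
    """Parse 'timestamp,user,action,patient_id,source_ip' lines, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, patient, ip = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "patient": patient or None,
                       "ip": ip_address(ip)})
    return sorted(events, key=lambda e: e["ts"])


def review(text):
    """Return {finding_type: [users]} for the anomaly classes a reviewer checks first."""
    findings = defaultdict(set)
    per_day_patients = defaultdict(set)   # (user, date) -> distinct patient ids
    failures = defaultdict(list)          # user -> recent LOGIN_FAIL timestamps

    for e in parse_log(text):
        ts, user = e["ts"], e["user"]
        if e["action"] in EPHI_ACTIONS:
            outside_hours = ts.weekday() >= 5 or not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])
            if outside_hours:
                findings["after_hours_ephi_access"].add(user)
            if not any(e["ip"] in net for net in TRUSTED_NETWORKS):
                findings["ephi_access_from_untrusted_network"].add(user)
            per_day_patients[(user, ts.date())].add(e["patient"])
        elif e["action"] == "LOGIN_FAIL":
            window = failures[user]
            window.append(ts)
            while window and ts - window[0] > FAILED_LOGIN_WINDOW:  # slide the window
                window.pop(0)
            if len(window) >= FAILED_LOGIN_THRESHOLD:
                findings["failed_login_burst"].add(user)

    for (user, _day), patients in per_day_patients.items():
        if len(patients) >= BULK_VIEW_THRESHOLD:   # possible snooping or bulk export
            findings["bulk_record_access"].add(user)
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for finding, users in review(SAMPLE_LOG).items():
        print(f"{finding}: {', '.join(users)}")
```

Each hit is a lead for the interviews and control review, not a conclusion: after-hours access may be an on-call clinician, and a bulk view may be a legitimate billing run. Record what you checked, what you found and how it was resolved, because that record is the evidence that the detective control (audit logging) is actually operated rather than merely enabled.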
Step 5: Assess Current Controls
Mapping Controls to Risks
For each threat-vulnerability pair, document the security controls currently in place. Controls fall into three categories:
- Preventive controls — Measures that stop threats from exploiting vulnerabilities (firewalls, access controls, encryption, training).
- Detective controls — Measures that identify when a threat has exploited a vulnerability (audit logs, intrusion detection, monitoring).
- Corrective controls — Measures that respond to and recover from security incidents (incident response plans, backup systems, disaster recovery).
Evaluating Control Effectiveness
Rate each control honestly:
- Fully effective — The control is properly configured, regularly maintained, and tested.
- Partially effective — The control exists but has gaps in configuration, coverage, or maintenance.
- Not effective — The control exists on paper only, is severely outdated, or is not functioning.
- Absent — No control exists for this risk.
Honesty is critical here. Overrating control effectiveness undermines the entire risk analysis and creates a false sense of security. Evaluate controls as they operate in practice, not as they appear in policy documents.
Step 6: Determine Risk Levels
Risk Scoring Methodology
Risk is the product of threat likelihood and impact severity. For each threat-vulnerability-asset combination, assess both factors using a consistent scale. Rate likelihood after taking the controls evaluated in Step 5 into account, and treat the product as an ordering device for prioritization rather than a measurement: the scales are ordinal, so a 6 is not "twice as risky" as a 3, it simply ranks ahead of it.
Likelihood ratings:
| Level | Score | Description |
|---|---|---|
| High | 3 | Threat source is highly motivated and capable; controls are ineffective or absent. |
| Medium | 2 | Threat source is motivated and capable, but controls may impede exploitation. |
| Low | 1 | Threat source lacks motivation or capability, or strong controls are in place. |
Impact ratings:
| Level | Score | Description |
|---|---|---|
| High | 3 | Major harm: large-scale breach, significant financial loss, patient harm, or loss of critical systems. |
| Medium | 2 | Moderate harm: limited breach, moderate financial impact, temporary system disruption. |
| Low | 1 | Minor harm: minimal data exposure, negligible financial impact, brief disruption. |
Calculating Overall Risk
Multiply Likelihood Score × Impact Score to produce a numeric risk rating, then map to a risk tier:
| Likelihood × Impact | Score Range | Risk Tier | Response Priority |
|---|---|---|---|
| High (3) × High (3) | 9 | Critical | Immediate action required |
| High (3) × Medium (2) | 6 | High | Address within 30–90 days |
| Medium (2) × High (3) | 6 | High | Address within 30–90 days |
| High (3) × Low (1) | 3 | Medium | Address within 6–12 months |
| Medium (2) × Medium (2) | 4 | Medium | Address within 6–12 months |
| Low (1) × High (3) | 3 | Medium | Address within 6–12 months |
| Medium (2) × Low (1) | 2 | Low | Monitor; address in maintenance cycles |
| Low (1) × Medium (2) | 2 | Low | Monitor; address in maintenance cycles |
| Low (1) × Low (1) | 1 | Low | Accept with documented justification |
Document the rationale for each rating. OCR auditors and investigators want to understand why a specific rating was assigned. Include concrete evidence from your threat and vulnerability work to support each determination.
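A risk register is easier to keep consistent, and easier to defend to an investigator, when the scoring and tier mapping are done the same way every time. The block below is an added example, not code from this guide or from the HHS SRA Tool, that implements the likelihood and impact scales and tier cut-offs from the tables above, refuses ratings that are off the scale or undocumented, and carries the expected post-remediation (target) score that Step 7 asks for. The three register entries are constructed for illustration.

```python
"""Risk register scoring for Step 6 (added example; sample entries are constructed)."""
from dataclasses import dataclass
from typing import Optional

# Scales from the likelihood and impact tables above.
LIKELIHOOD = {"Low": 1, "Medium": 2, "High": 3}
IMPACT = {"Low": 1, "Medium": 2, "High": 3}
RESPONSE_PRIORITY = {
    "Critical": "Immediate action required",
    "High": "Address within 30-90 days",
    "Medium": "Address within 6-12 months",
    "Low": "Monitor; address in maintenance cycles",
}


def risk_score(likelihood, impact):
    """Likelihood x Impact on the 1-3 scales; rejects ratings that are not on the scale."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError(f"rating not on scale: {likelihood!r}, {impact!r}")
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_tier(score):
    """Tier cut-offs from the table: 9 Critical, 6 High, 3-4 Medium, 1-2 Low."""
    if score >= 9:
        return "Critical"
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


@dataclass
class RiskItem:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str                          # current, with existing controls considered
    impact: str
    rationale: str                           # evidence behind the ratings (required)
    remediation: Optional[str] = None
    target_likelihood: Optional[str] = None  # expected rating after remediation
    target_impact: Optional[str] = None

    def current_score(self):
        return risk_score(self.likelihood, self.impact)

    def target_score(self):
        """Expected score after remediation; unchanged factors keep their current rating."""
        if self.target_likelihood is None and self.target_impact is None:
            return None
        return risk_score(self.target_likelihood or self.likelihood,
                          self.target_impact or self.impact)


def build_register(items):
    """Score every item, enforce a documented rationale, and sort highest risk first."""
    rows = []
    for it in items:
        if not it.rationale.strip():
            raise ValueError(f"{it.asset}: rating has no documented rationale")
        score = it.current_score()
        tier = risk_tier(score)
        rows.append({
            "asset": it.asset, "threat": it.threat, "vulnerability": it.vulnerability,
            "score": score, "tier": tier, "priority": RESPONSE_PRIORITY[tier],
            "remediation": it.remediation, "target_score": it.target_score(),
            "rationale": it.rationale,
        })
    # Highest score first; sorted() is stable, so ties keep the assessor's order.
    return sorted(rows, key=lambda r: -r["score"])


# Constructed sample entries (hypothetical practice; not real findings).
SAMPLE_REGISTER = [
    RiskItem("EHR application server", "Ransomware delivered by phishing",
             "OS patches nine months behind; no MFA on remote access", "High", "High",
             "Scanner lists unpatched critical CVEs; helpdesk tickets show phishing clicks",
             remediation="Patch to current; enforce MFA on remote access", target_likelihood="Low"),
    RiskItem("Clinician laptops", "Theft or loss of device",
             "No full-disk encryption", "Medium", "High",
             "Two laptops lost in the prior year; walkthrough found unencrypted devices",
             remediation="Deploy full-disk encryption with managed keys", target_impact="Low"),
    RiskItem("Fax server", "Misdirected fax",
             "No recipient confirmation step", "Medium", "Low",
             "Three misdirected faxes recorded in the incident log last year",
             remediation="Require number confirmation before send", target_likelihood="Low"),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_REGISTER):
        print(f"{row['score']} {row['tier']:<8} {row['asset']}: {row['priority']} "
              f"(target {row['target_score']})")
```

The register rejects an entry with an empty rationale on purpose: an undocumented rating is exactly the finding an OCR investigator will raise. The target score is what lets you check, at the next reassessment, whether remediation actually moved the risk where the plan said it would.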
Step 7: Develop the Remediation Plan
Prioritizing Risks
You cannot remediate all risks simultaneously. Prioritize based on risk tier:
- Critical risks — Address immediately. These carry the highest probability of a significant breach.
- High risks — Address within 30–90 days. These represent substantial exposure.
- Medium risks — Address within 6–12 months as part of planned security improvements.
- Low risks — Monitor and address during routine maintenance cycles, or formally accept with written documentation.
Creating Actionable Remediation Items
For each risk requiring remediation, document:
- Risk description — The specific threat-vulnerability-asset combination.
- Current risk score — The assessed likelihood × impact rating.
- Remediation action — The specific control or measure to implement.
- Target risk score — The expected rating after remediation.
- Responsible party — Who is accountable for completion.
- Target completion date — When the remediation must be finished.
- Resource requirements — Budget, staff time, and technology needed.
- Status tracking — A mechanism for monitoring progress.
Risk Response Options
For each identified risk, organizations have four response options:
- Mitigate — Implement controls to reduce the risk to an acceptable level.
- Transfer — Shift the risk to another party (cyber insurance, outsourcing to a qualified vendor).
- Accept — Acknowledge the risk and document the decision not to act further. Appropriate only for low risks with written justification and management approval.
- Avoid — Eliminate the risk by removing the activity, system, or process that creates it.
Most risks in a healthcare setting require mitigation. Risk acceptance should be used sparingly and always requires documented management approval.
Step 8: Document Everything
Required Documentation
The risk assessment must produce comprehensive written documentation including:
- Scope statement — What was assessed, including all systems, locations, and ePHI types.
- Methodology description — How the assessment was conducted, including tools and frameworks used.
- Asset inventory — A complete list of ePHI assets with classifications.
- Threat analysis — Identified threats with likelihood ratings and supporting evidence.
- Vulnerability analysis — Identified vulnerabilities with assessment method and evidence.
- Control assessment — Current controls mapped to risks with effectiveness ratings.
- Risk register — All identified risks with likelihood, impact, and overall risk scores.
- Remediation plan — Prioritized actions with responsible parties, timelines, and resource requirements.
- Management sign-off — Executive acknowledgment and approval of findings and remediation plan.
Retention and Maintenance
Retain all risk assessment documentation for at least six years from the date it was created or the date it was last in effect, whichever is later, as required by 45 CFR 164.316(b)(2). Store documentation securely with version control to track changes over time. Do not discard prior assessments — they provide historical context and demonstrate your organization’s ongoing commitment to security improvement.
Using the HHS/ONC Security Risk Assessment (SRA) Tool
What the SRA Tool Covers
HHS and ONC offer a free Security Risk Assessment (SRA) Tool designed specifically to help small and medium-sized healthcare practices conduct HIPAA-compliant risk assessments. The tool was updated to version 3.6 in 2025 and is available as a Windows desktop application at healthit.gov.
The SRA Tool walks users through the risk assessment process organized around the HIPAA Security Rule requirements. It covers:
- Asset and data type identification
- Threat and vulnerability identification across administrative, physical, and technical safeguards
- Current control assessment with guided prompts
- Likelihood and impact rating for each identified risk
- Automatic risk score calculation
- Remediation planning and tracking
- Exportable reports suitable for OCR audit documentation
How to Download and Navigate the Tool
To get started with the SRA Tool:
- Visit healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool
- Download the installer for your Windows version (Mac and Linux users can run it in a Windows virtual machine, or use the SRA Tool Excel Workbook that ONC publishes alongside the application)
- Install and launch the application — no internet connection is required to run the assessment
- Create a new assessment and follow the guided question sequence
- Export your completed assessment as a PDF or Excel report for documentation and audit purposes
The SRA Tool takes most small practices 8–16 hours of focused staff time to complete thoroughly. Budget time across 1–2 weeks rather than trying to rush through in a single session.
Limitations of the SRA Tool
The SRA Tool is a strong starting point, but it has important limitations to understand:
- Windows-only desktop application: The desktop version does not run on Mac or Linux without virtualization. ONC also publishes an Excel workbook edition of the tool, but it lacks the guided navigation and automatic scoring of the application.
- Small-practice focus: The tool is optimized for practices with straightforward IT environments. Large organizations with complex systems, multiple locations, or specialized medical devices may find the tool insufficient without supplementary assessments.
- No continuous monitoring: The SRA Tool produces a point-in-time assessment. It does not provide ongoing risk monitoring or alerts when your environment changes.
- Expert interpretation still required: The tool guides you through questions, but interpreting results and developing a remediation plan still requires someone with HIPAA security expertise. A tool-generated assessment without knowledgeable review is unlikely to fully satisfy OCR expectations.
For practices that need more comprehensive capabilities — including policy management, training tracking, and BAA management alongside risk assessment — see our comparison of top HIPAA compliance tools.
Ongoing Risk Management
Annual Reassessment
Conduct a full risk assessment at least annually. Between full assessments, update your risk analysis whenever:
- New systems or technology are implemented.
- Significant operational changes occur.
- Security incidents or breaches are identified.
- New threats emerge in the healthcare sector.
- Regulatory requirements change.
- Business associate relationships change materially.
Integrating Risk Assessment Into Operations
The risk assessment should not be an isolated compliance exercise. It should drive security decisions across your entire organization. Use assessment findings to inform:
- Budget planning — Justify and allocate security spending based on risk priorities.
- Vendor management — Evaluate and monitor business associates using risk findings.
- Training programs — Target training topics based on identified workforce-related risks.
- Policy development — Update policies to address newly identified vulnerabilities.
- Incident response — Use threat analysis to inform incident response planning and tabletop exercises.
- Executive reporting — Communicate risk posture and remediation progress to organizational leadership.
Organizations that treat risk assessment as a living process build stronger security programs and demonstrate the proactive compliance posture that regulators recognize and reward.
2025 OCR Enforcement: What’s at Stake
The OCR Risk Assessment Enforcement Initiative
The Office for Civil Rights launched a targeted enforcement initiative in 2025 specifically focused on organizations that have failed to conduct adequate security risk assessments. This initiative reflects a years-long pattern in OCR enforcement data: failure to conduct a risk analysis is the single most cited HIPAA violation across all enforcement actions.
The financial consequences are significant. HIPAA civil monetary penalties are structured in four tiers based on culpability. The per-violation figures below are the base statutory amounts and the annual caps reflect OCR's 2019 notice of enforcement discretion; both are adjusted for inflation each year, so check the current Federal Register notice for the exact figures in force:
| Tier | Culpability Level | Penalty Per Violation | Annual Maximum |
|---|---|---|---|
| Tier 1 | Did not know (and could not have known) | $100 – $50,000 | $25,000 |
| Tier 2 | Reasonable cause (not willful neglect) | $1,000 – $50,000 | $100,000 |
| Tier 3 | Willful neglect — corrected | $10,000 – $50,000 | $250,000 |
| Tier 4 | Willful neglect — not corrected | $50,000 | $1,900,000 |
Failing to conduct any risk assessment — especially after being aware of the requirement — can land an organization in Tier 3 or Tier 4. Real enforcement cases illustrate the stakes: OCR resolved multiple cases in recent years where missing or inadequate risk assessments resulted in settlements ranging from $500,000 to $3.9 million, independent of whether an actual breach occurred.
The proposed 2025 Security Rule update (NPRM) would add additional specificity requirements for risk assessments, including explicit documentation of asset inventories, threat modeling methodologies, and remediation timelines. Organizations that build thorough assessment practices now will be well-positioned to meet these forthcoming requirements without significant rework.
Key Lessons from OCR Enforcement Actions
Patterns across OCR enforcement actions reveal what investigators consistently look for — and what most organizations get wrong:
- Scope gaps are the most common finding. Organizations that assess only their EHR and ignore email, medical devices, or cloud storage fail the completeness standard immediately.
- Generic templates are not sufficient. OCR has explicitly stated that filling in a pre-built questionnaire without site-specific analysis does not meet the “accurate and thorough” standard.
- Assessments that sit on a shelf are treated as not done. If you cannot demonstrate that findings were acted upon in a remediation plan, the assessment itself offers little protection.
- Documentation quality matters as much as the analysis. Investigators review your written records. Vague findings, undated documents, and missing sign-offs are red flags.
HIPAA Risk Assessment by Practice Type
Solo Practices and Small Clinics (1–10 Staff)
Small practices face unique challenges: limited IT staff, constrained budgets, and a tendency to treat compliance as a part-time responsibility. The good news is that the HHS SRA Tool was designed specifically for this environment. Focus areas for small practices include:
- Cloud-based EHR security settings — vendor BAA status, encryption in transit and at rest, access controls.
- Mobile device use — personal phones used for patient communication, telehealth apps, and email.
- Remote work environments if staff work from home even occasionally.
- Reception area risks — screen visibility, verbal PHI disclosures, visitor access.
For a solo practitioner or small group, a realistic first assessment takes 2–3 focused days using the SRA Tool plus a physical walkthrough. The HIPAA compliance starter kit for small practices pairs well with your risk assessment to ensure policy gaps are addressed alongside technical findings.
Dental Offices
Dental practices handle a concentrated mix of ePHI types: clinical charting, radiographs, treatment photos, insurance billing data, and patient demographics. Common high-risk findings in dental offices include:
- Legacy practice management software (Dentrix, Eaglesoft) that may not support modern encryption or MFA.
- Digital radiograph systems on isolated workstations without patch management.
- Patient photos stored in shared folders without access controls.
- Front-desk workstations visible to waiting room patients.
- Vendor relationships (imaging services, billing companies, patient communication platforms) without current BAAs.
See our complete guide to HIPAA compliance for dental offices for a full breakdown of dental-specific requirements and common violation patterns.
Behavioral Health Providers
Behavioral health practices carry heightened sensitivity obligations. Psychotherapy notes receive special handling under the HIPAA Privacy Rule, substance use disorder records from federally assisted treatment programs carry additional federal protections under 42 CFR Part 2 (on top of HIPAA), and the consequences of a breach can be especially harmful to patients. Risk assessment priorities for behavioral health include:
- Strict access controls on session notes and treatment records — limiting who within the organization can view sensitive records.
- Telehealth platform security, particularly for video sessions conducted on consumer platforms.
- Patient portal access and communication security.
- Staff training on the distinction between HIPAA requirements and the stricter Part 2 protections for substance use disorder records.
- Physical privacy in shared office buildings or multi-tenant suites.
Business Associates
Business associates are independently responsible for conducting their own HIPAA risk assessments. A covered entity’s assessment does not extend to its business associates’ environments. If you are a business associate — a billing service, IT vendor, transcription company, cloud storage provider, or consulting firm that handles ePHI — your HIPAA obligations are essentially identical to those of a covered entity with respect to the Security Rule.
Business associates should pay particular attention to:
- The specific ePHI they receive from each covered entity client and how it is segregated.
- Sub-contractor (downstream business associate) relationships and whether sub-BAAs are in place.
- Breach notification obligations to covered entities and the contractual timelines in BAAs.
Our dedicated guide to HIPAA risk assessments for business associates covers the specific requirements and common gaps in BA assessment programs.
Frequently Asked Questions
What is the difference between a HIPAA risk analysis and a risk assessment?
"Risk analysis" and "risk assessment" refer to the same requirement: the regulation text at 45 CFR 164.308(a)(1)(ii)(A) uses "risk analysis," while HHS's tool and most practitioners say "risk assessment." Either way it means the identification and evaluation of threats and vulnerabilities to ePHI. The distinct requirement is risk management (45 CFR 164.308(a)(1)(ii)(B)), the broader process of implementing security measures to reduce identified risks to a reasonable and appropriate level. HIPAA requires both. Completing only the analysis without acting on findings in a remediation plan does not satisfy the Security Rule.
How long does a HIPAA risk assessment take?
For a small practice (1–10 staff), a thorough assessment using the HHS SRA Tool typically takes 8–16 hours of staff time over 1–2 weeks. Mid-sized medical groups with multiple systems and locations generally need 3–6 weeks. Large health systems with complex infrastructure may require 2–4 months working with an outside consultant. Thoroughness matters more than speed — rushing through an assessment to meet a deadline undermines its value and may not satisfy OCR expectations.
Can I use the free HHS SRA Tool for my risk assessment?
Yes. HHS and ONC offer a free Security Risk Assessment Tool (updated to v3.6 in 2025) that guides covered entities and business associates through the process required under 45 CFR 164.308. It produces exportable reports suitable for OCR audit documentation. Download it free at healthit.gov. The tool is best suited for small and medium-sized practices; larger organizations with complex environments may need supplementary assessments.
What happens if I don’t conduct a HIPAA risk assessment?
Failure to conduct a risk assessment is the most frequently cited violation in OCR enforcement actions. Base penalties for this deficiency alone range from $100 to $50,000 per violation, with annual maximums up to $1.9 million for willful neglect; both figures are adjusted for inflation each year. OCR launched a targeted enforcement initiative in 2025 specifically focused on this deficiency. Beyond financial penalties, organizations without a documented risk assessment have no defensible basis for the security decisions they have — or have not — made. Review our OCR audit program guide for a full overview of what investigators examine.
How often is a HIPAA risk assessment required?
HIPAA does not specify a fixed interval, but OCR guidance and enforcement precedent establish annual assessment as the expected minimum. A new or updated assessment is also required whenever there is a significant operational change: implementing a new EHR system, opening a new location, experiencing a security incident, changing key business associate relationships, or onboarding major new technology. Build risk assessment into your annual compliance calendar rather than treating it as a one-time task.
Do business associates need to conduct their own risk assessments?
Yes. Business associates are independently required to conduct their own HIPAA security risk assessments under 45 CFR 164.308(a)(1). A covered entity’s risk assessment does not cover the business associate’s own systems and environments. Covered entities should confirm as part of BAA oversight that their business associates conduct regular risk assessments. See our guide to HIPAA risk assessments for business associates for the specific requirements.
Risk Assessment Takeaways
A thorough HIPAA risk assessment is the foundation for every other compliance action your organization takes. Without knowing where ePHI exists, what threatens it, and how well your controls perform, you cannot make informed security decisions. Spending, policy development, and incident response all depend on the knowledge a rigorous assessment produces.
The step-by-step process in this guide — from scoping and asset inventory through threat identification, vulnerability analysis, risk scoring, and remediation planning — gives you a repeatable methodology that meets regulatory expectations and genuinely improves your security posture. Organizations that conduct honest, thorough risk assessments and act on their findings avoid breaches, withstand OCR scrutiny, and earn the trust of patients and partners.
One Guy Consulting helps healthcare organizations conduct comprehensive HIPAA risk assessments that satisfy regulatory requirements and produce actionable results. Our founder, Chuck Weiselberg, is a Certified HIPAA Professional (C.H.P.) with 10+ years of hands-on HIPAA compliance experience, having supported compliance officers at hundreds of healthcare organizations through assessment cycles without a single audit failure. Start your security risk assessment with One Guy Consulting or explore our complete HIPAA compliance guide for the broader regulatory context.
Sources
- HHS OCR — HIPAA Security Rule Guidance (45 CFR 164.308)
- ONC — Security Risk Assessment Tool (v3.6)
- HHS OCR — Final Guidance on Risk Analysis Requirements
- HHS OCR — Resolution Agreements and Civil Money Penalties
Related Reading: HIPAA risk assessment requirements for business associates — What is a HIPAA gap analysis and how does it differ from a risk assessment? — Complete HIPAA compliance guide for 2026
Risk Assessments by Practice Type
Risk factors differ significantly by specialty. For detailed compliance guidance tailored to your organization type, see our guides for dental practices, behavioral health providers, pharmacies, and medical practices.