HIPAA Security Risk Assessment
A HIPAA Security Risk Assessment (SRA) is required under 45 CFR §164.308(a)(1)(ii)(A) for all covered entities and business associates. It identifies threats and vulnerabilities to electronic protected health information (ePHI) and forms the foundation of Security Rule compliance.
What Is a HIPAA Security Risk Assessment?
A HIPAA Security Risk Assessment (SRA) is a required analysis under 45 CFR §164.308(a)(1)(ii)(A). It identifies risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI).
The SRA is the single most cited deficiency in OCR enforcement actions and HIPAA audit findings.
Key Definitions
Electronic Protected Health Information (ePHI) is protected health information that is created, received, maintained, or transmitted in electronic form (45 CFR §160.103).
This includes data in EHR systems, email, digital imaging, cloud storage, mobile devices, and any electronic medium containing individually identifiable health information.
Security Risk Assessment (SRA) is the process of identifying reasonably anticipated threats to ePHI, assessing the likelihood and impact of each threat, and documenting the security measures in place to mitigate identified risks.
The requirement appears in the HIPAA Security Rule's Administrative Safeguards at §164.308(a)(1)(ii)(A).
Covered Entity means a health plan, healthcare clearinghouse, or healthcare provider that transmits health information electronically in connection with a covered transaction (45 CFR §160.103).
Business Associate is a person or entity that performs functions involving PHI on behalf of a covered entity (45 CFR §160.103). Business associates are independently required to conduct their own SRA under the Security Rule.
What the HIPAA Security Rule Requires in a Risk Assessment
The HIPAA Security Rule (45 CFR Part 164, Subpart C) does not prescribe a specific SRA methodology. However, OCR's Guidance on Risk Analysis and enforcement actions establish clear expectations.
NIST SP 800-30 (Guide for Conducting Risk Assessments) and NIST SP 800-66 (Implementing the HIPAA Security Rule) provide widely accepted frameworks for satisfying this requirement. Key elements include:
- Scope — Identify all ePHI the organization creates, receives, maintains, or transmits, including data at rest and in transit across all systems, devices, and locations.
- Threat identification — Document reasonably anticipated threats to ePHI, including natural disasters, human error, insider threats, malware, ransomware, and unauthorized access.
- Vulnerability assessment — Identify vulnerabilities in administrative safeguards (§164.308), physical safeguards (§164.310), and technical safeguards (§164.312).
- Likelihood and impact analysis — Assess the probability of each threat exploiting a vulnerability and the potential impact on ePHI confidentiality, integrity, and availability.
- Risk rating — Assign risk levels to each identified threat-vulnerability combination to prioritize remediation.
- Remediation plan — Document security measures to reduce identified risks to a reasonable and appropriate level per §164.306(b).
- Documentation — The SRA and all supporting documentation must be retained for at least six years from the date of creation or the date it was last in effect, whichever is later, per the Security Rule's documentation standard at §164.316(b)(2).
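To make the likelihood, impact and risk-rating steps above concrete, the following is an added example (not from this page, OCR, or NIST) of a small risk register scored on a NIST SP 800-30 style five-point scale and ranked for remediation. The scales, rating bands, residual-risk estimates and sample findings are assumptions constructed for illustration; an actual SRA would use the organization's own scales and findings.

```python
"""Added example: a minimal HIPAA SRA risk register.

Each row pairs a reasonably anticipated threat with a vulnerability, tags the
safeguard family (45 CFR 164.308 administrative / 164.310 physical /
164.312 technical), scores inherent risk as likelihood x impact, and estimates
residual risk after planned controls. Scales and bands are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed five-point scales loosely modelled on NIST SP 800-30 Rev. 1 appendices.
LIKELIHOOD: Dict[str, int] = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}
IMPACT: Dict[str, int] = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}


@dataclass
class Finding:
    threat: str
    vulnerability: str
    safeguard: str                      # "administrative" | "physical" | "technical"
    likelihood: str                     # inherent likelihood (before planned controls)
    impact: str                         # impact on ePHI confidentiality/integrity/availability
    planned_controls: List[str] = field(default_factory=list)
    residual_likelihood: Optional[str] = None  # estimated likelihood after planned controls


def score(likelihood: str, impact: str) -> int:
    """Semi-quantitative risk score in the range 1..25."""
    return LIKELIHOOD[likelihood.lower()] * IMPACT[impact.lower()]


def rating(risk_score: int) -> str:
    """Assumed rating bands over the 1..25 product range."""
    if risk_score >= 15:
        return "High"
    if risk_score >= 8:
        return "Moderate"
    return "Low"


def rank_register(findings: List[Finding]) -> List[dict]:
    """Score every threat/vulnerability pair and order by inherent risk, highest first."""
    rows = []
    for f in findings:
        inherent = score(f.likelihood, f.impact)
        # If no residual estimate was given, residual risk equals inherent risk.
        residual = score(f.residual_likelihood or f.likelihood, f.impact)
        rows.append({
            "threat": f.threat,
            "vulnerability": f.vulnerability,
            "safeguard": f.safeguard,
            "inherent": inherent,
            "rating": rating(inherent),
            "residual": residual,
            "residual_rating": rating(residual),
            "planned_controls": list(f.planned_controls),
        })
    rows.sort(key=lambda r: (-r["inherent"], r["threat"]))
    return rows


def findings_by_safeguard(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per safeguard family (useful for the 'where gaps cluster' view)."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.safeguard] = counts.get(f.safeguard, 0) + 1
    return counts


# Constructed sample findings for a small outpatient practice (not real data).
SAMPLE_FINDINGS: List[Finding] = [
    Finding("Ransomware delivered by phishing", "No MFA on remote EHR access",
            "technical", "high", "very high", ["Enforce MFA on all remote access"], "low"),
    Finding("Lost or stolen laptop", "Laptops not full-disk encrypted",
            "technical", "moderate", "high", ["Deploy full-disk encryption"], "very low"),
    Finding("Former employee retains access", "No documented termination procedure",
            "administrative", "moderate", "moderate", ["Deprovision within 24 hours"], "low"),
    Finding("Unauthorized entry to server closet", "Closet left unlocked",
            "physical", "low", "high", ["Keyed lock and access log"], "very low"),
    Finding("Vendor mishandles ePHI", "Integration vendor has no signed BAA",
            "administrative", "low", "moderate", ["Execute BAA before go-live"]),
]

if __name__ == "__main__":
    for row in rank_register(SAMPLE_FINDINGS):
        print(f"{row['inherent']:>2} {row['rating']:<8} -> residual {row['residual']:>2} "
              f"{row['residual_rating']:<8} | {row['threat']} / {row['vulnerability']}")
    print(findings_by_safeguard(SAMPLE_FINDINGS))
```

Running the file prints the register ordered by inherent risk with the residual score beside each entry, which is the "ranked, not listed" view leadership needs to approve a remediation sequence; the residual column is what makes the plan defensible as reducing risk to a reasonable and appropriate level rather than merely enumerating gaps.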
Who Must Conduct a HIPAA Security Risk Assessment
- All covered entities, regardless of size: solo practitioners, group practices, hospitals, health plans, and clearinghouses
- All business associates that create, receive, maintain, or transmit ePHI
- Organizations that have added new systems, telehealth workflows, or remote work configurations that changed their ePHI exposure
- Organizations preparing for OCR (Office for Civil Rights) compliance reviews, payer credentialing, mergers and acquisitions due diligence, or contractual security requirements
The Security Rule sets no fixed interval for re-performing the SRA. OCR's guidance describes risk analysis as an ongoing process, and in practice organizations review and update it at least annually and whenever significant changes occur in their environment, operations, or technology.
SRA Enforcement and Penalties
Civil Monetary Penalties
Failure to conduct a compliant Security Risk Assessment is the most frequently cited violation in OCR enforcement actions. Under 45 CFR §160.404, as adjusted for inflation, civil monetary penalties start at $141 per violation at the lowest culpability tier and are capped at $2,134,831 per calendar year for all violations of an identical provision.
Notable OCR Settlements for SRA Failures
- Banner Health (2023) — $1,250,000 settlement after a 2016 breach affecting 2.81 million individuals. OCR found failure to conduct an enterprise-wide risk analysis.
- CHSPSC LLC (2020) — $2,300,000 settlement following a breach affecting 6.1 million individuals. OCR cited failure to conduct a compliant risk analysis across the organization.
- CardioNet (2017) — $2,500,000 settlement. OCR determined the wireless health services provider had not conducted an accurate and thorough risk analysis prior to a laptop theft that exposed ePHI.
- Steven A. Porter, M.D. (2020) — $100,000 settlement for a solo practitioner who failed to conduct any risk analysis, demonstrating OCR enforces regardless of organization size.
OIG Findings and Breach Notification Exposure
The HHS Office of Inspector General (OIG) has also identified incomplete or missing risk assessments as a systemic deficiency across the healthcare industry in multiple reports to Congress. Breach notification requirements under 45 CFR §§164.400–414 create additional compliance exposure when an SRA gap contributes to a reportable incident.
Authoritative Guidance References
- OCR Guidance on Risk Analysis — HHS guidance document outlining OCR expectations for SRA scope and methodology
- NIST SP 800-30 Rev. 1 — Guide for Conducting Risk Assessments, widely used as a methodological framework for HIPAA SRAs
- NIST SP 800-66 Rev. 2 — Implementing the HIPAA Security Rule: A Cybersecurity Resource Guide
- HHS/ONC Security Risk Assessment Tool — Free SRA tool developed by ONC and OCR for small and medium healthcare organizations
Seven-Phase Methodology
Each phase includes practical checkpoints so the process does not drift into theory, with clear owners and target dates assigned from the first week.
Scoping and Discovery
Confirm legal entity structure, service lines, locations, systems in scope, vendor dependencies, and where ePHI actually flows.
Data Flow and Asset Mapping
Document data entry points, repositories, integrations, endpoints, and admin pathways that affect confidentiality, integrity, and availability.
Safeguard Review
Administrative, physical, and technical controls reviewed against HIPAA intent and practical effectiveness in your specific environment.
Threat and Vulnerability Analysis
Evaluate realistic failure scenarios including access control failures, vendor issues, endpoint exposure, and process gaps.
Risk Scoring and Prioritization
Each finding is rated for likelihood and impact so leadership can see what must be addressed first, ranked, not listed.
Remediation Planning
Findings converted into a phased work plan with owners, estimated effort, dependencies, and implementation sequence.
Executive Readout
Deliver an audit-ready package and decision briefing so leaders can approve and fund the right next steps quickly.
SRA Phase to Regulatory Crosswalk
Each phase of the SRA methodology maps to specific HIPAA Security Rule provisions, OCR guidance expectations, and NIST framework references. This crosswalk shows how each deliverable satisfies regulatory requirements.
Where SRA Programs Expose Gaps
Patterns observed across healthcare SRA engagements by safeguard type and remediation timeline.
Risk Distribution by Safeguard Type (share of findings at engagement start):
- Administrative: 46%
- Technical: 37%
- Physical: 17%
Risk Reduction Over 90 Days: measured against the baseline gap score by milestone. Chart not reproduced here; it shows a representative pattern, and results vary by organization size and starting posture.
Typical Risk Posture Score: before vs. after SRA engagement, with target post-engagement metrics. Chart not reproduced here.
From Policy on Paper to Closed Findings
The Situation
A multi-location outpatient group thought their HIPAA program was in good shape. During due diligence with a larger referral partner, they were asked for a current SRA and remediation evidence. Their existing assessment was too high-level and didn't reflect a cloud migration or new remote workflows.
What We Found
Inconsistent role-based access reviews, weak deprovisioning speed for departing users, and incomplete vendor due diligence for one integration path handling ePHI. No consistent process for documenting security exceptions and control compensations.
The Outcome
Full risk inventory, scored findings, and a 90-day remediation plan. Passed partner diligence. Gained a repeatable internal process for reassessing risk after operational changes, shifting from reactive compliance to predictable risk governance.
About the Auditor
Chuck Weiselberg, C.H.P. (Certified HIPAA Professional) is the founder of One Guy Consulting and the lead assessor on all SRA engagements. He has over 20 years of experience supporting customers in achieving their compliance goals, with 10 of those years focused exclusively on HIPAA compliance as a Subject Matter Expert.
He has supported thousands of users at healthcare organizations, helping Compliance Officers implement risk-based compliance programs — none of whom have failed an audit or received a fine. This track record reflects a repeatable methodology grounded in regulatory requirements, practical remediation planning, and documentation standards that satisfy OCR scrutiny.
SRA Considerations by Specialty
We tailor findings and the remediation plan to your practice type so the work is realistic and measurable, not copied from a generic template.
Dental Practices
Shared operatory workflows, imaging systems, and front-desk crossover access patterns.
Behavioral Health
Documentation sensitivity, session privacy controls, and communication channel governance.
Medical Practices
Multi-role access management and EHR workflow segmentation across care teams.
Pharmacies
System integration controls, dispensing-related access paths, and vendor control assurances.
Business Associates
Client-mandated evidence standards, subcontractor governance, and response SLAs.
SRA Deliverables
Documented Risk Analysis
Risk inventory mapped to your specific environment, not a generic template output.
Prioritized Remediation Roadmap
Clear owners, sequenced actions, and measurable outcomes tied to each finding.
Executive Summary
Leadership-ready briefing for compliance stakeholders, payers, and board review.
Implementation Guidance
Practical direction for converting each finding into a completed control improvement.
Audit Evidence Support
Framing and documentation structure designed for audit, contract, and due diligence use.
Data Breach Risk Calculator
Answer eight questions about your current security controls and get an instant risk score. Takes under two minutes — no email required.
This calculator provides an estimate for educational purposes only. A comprehensive Security Risk Assessment involves detailed analysis of your specific environment, workflows, and threat landscape. Scores are not a substitute for a formal HIPAA Security Risk Analysis.
Begin Your Security Risk Assessment
An introductory call covers scoping, expected timeline, and a fixed or range-based quote based on your organization's size and complexity.
Book a 30-Minute Intro (Free)