HIPAA Security Rule

HIPAA Security Risk Assessment

A HIPAA Security Risk Assessment (SRA) is required for every covered entity and business associate under 45 CFR §164.308(a)(1)(ii)(A). It identifies reasonably anticipated threats and vulnerabilities to electronic protected health information (ePHI), and it is the foundation on which the rest of Security Rule compliance is built.


What Is a HIPAA Security Risk Assessment?

A HIPAA Security Risk Assessment (SRA) is a required analysis under 45 CFR §164.308(a)(1)(ii)(A). It identifies risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI).

A missing or inadequate SRA is the deficiency most frequently cited in OCR enforcement actions and HIPAA audits.


Key Definitions

Electronic Protected Health Information (ePHI) is protected health information that is created, received, maintained, or transmitted in electronic form (45 CFR §160.103).

This includes data in EHR systems, email, digital imaging, cloud storage, mobile devices, and any electronic medium containing individually identifiable health information.

Security Risk Assessment (SRA) is the process of identifying reasonably anticipated threats to ePHI, rating the likelihood and impact of each threat against the vulnerabilities it could exploit, and documenting the controls used to reduce the resulting risk.

This requirement is in the HIPAA Security Rule's Administrative Safeguards at §164.308(a)(1)(ii)(A).

Covered Entity means a health plan, healthcare clearinghouse, or healthcare provider that transmits health information electronically in connection with a covered transaction (45 CFR §160.103).

Business Associate is a person or entity that performs functions involving PHI on behalf of a covered entity (45 CFR §160.103). Business associates are independently required to conduct their own SRA under the Security Rule.

What the HIPAA Security Rule Requires in a Risk Assessment

The HIPAA Security Rule (45 CFR Part 164, Subpart C) does not prescribe a single SRA methodology. OCR's Guidance on Risk Analysis Requirements under the HIPAA Security Rule and its enforcement actions do, however, set clear expectations for what a compliant analysis contains.

NIST SP 800-30 Rev. 1 (Guide for Conducting Risk Assessments) and NIST SP 800-66 Rev. 2 (Implementing the HIPAA Security Rule: A Cybersecurity Resource Guide) are the accepted frameworks for meeting this requirement. Key elements include:

  • Scope - Identify all ePHI the organization creates, receives, maintains, or transmits. Include data at rest and data in transit across every system, device, location, and vendor connection; ePHI the inventory misses is ePHI the analysis cannot protect.
  • Threat identification - Record reasonably anticipated threats to ePHI. Examples include natural disasters, human error, insider threats, malware, ransomware, and unauthorized access. Organizations without a documented incident response and management program are more exposed when one of these threats materializes.
  • Vulnerability assessment - Identify gaps in administrative safeguards (§164.308), physical safeguards (§164.310), and technical safeguards (§164.312). SRA work often finds weak physical safeguard controls and missing device inventories and IT audit records.
  • Likelihood and impact analysis - Rate how likely each threat is to exploit each identified gap, then rate the impact on the confidentiality, integrity, and availability of ePHI if it does.
  • Risk rating - Assign a risk level to each threat and vulnerability pair by combining its likelihood and impact ratings. Use those levels to set remediation priority, so that the highest-risk pairs are addressed first.
  • Remediation plan - Record the security measures that reduce each risk to a reasonable and appropriate level, as §164.306(b) requires, and the implementation specification at §164.308(a)(1)(ii)(B) makes that risk management step its own requirement. OGC builds HIPAA remediation plans with phases, owners, and evidence checkpoints.
  • Documentation - Keep the SRA and all supporting records for at least six years from the date of creation or the date they were last in effect, whichever is later, under §164.316(b)(2)(i).
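The likelihood and impact, risk rating, remediation, and documentation steps above (and Phase 5, Risk Scoring and Prioritization, in the methodology below) are easiest to see as a small risk register. The following is an added example written for this page, not OGC's tooling or any NIST-published code. It assumes a five-level qualitative scale and a likelihood-by-impact matrix adapted from NIST SP 800-30 Rev. 1, Appendix I (Table I-2); the remediation target days are assumed internal SLAs, and the findings are constructed, not taken from a real engagement.

```python
"""Qualitative risk scoring and prioritization for an SRA risk register.

Constructed example for this page: the findings below are illustrative, not
from any real assessment. The risk matrix is adapted from NIST SP 800-30
Rev. 1, Appendix I (Table I-2); check it against your copy before adopting it.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

LEVELS = ("Very Low", "Low", "Moderate", "High", "Very High")
RANK = {name: i for i, name in enumerate(LEVELS)}

# Rows are likelihood, columns are impact, both ordered as in LEVELS.
RISK_MATRIX = {
    "Very Low":  ("Very Low", "Very Low", "Very Low", "Low", "Low"),
    "Low":       ("Very Low", "Low", "Low", "Low", "Moderate"),
    "Moderate":  ("Very Low", "Low", "Moderate", "Moderate", "High"),
    "High":      ("Very Low", "Low", "Moderate", "High", "Very High"),
    "Very High": ("Very Low", "Low", "Moderate", "High", "Very High"),
}

# Remediation target in days per risk level. Assumed internal SLAs, not
# values taken from the Security Rule or OCR guidance.
TARGET_DAYS = {"Very High": 30, "High": 60, "Moderate": 90, "Low": 180, "Very Low": 365}


@dataclass(frozen=True)
class Finding:
    fid: str
    asset: str           # system or location where ePHI is stored or flows
    threat: str          # reasonably anticipated threat event
    vulnerability: str   # gap the threat could exploit
    safeguard: str       # Administrative, Physical, or Technical
    cfr: str             # 45 CFR provision the gap maps to
    likelihood: str      # one of LEVELS
    impact: str          # one of LEVELS
    owner: str = "unassigned"


def risk_level(likelihood: str, impact: str) -> str:
    """Combine qualitative likelihood and impact into a single risk level."""
    return RISK_MATRIX[likelihood][RANK[impact]]


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Rank findings by risk level, then by impact; ties keep register order."""
    key = lambda f: (RANK[risk_level(f.likelihood, f.impact)], RANK[f.impact])
    return sorted(findings, key=key, reverse=True)


def distribution(findings: list[Finding]) -> dict[str, int]:
    """Share of findings per safeguard type, as whole-number percentages."""
    counts = Counter(f.safeguard for f in findings)
    return {k: round(100 * v / len(findings)) for k, v in counts.items()}


def remediation_plan(findings: list[Finding], start: date) -> list[dict]:
    """Turn ranked findings into dated work items and flag unowned ones."""
    plan = []
    for f in prioritize(findings):
        level = risk_level(f.likelihood, f.impact)
        plan.append({
            "id": f.fid, "risk": level, "cfr": f.cfr, "owner": f.owner,
            "due": start + timedelta(days=TARGET_DAYS[level]),
            "needs_owner": f.owner == "unassigned",
        })
    return plan


def retention_deadline(created: date, last_in_effect: date) -> date:
    """Six years from creation or from when the record was last in effect,
    whichever is later (45 CFR §164.316(b)(2)(i)). Feb 29 rolls to Feb 28."""
    anchor = max(created, last_in_effect)
    try:
        return anchor.replace(year=anchor.year + 6)
    except ValueError:
        return anchor.replace(year=anchor.year + 6, day=28)


# Constructed sample register (not from a real engagement).
SAMPLE = [
    Finding("F-01", "EHR database", "Ransomware via phished credentials",
            "No MFA on remote access", "Technical", "§164.312(d)",
            "High", "Very High", owner="IT Director"),
    Finding("F-02", "Clinician laptops", "Theft of an unencrypted device",
            "Full-disk encryption not enforced", "Technical",
            "§164.312(a)(2)(iv)", "Moderate", "High"),
    Finding("F-03", "Workforce accounts", "Departed user retains access",
            "Deprovisioning takes weeks", "Administrative",
            "§164.308(a)(3)(ii)(C)", "High", "High", owner="Practice Manager"),
    Finding("F-04", "Server room", "Unauthorized physical entry",
            "Badge logs never reviewed", "Physical", "§164.310(a)(1)",
            "Low", "High"),
    Finding("F-05", "Billing vendor integration", "Vendor-side breach",
            "No BAA review or vendor due diligence", "Administrative",
            "§164.308(b)(1)", "Moderate", "High", owner="Compliance Officer"),
]
SAMPLE_START = date(2025, 1, 15)

if __name__ == "__main__":
    for item in remediation_plan(SAMPLE, SAMPLE_START):
        flag = "  <-- assign owner" if item["needs_owner"] else ""
        print(f'{item["id"]} {item["risk"]:<9} due {item["due"]} {item["owner"]}{flag}')
    print("Distribution by safeguard:", distribution(SAMPLE))
```

Two design points matter for OCR review. The register keeps the threat, the vulnerability, and the safeguard citation as separate fields, because OCR's guidance expects each risk to be traceable to a specific gap, not a generic category. And the ranking is deterministic (ties keep register order), so the same inputs always produce the same priority list, which is what makes the document defensible when it is re-run after a change in the environment.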

Who Must Conduct a HIPAA Security Risk Assessment

The HIPAA Security Rule applies broadly. The following organizations are required to conduct and document a Security Risk Assessment:

  • All covered entities, regardless of size: solo practitioners, group practices, hospitals, health plans, and clearinghouses.
  • All business associates that create, receive, maintain, or transmit ePHI.

A new or updated SRA is also commonly triggered by:

  • New systems, telehealth workflows, or remote work setups that changed the organization's ePHI exposure.
  • Preparation for OCR (Office for Civil Rights) reviews, payer credentialing, mergers and acquisitions due diligence, or contractual security requirements. Many organizations pair this work with a HIPAA gap analysis.

OCR does not set a fixed review interval, but it expects the risk analysis to be an ongoing process rather than a one-time document. Reviewing it at least annually, and whenever significant changes occur in the organization's environment, operations, or technology, is the accepted practice for meeting that expectation.

SRA Enforcement and Penalties

Civil Monetary Penalties

Failure to conduct a Security Risk Assessment is the most frequently cited violation in OCR enforcement actions. Civil monetary penalties under 45 CFR §160.404 currently start at $141 per violation for the lowest culpability tier and are capped at $2,134,831 per calendar year for all violations of an identical provision; the amounts are adjusted for inflation periodically.

Notable OCR Settlements for SRA Failures

OCR has settled cases against organizations of every size, from solo practitioners to large health systems, for failing to conduct an adequate risk analysis. The following enforcement actions show the range of exposure:

  • Banner Health (2023) - $1,250,000 settlement after a 2016 breach affecting 2.81 million individuals. OCR found a failure to conduct an enterprise-wide risk analysis.
  • CHSPSC LLC (2020) - $2,300,000 settlement after a breach affecting 6.1 million individuals. OCR cited a failure to conduct a compliant risk analysis.
  • CardioNet (2017) - $2,500,000 settlement. OCR found that the wireless health services provider had not completed a risk analysis before the theft of a laptop exposed ePHI.
  • Steven A. Porter, M.D. (2020) - $100,000 settlement with a solo practitioner who had not conducted any risk analysis. The case shows that OCR enforces the requirement regardless of organization size.

OIG Findings and Breach Notification Exposure

The HHS Office of Inspector General (OIG) has also found missing or incomplete risk assessments across healthcare. Breach notification rules under 45 CFR §§164.400–414 add more exposure when an SRA gap helps cause a reportable incident.

Authoritative Guidance References

The following federal resources, each referenced on this page, define the methodology and documentation standards OCR applies when evaluating SRA compliance:

  • 45 CFR Part 164, Subpart C (the HIPAA Security Rule), in particular §164.308(a)(1)(ii)(A) and §164.316(b).
  • OCR, Guidance on Risk Analysis Requirements under the HIPAA Security Rule.
  • NIST SP 800-30 Rev. 1, Guide for Conducting Risk Assessments.
  • NIST SP 800-66 Rev. 2, Implementing the HIPAA Security Rule: A Cybersecurity Resource Guide.
  • HHS OCR/ONC Security Risk Assessment (SRA) Tool.

Seven-Phase Methodology

Each phase includes practical checkpoints so the process does not drift into theory, with clear owners and target dates set in the first week.

1. Scoping and Discovery

Confirm legal entity structure, service lines, locations, systems in scope, vendor dependencies, and where ePHI actually flows.

2. Data Flow and Asset Mapping

Document data entry points, repositories, integrations, endpoints, and administrative pathways that affect confidentiality, integrity, and availability.

3. Safeguard Review

Review administrative, physical, and technical controls against HIPAA intent. Check whether each control actually operates in your environment, not just whether a policy says it does. This phase often surfaces the same gaps as a HIPAA gap analysis.

4. Threat and Vulnerability Analysis

Evaluate realistic failure scenarios, including access control failures, vendor issues, endpoint exposure, and process gaps.

5. Risk Scoring and Prioritization

Rate each finding for likelihood and impact so leadership sees a ranked list of what must be addressed first, not an unordered inventory.

6. Remediation Planning

Turn findings into a phased work plan with owners, effort estimates, dependencies, and sequencing.

7. Executive Readout

Deliver an audit-ready package and decision briefing so leaders can approve and fund the right next steps quickly.

SRA Phase to Regulatory Crosswalk

Each phase of the SRA methodology links to specific HIPAA Security Rule provisions, OCR guidance, and NIST framework references. This mapping shows how each deliverable meets regulatory requirements.

| SRA Phase | HIPAA Security Rule (45 CFR) | NIST Reference | OCR Expectation |
|---|---|---|---|
| 1. Scoping & Discovery | §164.308(a)(1)(ii)(A) | SP 800-30 Rev. 1, Step 1 (Prepare for the assessment) | Identify all ePHI the organization creates, receives, maintains, or transmits. |
| 2. Data Flow & Asset Mapping | §164.308(a)(1)(ii)(A); §164.312(e)(1) | SP 800-66 Rev. 2, risk assessment guidelines | Document data at rest and in transit across all systems, devices, and locations. |
| 3. Safeguard Review | §164.308, §164.310, §164.312 | SP 800-66 Rev. 2, safeguard-by-safeguard considerations | Evaluate safeguards against regulatory intent and confirm they operate as documented. |
| 4. Threat & Vulnerability Analysis | §164.308(a)(1)(ii)(A) | SP 800-30 Rev. 1, Step 2, Tasks 2-1 to 2-3 (threat sources, threat events, vulnerabilities) | Identify reasonably anticipated threats and vulnerabilities to ePHI. |
| 5. Risk Scoring & Prioritization | §164.306(b) | SP 800-30 Rev. 1, Step 2, Tasks 2-4 to 2-6 (likelihood, impact, risk) | Assess likelihood and impact; assign a risk level to each threat and vulnerability pair. |
| 6. Remediation Planning | §164.308(a)(1)(ii)(B) | SP 800-30 Rev. 1, Step 3 (Communicate results) | Document the measures that reduce each risk to a reasonable and appropriate level. |
| 7. Executive Readout | §164.316(b) | SP 800-30 Rev. 1, Steps 3 and 4 (Communicate; Maintain) | Keep all SRA records for at least six years (§164.316(b)(2)(i)) and share findings with leadership. |

Where SRA Programs Expose Gaps

Patterns observed across healthcare SRA engagements, by safeguard type and remediation timeline. These are representative figures; results vary by organization size and starting posture.

Risk distribution by safeguard type (share of findings at engagement start, across the three safeguard types):

  • Administrative: 46%
  • Technical: 37%
  • Physical: 17%

Risk reduction over 90 days (measured against the baseline gap score at each milestone):

  • Day 0 (baseline): 0%
  • Day 30, scope and asset map complete: 28%
  • Day 45, high-risk findings closed: 54%
  • Day 60, policies and owners set: 71%
  • Day 90, governance active: 89%

Typical risk posture score, before vs. after an SRA engagement, is tracked on three target post-engagement metrics:

  • High-risk findings with owners
  • Policies updated or created
  • Controls with evidence documentation

From Policy on Paper to Closed Findings

The Situation

A multi-location outpatient group thought their HIPAA program was in good shape. During due diligence with a larger referral partner, they were asked for a current SRA and remediation evidence. Their existing assessment was too high-level and didn't reflect a cloud migration or new remote workflows.

What We Found

Inconsistent role-based access reviews, weak deprovisioning speed for departing users, and incomplete vendor due diligence for one integration path handling ePHI. No consistent process for documenting security exceptions and control compensations.

The Outcome

Full risk inventory, scored findings, and a 90-day remediation plan. Passed partner diligence. Gained a repeatable internal process for reassessing risk after operational changes, shifting from reactive compliance to predictable risk governance.

About the Auditor

Chuck Weiselberg, C.H.P. (Certified HIPAA Professional) is the founder of One Guy Consulting and the lead assessor on all SRA engagements. He has over 20 years of experience supporting customers in achieving their compliance goals, with 10 of those years focused exclusively on HIPAA compliance as a Subject Matter Expert.

He has supported thousands of users at healthcare organizations. He helps Compliance Officers build risk-based compliance programs. None of those customers have failed an audit or received a fine. This track record reflects a repeatable method based on HIPAA rules, practical remediation planning, and audit-ready records.

SRA Considerations by Specialty

We tailor findings and the remediation plan to your practice type so the work is realistic and measurable, not copied from a generic template.

🦷 Dental Practices

Shared operatory workflows, imaging systems, and front-desk crossover access patterns.

🧠 Behavioral Health

Documentation sensitivity, session privacy controls, and communication channel governance.

🏥 Medical Practices

Multi-role access management and EHR workflow segmentation across care teams.

💊 Pharmacies

System integration controls, dispensing-related access paths, and vendor control assurances.

🔗 Business Associates

Client-mandated evidence standards, subcontractor governance, and response SLAs.

SRA Deliverables

📊 Documented Risk Analysis

Risk inventory mapped to your specific environment, not a generic template output.

🗺️ Prioritized Remediation Roadmap

Clear owners, sequenced actions, and measurable outcomes tied to each finding.

📄 Executive Summary

Leadership-ready briefing for compliance stakeholders, payers, and board review.

🔧 Implementation Guidance

Practical direction for converting each finding into a completed control improvement.

🗂️ Audit Evidence Support

Framing and documentation structure designed for audit, contract, and due diligence use.


Frequently Asked Questions

How is an SRA different from a vulnerability scan?

Vulnerability scanning is a technical input. It finds weaknesses in systems and software settings. An SRA is broader. It is required under 45 CFR §164.308(a)(1)(ii)(A) and covers administrative, physical, and technical safeguards. It also reviews real work patterns, vendor relationships, and physical access controls. Scanning can support an SRA, but it does not review administrative gaps, policy gaps, or physical safeguard failures. OCR expects those areas in a complete risk analysis.

How often must the SRA be repeated?

OCR does not give one fixed interval, but its guidance points to at least annual review. You should also reassess risk after major changes. Examples include new systems, cloud moves, remote workers, or new vendors that handle ePHI. Under 45 CFR §164.308(a)(1)(ii)(A), the risk analysis must stay current and accurate. It cannot be a one-time document.

Do we have to remediate the findings?

Yes. HIPAA requires you to identify risks and put security measures in place. Those measures must reduce risk to a reasonable and appropriate level under §164.306(b). Many organizations complete an SRA and then stall. OGC offers remediation planning and follow-through support so teams can close findings with evidence.

What does the SRA report include?

Every report includes a full risk inventory, ratings, and a prioritized remediation plan. The plan includes clear action steps. You receive records detailed enough for OCR review and practical enough for your team to use.

Can the free HHS SRA Tool satisfy the requirement on its own?

Not fully. The HHS/ONC Security Risk Assessment Tool is a useful starting point. OCR guidance still expects an accurate analysis of your specific environment. A tool output must reflect your actual workflows, vendors, staffing limits, and physical access controls. If it does not, it may not satisfy OCR scrutiny under 45 CFR §164.308(a)(1)(ii)(A). Several settlements, including CardioNet (2017) and Steven A. Porter, M.D. (2020), involved organizations that skipped the SRA or used one that did not reflect actual conditions.

Do business associates need their own SRA?

Yes. Since the HIPAA Omnibus Rule took effect in 2013, business associates must follow the HIPAA Security Rule. They must also conduct their own Security Risk Assessment under 45 CFR §164.308(a)(1)(ii)(A). That duty is separate from any covered entity they serve. The SRA is usually the first step before fixing administrative, physical, and technical safeguard gaps. Business associates should also keep a current Business Associate Agreement with each covered entity partner.
Free Tool: Data Breach Risk Calculator

Answer eight questions about your current security controls and get an instant risk score out of 100, banded by severity (for example, Moderate Risk), with the highest-scoring categories listed as top priority areas. Takes under two minutes. No email required. The eight control areas are:

  • Encryption at rest and in transit
  • Multi-factor authentication
  • Regular risk assessments
  • Employee security training
  • Incident response plan
  • Access controls and audit logging
  • Backup and disaster recovery
  • Vendor / BA security oversight

This calculator provides an estimate for educational purposes only. A comprehensive Security Risk Assessment involves detailed analysis of your specific environment, workflows, and threat landscape. Scores are not a substitute for a formal HIPAA Security Risk Analysis.
Begin Your Security Risk Assessment

An introductory call covers scoping, expected timeline, and a fixed or range-based quote based on your organization's size and complexity.

Book a 30-Minute Intro | Free

Questions About Risk Assessments?

© 2026 | One Guy Consulting | Privacy | Terms