What Is a HIPAA Security Risk Assessment?
A HIPAA Security Risk Assessment (SRA) is a formal, documented process required by the HIPAA Security Rule (45 CFR § 164.308(a)(1)(ii)(A)). It requires every covered entity and business associate to conduct an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability (CIA) of all electronic protected health information (ePHI) they create, receive, maintain, or transmit.
This isn't optional. A missing or inadequate SRA is one of the most frequently cited findings in OCR enforcement actions. In 2023 and 2024, failure to conduct a thorough risk analysis, or to follow it with a risk management process, was the most common finding in OCR audits and settlements, and in late 2024 OCR launched a dedicated Risk Analysis enforcement initiative. Penalties have ranged from $250,000 to several million dollars.
Who Must Conduct an SRA?
- Covered entities: Healthcare providers that transmit health information electronically (hospitals, clinics, physician practices, pharmacies), health plans, and healthcare clearinghouses
- Business associates: Any organization that creates, receives, maintains, or transmits ePHI on behalf of a covered entity — including SaaS platforms, cloud hosting providers, EHR vendors, billing services, data analytics companies, and any other healthcare technology provider
If you're a SaaS company that has signed or should sign a HIPAA Business Associate Agreement (BAA), you are a business associate and the SRA applies to you.
The 9 Required Elements of a HIPAA SRA
OCR's guidance ("Guidance on Risk Analysis Requirements under the HIPAA Security Rule") outlines 9 required elements that every SRA must address:
| # | Element | What It Means in Practice |
|---|---|---|
| 1 | Scope of the analysis | Identify all ePHI your organization creates, receives, maintains, or transmits — including cloud systems, databases, mobile apps, APIs, email, backups, and paper records converted to electronic form |
| 2 | Data collection | Document where ePHI lives: which systems, databases, applications, and devices. Many organisations undercount — don't forget analytics tools, customer support systems, and backup storage |
| 3 | Identify and document potential threats and vulnerabilities | Threats: malware/ransomware, phishing, insider threat, unauthorised access, natural disasters, hardware failure. Vulnerabilities: unpatched software, weak access controls, lack of encryption, missing MFA |
| 4 | Assess current security measures | Evaluate what you have in place: encryption, MFA, RBAC, audit logging, backup procedures, training programmes |
| 5 | Determine the likelihood of threat occurrence | For each threat/vulnerability pair: how likely is exploitation? Consider: threat capability, vulnerability severity, existing controls |
| 6 | Determine the potential impact of threat occurrence | If exploited: impact on confidentiality (data breach), integrity (data corruption), availability (system downtime). Consider patient safety implications |
| 7 | Determine level of risk | Combine likelihood × impact to get a risk level (High/Medium/Low). Document your methodology — any consistent approach is acceptable |
| 8 | Finalize documentation | The SRA must be written and maintained. "Documented" is not optional. A meeting without minutes does not constitute an SRA |
| 9 | Periodic review and updates | The SRA is not a one-time exercise. It must be reviewed and updated when operations, systems, or the threat landscape materially change; OCR recommends an annual review as a baseline, although the rule itself sets no fixed interval |
Common SRA Mistakes That Get Caught in OCR Audits
- Scoping only the EHR: The SRA must cover all systems that create, receive, maintain, or transmit ePHI. This includes your cloud infrastructure, email, customer support tools (if support agents see ePHI), analytics dashboards, backup systems, and any third-party integrations.
- No documentation: OCR consistently asks for the written SRA during investigations. "We did it verbally" is not acceptable. Use the HIPAA SRA Generator to produce a properly structured document.
- No risk management follow-through: Identifying risks without documenting treatment decisions is incomplete. For each identified risk, you must document: accept, mitigate, transfer (insurance/contractual), or avoid.
- Treating the SRA as a one-time exercise: The SRA must be updated when you add new ePHI systems, change cloud providers, onboard new BAAs, experience a security incident, or when the threat landscape significantly changes.
- Missing BAAs: The SRA often reveals third-party systems that touch ePHI without a BAA in place. Fix this immediately — a missing BAA is a separate HIPAA violation. Use the HIPAA BAA Generator to create the agreements.
- Confusing the HIPAA Privacy Rule with the Security Rule: The Privacy Rule governs how PHI in any form (paper, spoken, electronic) may be used and disclosed. The Security Rule, and the SRA it requires, governs how ePHI is protected. Both apply to business associates.
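Elements 5 to 8 of the table above, and the "no risk management follow-through" mistake in the list, both come down to the same artefact: a risk register in which every threat/vulnerability pair carries a likelihood, an impact, a derived risk level and a recorded treatment decision. The following Python is an added example, not part of this guide or of the ComplyKit generator; the 3x3 scale, the High/Medium/Low thresholds and the sample environment are assumptions chosen for illustration (OCR accepts any consistent, documented methodology).

```python
"""Risk register for SRA elements 5-8: score likelihood x impact, map the
score to a risk level, and flag the register as incomplete until every
risk has a documented treatment decision. Added illustration only."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


TREATMENTS = {"accept", "mitigate", "transfer", "avoid"}


@dataclass
class Risk:
    asset: str                       # system holding ePHI (from the element-2 inventory)
    threat: str
    vulnerability: str
    likelihood: Level                # element 5
    impact: Level                    # element 6
    existing_controls: list[str] = field(default_factory=list)   # element 4
    treatment: Optional[str] = None  # accept / mitigate / transfer / avoid
    rationale: str = ""              # why that treatment is justified

    @property
    def score(self) -> int:
        return int(self.likelihood) * int(self.impact)   # 1..9

    @property
    def level(self) -> str:
        # Thresholds are an assumption of this example; any consistent,
        # documented mapping satisfies element 7.
        if self.score >= 6:
            return "High"
        if self.score >= 3:
            return "Medium"
        return "Low"


def validate_register(risks: list[Risk]) -> list[str]:
    """Return the gaps that make the register incomplete (element 8)."""
    problems = []
    for r in risks:
        tag = f"{r.asset} / {r.threat}"
        if r.treatment not in TREATMENTS:
            problems.append(f"{tag}: no treatment decision recorded")
        elif r.treatment == "accept" and not r.rationale:
            problems.append(f"{tag}: accepted {r.level} risk without a rationale")
    return problems


def summarize(risks: list[Risk]) -> dict[str, int]:
    """Count risks per level for the report's summary table."""
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for r in risks:
        counts[r.level] += 1
    return counts


def render(risks: list[Risk]) -> str:
    """Render a plain-text register, highest risk first."""
    rows = sorted(risks, key=lambda r: r.score, reverse=True)
    lines = [f"{'Level':<7}{'Score':<6}{'Asset':<26}{'Threat':<20}Treatment"]
    for r in rows:
        lines.append(f"{r.level:<7}{r.score:<6}{r.asset:<26}{r.threat:<20}{r.treatment or 'MISSING'}")
    return "\n".join(lines)


# Constructed sample register for a hypothetical SaaS environment.
SAMPLE_REGISTER = [
    Risk("Production RDS (Postgres)", "Ransomware", "Backups in the same AWS account, no immutable copy",
         Level.MEDIUM, Level.HIGH, ["Daily snapshots", "MFA on console"], "mitigate",
         "Cross-account backup vault with a 30-day lock by Q3"),
    Risk("Support mailbox", "Phishing", "Agents see ePHI; MFA is SMS-based",
         Level.HIGH, Level.MEDIUM, ["Mail filtering"]),                 # treatment still undecided
    Risk("Analytics warehouse", "Unauthorised access", "Service account reads all ePHI tables",
         Level.LOW, Level.HIGH, ["Audit logging"], "accept"),           # accepted with no rationale
    Risk("Laptop fleet", "Device loss", "Cached ePHI in browser sessions",
         Level.LOW, Level.LOW, ["Full-disk encryption", "Remote wipe"], "accept",
         "FDE plus remote wipe keeps the residual risk low"),
]

if __name__ == "__main__":
    print(render(SAMPLE_REGISTER))
    for gap in validate_register(SAMPLE_REGISTER):
        print("GAP:", gap)
```

Running it prints the four sample risks sorted by score and then two gaps: the phishing risk has no treatment at all, and the analytics risk was accepted without a rationale. Both are exactly the kind of omission an investigator looks for when asking whether risk management followed the analysis.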
HIPAA Security Rule Safeguard Categories
Your SRA should assess controls across all three safeguard categories:
Administrative Safeguards (§ 164.308)
The largest category — covers your policies, procedures, and people:
- Risk management process (the SRA itself, plus treatment decisions)
- Workforce clearance procedures and access authorisation
- Security awareness and training programme
- Security incident procedures
- Contingency planning (data backup plan, disaster recovery plan, emergency mode operation plan; usually documented together as a BCP/DRP)
- Business associate contracts and oversight
Physical Safeguards (§ 164.310)
Often the lightest category for cloud-first SaaS companies, because the data centre controls sit with your cloud provider under its BAA. You remain responsible for everything outside the provider's facilities: your offices, laptops, and removable media.
- Facility access controls (data centre security is covered by AWS/GCP/Azure if you use them under their BAA; access to your own office space still needs a documented policy)
- Workstation use restrictions
- Device and media controls (secure disposal of hardware, full-disk encryption)
Technical Safeguards (§ 164.312)
The most technical category:
- Access control (unique user IDs, emergency access procedure, automatic logoff, encryption at rest)
- Audit controls (logging of ePHI access and modifications)
- Integrity controls (checksums, data validation)
- Transmission security (TLS 1.2+ for all ePHI in transit)
The Encryption Safe Harbour
One of the most important, and often overlooked, provisions in HIPAA is the encryption safe harbour under the Breach Notification Rule (45 CFR § 164.402, definition of "unsecured protected health information"). ePHI that is encrypted in line with HHS guidance is not "unsecured PHI", so the loss or theft of that encrypted data is not a reportable breach. The safe harbour does not apply if the encryption key was compromised along with the data, which is why key management (keys stored separately from the data, restrictive key policies, rotation) belongs in the SRA alongside the encryption itself.
This means encryption is more than a Security Rule control: it is your primary protection against mandatory breach notification to HHS, to affected individuals and, for breaches affecting more than 500 individuals in a state, to the media. For SaaS companies handling ePHI, it is the single highest-ROI security investment you can make.
Minimum standard: HHS guidance points to NIST SP 800-111 for data at rest and NIST SP 800-52 for TLS in transit, which in practice means AES-128 or stronger at rest and TLS 1.2 or higher in transit. Most modern cloud databases (RDS, Cloud SQL, Firestore) offer encryption at rest, but it is not guaranteed to be enabled on every existing instance, read replica, or snapshot, so verify it rather than assuming it.
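"Verify it's enabled" is a concrete check, and the safe harbour only holds for the copies you actually looked at, including replicas and snapshots. The following Python is an added example, not part of this guide or of any ComplyKit tooling: it audits encryption at rest for Amazon RDS instances and snapshots, working from the dict shape that boto3's `rds.describe_db_instances()` and `describe_db_snapshots()` return. The sample responses are constructed (made-up identifiers and key ARNs); the `live_audit` helper runs the same checks against a real account and is only exercised if you call it with credentials in place.

```python
"""Audit Amazon RDS for encryption at rest (instances and snapshots) using
the response shape of boto3's describe_db_instances / describe_db_snapshots.
Added illustration; sample data below is constructed."""
from typing import Any

# Constructed sample pages shaped like the boto3 responses. Values are made up.
SAMPLE_INSTANCES = {
    "DBInstances": [
        {"DBInstanceIdentifier": "ephi-prod", "Engine": "postgres",
         "StorageEncrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/example-cmk",
         "PubliclyAccessible": False},
        {"DBInstanceIdentifier": "analytics-replica", "Engine": "postgres",
         "StorageEncrypted": False, "PubliclyAccessible": False},
        {"DBInstanceIdentifier": "legacy-mysql", "Engine": "mysql",
         "StorageEncrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/example-cmk",
         "PubliclyAccessible": True},
    ]
}
SAMPLE_SNAPSHOTS = {
    "DBSnapshots": [
        {"DBSnapshotIdentifier": "rds:ephi-prod-2024-05-01",
         "DBInstanceIdentifier": "ephi-prod", "Encrypted": True},
        {"DBSnapshotIdentifier": "analytics-replica-manual",
         "DBInstanceIdentifier": "analytics-replica", "Encrypted": False},
    ]
}


def audit_instances(page: dict[str, Any]) -> list[dict[str, str]]:
    """Flag instances whose storage is unencrypted or whose endpoint is public."""
    findings = []
    for db in page.get("DBInstances", []):
        name = db["DBInstanceIdentifier"]
        if not db.get("StorageEncrypted", False):
            findings.append({"resource": name, "issue": "storage not encrypted at rest"})
        if db.get("PubliclyAccessible", False):
            findings.append({"resource": name, "issue": "publicly accessible endpoint"})
    return findings


def audit_snapshots(page: dict[str, Any]) -> list[dict[str, str]]:
    """Snapshots are backups, and backups are in SRA scope: flag unencrypted ones."""
    return [
        {"resource": snap["DBSnapshotIdentifier"], "issue": "snapshot not encrypted"}
        for snap in page.get("DBSnapshots", [])
        if not snap.get("Encrypted", False)
    ]


def audit_all(instances: dict[str, Any], snapshots: dict[str, Any]) -> list[dict[str, str]]:
    """Combined findings for one page of each response."""
    return audit_instances(instances) + audit_snapshots(snapshots)


def live_audit(region: str) -> list[dict[str, str]]:
    """Run the same checks against a real account. Needs boto3 and AWS credentials."""
    import boto3  # imported lazily so the offline sample runs without it
    rds = boto3.client("rds", region_name=region)
    findings: list[dict[str, str]] = []
    for page in rds.get_paginator("describe_db_instances").paginate():
        findings.extend(audit_instances(page))
    for page in rds.get_paginator("describe_db_snapshots").paginate():
        findings.extend(audit_snapshots(page))
    return findings


if __name__ == "__main__":
    for f in audit_all(SAMPLE_INSTANCES, SAMPLE_SNAPSHOTS):
        print(f"{f['resource']}: {f['issue']}")
```

On the sample data this reports three findings: the read replica is unencrypted, its manual snapshot is unencrypted, and the MySQL instance is encrypted but reachable from the internet. The replica is the case that matters for the safe harbour: encryption cannot be switched on for an existing unencrypted RDS instance, so the fix is to snapshot it, copy the snapshot with a KMS key, and restore from the encrypted copy. Prefer a customer-managed KMS key with a restrictive key policy, since the safe harbour is lost if the key is compromised with the data.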
How Often to Conduct the SRA
HIPAA doesn't specify a fixed frequency (unlike many regulations that require "annual" reviews). Instead, it requires review and update "on a periodic basis" or when "environmental or operational changes" occur. OCR's guidance suggests annual reviews as best practice, plus updates triggered by:
- Adding new ePHI systems or integrations
- Changing cloud providers or infrastructure
- Significant workforce changes (large hiring, layoffs, reorganisation)
- Security incidents
- Changes to your service scope with covered entity customers
- New threat intelligence relevant to your systems
OCR Enforcement: What's at Stake
HIPAA civil penalties have four tiers. The figures below are the statutory amounts set by the HITECH Act; HHS adjusts them for inflation each year, and under a 2019 notice of enforcement discretion OCR applies lower annual caps to tiers 1 to 3 ($25,000, $100,000 and $250,000 respectively), reserving the full cap for uncorrected willful neglect:
| Tier | Culpability | Per Violation | Annual Cap (statutory) |
|---|---|---|---|
| 1 | Unknowing violation | $100–$50,000 | $1.5 million |
| 2 | Reasonable cause (knew or should have known) | $1,000–$50,000 | $1.5 million |
| 3 | Willful neglect, corrected within 30 days | $10,000–$50,000 | $1.5 million |
| 4 | Willful neglect, not corrected | $50,000 minimum | $1.5 million |
Failing to conduct an SRA at all, or conducting one that OCR deems inadequate, typically falls into Tier 2 ("knew or should have known") or worse. Recent settlements citing risk analysis failures include $950K (Heritage Valley Health System, 2024) and $1.5M (Eyefinity, 2024). OCR's right-of-access settlements ($875K across multiple small providers in 2024) are Privacy Rule enforcement, a separate matter from the SRA, but they show that small providers are not below OCR's radar.
Generate Your HIPAA SRA
The ComplyKit HIPAA Security Risk Assessment Generator walks you through all three safeguard categories across 23 controls. It generates a formatted SRA report covering scope, ePHI inventory, threat/vulnerability assessment, risk levels, and remediation roadmap — ready to present to OCR or an auditor.
Supporting documents you'll also need:
- HIPAA BAA — for every vendor who touches ePHI
- Incident Response Plan — including HIPAA Breach Notification Rule procedures
- BCP/DRP — contingency planning requirement under § 164.308(a)(7)
- Information Security Policy — covering all administrative safeguards
⚠️ This guide is for informational purposes and does not constitute legal or compliance advice. HIPAA compliance should be reviewed by qualified healthcare legal counsel. OCR does not endorse any commercial SRA tool.