Why You Need a Structured Risk Assessment Framework
The Security Risk Assessment is the single most important HIPAA compliance requirement — and the one most frequently cited by OCR in enforcement actions. Yet many organizations either skip it entirely or conduct assessments that fail to meet OCR’s expectations. The difference between a passing SRA and one that triggers penalties comes down to methodology, documentation, and thoroughness.
This template provides the framework OCR expects to see. It covers all elements required by 45 CFR § 164.308(a)(1)(ii)(A) and aligns with NIST SP 800-30 methodology, which OCR has endorsed as the gold standard for healthcare risk assessment.
Step 1: Define Your Scope and Asset Inventory
Before assessing risk, you must know what you’re protecting. Your asset inventory should document every system, device, and location where ePHI is created, received, maintained, or transmitted.
Electronic systems: EHR/practice management systems, billing platforms, patient portals, email systems, cloud storage services, scheduling software, lab and imaging interfaces, telehealth platforms, and any other software that touches patient data.
Hardware: Workstations, laptops, tablets, smartphones, servers, network equipment (routers, switches, firewalls), printers/copiers/fax machines, medical devices that store or transmit patient data, and removable media (USB drives, external hard drives).
Physical locations: All office locations, server rooms, data centers (including cloud), home offices (if staff access ePHI remotely), and off-site storage for paper records or backup media.
Data flows: Map how ePHI moves through your organization. Where does it enter (patient intake forms, referrals, lab results)? Where is it stored? Who accesses it? Where does it go when it leaves (claims submissions, referral letters, patient portal messages)? Each data flow is a potential vulnerability that must be assessed.
Step 2: Identify Threats and Vulnerabilities
For each asset and data flow, identify what could go wrong. OCR expects you to consider both threat sources and the vulnerabilities they exploit.
Human threats: External attackers (phishing, ransomware, credential stuffing), malicious insiders (disgruntled employees, snooping), and unintentional errors (misdirected emails, lost devices, improper disposal).
Environmental threats: Natural disasters (floods, fires, storms), power failures, and hardware failures that could destroy or make ePHI inaccessible.
Technical vulnerabilities: Unpatched software, weak passwords, lack of MFA, unencrypted data, misconfigured firewalls, unsecured wireless networks, outdated operating systems, and insufficient backup systems.
Administrative vulnerabilities: Lack of written policies, insufficient workforce training, no incident response plan, missing or outdated BAAs, and failure to enforce sanctions for policy violations.
Step 3: Assess Current Security Controls
Document what safeguards are already in place. For each HIPAA Security Rule standard, record your current implementation status. Key areas include access controls and authentication (who can access what, and how do they prove identity), encryption status for data at rest and in transit, audit logging and monitoring capabilities, physical security measures (locks, cameras, badge access), backup and disaster recovery procedures, workforce training program and frequency, incident detection and response procedures, and business associate management (BAA inventory, vendor oversight).
Be honest in this assessment. The purpose is to identify gaps, not to create a passing document. OCR investigators can tell the difference between a genuine assessment and a checkbox exercise.
Step 4: Determine Risk Levels
For each identified threat-vulnerability pair, assess the likelihood of occurrence and the potential impact if it occurs. Use a consistent rating scale.
Likelihood scale: Low — the threat source is unlikely to exploit the vulnerability given current controls. Medium — the threat source could exploit the vulnerability; the controls in place provide moderate protection. High — the threat source is highly motivated and capable, and current controls are inadequate.
Impact scale: Low — exploitation would result in limited harm to individuals or the organization. Medium — exploitation would result in significant harm (financial loss, operational disruption, harm to a small number of individuals). High — exploitation would result in severe harm (large-scale breach, regulatory penalties, significant harm to many individuals, business-threatening consequences).
Risk level: Combine likelihood and impact to determine overall risk. High likelihood + High impact = Critical risk requiring immediate action. Any combination involving “High” in either dimension = High risk requiring priority remediation. Medium/Medium = Moderate risk requiring planned remediation. Low combinations = Low risk that should be documented and monitored.
Step 5: Create Your Risk Management Plan
This is where many organizations fall short. Identifying risks is not enough — OCR requires documented evidence that you have a plan to address them. For each risk rated Medium or above, document the specific remediation action planned, the person responsible for implementing it, the target completion date, the resources needed (budget, tools, personnel), and the acceptable residual risk after remediation.
Not every risk can be eliminated. Some must be mitigated (reduced to an acceptable level), some can be transferred (through cyber insurance or vendor contracts), and some may be accepted if the cost of remediation significantly exceeds the potential impact. Document your rationale for each decision.
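As an added worked example (not part of the original template), the following Python sketch encodes the Step 4 rating matrix and the Step 5 plan check over a small risk register. The `RiskItem` fields, helper names and sample register entries are assumptions chosen for illustration; the page defines the rating rules but does not say how Medium/Low combinations score, and the code treats them as Low.

```python
from dataclasses import dataclass
ORDER = ("Critical", "High", "Moderate", "Low")  # remediation priority, highest first

def risk_level(likelihood: str, impact: str) -> str:
    # Step 4 matrix: High+High = Critical; any High = High; Medium/Medium = Moderate;
    # everything else = Low (assumption: the page's "Low combinations" include Medium/Low)
    if likelihood == impact == "High":
        return "Critical"
    if "High" in (likelihood, impact):
        return "High"
    if likelihood == impact == "Medium":
        return "Moderate"
    return "Low"

@dataclass
class RiskItem:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    treatment: str = "mitigate"  # mitigate | transfer | accept (Step 5)
    owner: str = ""              # person responsible for remediation
    action: str = ""             # specific remediation action planned
    due: str = ""                # target completion date (ISO 8601)
    rationale: str = ""          # required when a risk is accepted
    @property
    def level(self) -> str:
        return risk_level(self.likelihood, self.impact)

def remediation_plan(register: list) -> list:
    # Step 5: every risk rated above Low needs a documented plan; order by priority
    return sorted((r for r in register if r.level != "Low"),
                  key=lambda r: ORDER.index(r.level))

def plan_gaps(register: list) -> list:
    # Flag plan entries an OCR reviewer would consider incomplete
    gaps = []
    for r in remediation_plan(register):
        if r.treatment == "accept" and not r.rationale:
            gaps.append(f"{r.asset}: accepted risk has no documented rationale")
        elif r.treatment != "accept" and not (r.owner and r.action and r.due):
            gaps.append(f"{r.asset}: {r.level} risk has no owner, action or due date")
    return gaps
SAMPLE_REGISTER = [  # constructed sample values, not from the page
    RiskItem("EHR server", "ransomware operator", "unpatched OS", "High", "High",
             owner="IT lead", action="patch; enable MFA", due="2025-03-31"),
    RiskItem("Clinician laptops", "lost device", "no disk encryption", "Medium", "High"),
    RiskItem("Fax workflow", "misdirected fax", "no recipient check", "Medium", "Medium", treatment="accept"),
    RiskItem("Office power", "power failure", "single UPS", "Low", "Medium"),
]
```

Running `plan_gaps(SAMPLE_REGISTER)` lists the two entries that would fail the risk management standard: the unencrypted laptops with no owner, action or date, and the accepted fax risk with no written rationale.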
Step 6: Document and Maintain
Your SRA documentation must be retained for at least six years. It should include the date the assessment was conducted, the methodology used, the individuals who participated, the complete asset inventory, all identified threats and vulnerabilities, current security controls assessment, risk ratings and rationale, the risk management plan with remediation timelines, and evidence of management review and approval.
The SRA is not a one-time exercise. HIPAA requires ongoing risk management. Reassess whenever there is a significant change to your environment (new EHR system, office move, merger), after a security incident, when new threats emerge (such as a new ransomware variant targeting healthcare), and at minimum annually to ensure your assessment remains current.
Common SRA Mistakes That Trigger OCR Penalties
Using a checklist instead of a risk analysis: A yes/no compliance checklist is not a risk assessment. OCR expects a systematic analysis of threats, vulnerabilities, likelihood, and impact — not a list of checkboxes.
Limiting scope to the EHR: The SRA must cover all ePHI, not just your primary clinical system. Email, cloud storage, medical devices, and paper-to-digital workflows all fall within scope.
No risk management plan: Identifying risks without documenting a plan to address them fails the risk management standard. This is the most common gap OCR finds.
Failure to involve leadership: The SRA findings must be reviewed and accepted by organizational leadership. A risk assessment conducted by IT alone, without management buy-in, is incomplete.
Automate Your Risk Assessment with Medcurity
This template provides the framework, but conducting a thorough SRA manually is time-consuming and error-prone — especially for small-to-mid-size practices without dedicated compliance staff. Medcurity’s AI-powered SRA platform guides you through every step, automatically generates OCR-ready documentation, and provides ongoing risk management tracking so your assessment stays current year-round.
Organizations using Medcurity complete their initial SRA in a fraction of the time required for manual assessments, with documentation that meets OCR’s expectations from day one.