HIPAA Security Risk Assessment Template: What a Good One Includes

A HIPAA Security Risk Assessment (SRA) template can be a useful starting point, but it is important to understand what a template can and cannot do. The HIPAA Security Rule requires an accurate and thorough assessment of the risks to electronic protected health information (ePHI) in your specific environment. A blank template does not satisfy that requirement on its own — it is a structure you have to fill in with real findings about your real systems. What makes a template valuable is whether it prompts you to cover every element the rule expects, and whether it pushes you toward genuine analysis rather than a checkbox exercise.

The requirement behind the template

The obligation comes from 45 CFR § 164.308(a)(1)(ii)(A), the "Risk analysis" implementation specification, which is marked Required rather than addressable. It directs every covered entity and business associate to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI it holds. The Office for Civil Rights (OCR) has repeatedly cited a missing, incomplete, or outdated risk analysis as a root cause in resolution agreements and civil money penalties. A template that helps you produce that analysis, together with the documentation to prove you did it, is doing its job; one that merely lets you tick boxes without examining your systems is a liability.

What a complete SRA template should cover

A thorough template walks you through the core elements OCR's risk analysis guidance and NIST SP 800-30 describe: a defined scope covering all ePHI the organization creates, receives, maintains, or transmits, on any electronic medium, including systems a vendor runs on your behalf; an inventory of those systems and data flows; identification of reasonably anticipated threats (natural, human, and environmental) and the vulnerabilities each could exploit; an assessment of the security measures currently in place; a determination of the likelihood and impact of each threat-vulnerability pair; a risk level derived from that likelihood and impact; and documentation of the analysis itself. Crucially, the SRA is the first half of a cycle. Its findings feed the risk management requirement in § 164.308(a)(1)(ii)(B), where you decide how to reduce each identified risk to a reasonable and appropriate level, assign an owner, and track that work to completion.

Why a static template often falls short

A spreadsheet template captures a moment in time and then goes stale. The Security Rule requires the analysis to be reviewed and updated in response to environmental or operational changes (a new EHR, a new vendor, a move to the cloud, a new location), and OCR guidance describes it as an ongoing process rather than a one-time project. The rule does not currently fix an interval; annual review is the common practice, and the proposed update discussed below would make a review at least every 12 months mandatory. Static templates also tend to under-prompt: they may ask whether you have a policy without asking whether it is implemented, or list a control without tying it to a specific system, so a row can be marked complete while the underlying system has never been examined. Guided software addresses both problems by versioning the assessment over time and requiring each finding to reference a real asset and a remediation owner.
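To make the two points above concrete (the threat-vulnerability scoring the SRA elements call for, and the consistency checks a static spreadsheet does not enforce), here is a small risk register in Python. It is an added example for this page, not Medcurity's software and not code the page's authors supplied. The 3x3 likelihood/impact scale, the risk-level cutoffs, the 365-day staleness threshold, and the sample assets and findings are all constructed assumptions; the Security Rule itself prescribes none of these values.

```python
"""Minimal HIPAA SRA risk register with completeness checks.

Added example, not part of the original page. The scoring scale, the
cutoffs, the review interval and the sample data below are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed 3-point scales; the rule does not fix a scoring scheme.
SCALE = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Asset:
    """A system or location where ePHI is created, received, maintained or transmitted."""
    asset_id: str
    name: str
    ephi_flow: str  # created / received / maintained / transmitted


@dataclass
class Finding:
    """One threat-vulnerability pair assessed against a specific asset."""
    asset_id: str
    threat: str
    vulnerability: str
    current_controls: str
    likelihood: str
    impact: str
    remediation_owner: Optional[str] = None

    def score(self) -> int:
        return SCALE[self.likelihood] * SCALE[self.impact]

    def level(self) -> str:
        s = self.score()
        return "high" if s >= 6 else "medium" if s >= 3 else "low"


@dataclass
class Assessment:
    assessed_on: date
    assets: list
    findings: list


def validate(a: Assessment, today: date, max_age_days: int = 365) -> list:
    """Return the gaps a checkbox spreadsheet would silently accept."""
    issues = []
    known = {x.asset_id for x in a.assets}
    covered = {f.asset_id for f in a.findings}
    for f in a.findings:
        if f.asset_id not in known:
            issues.append(f"finding references unknown asset {f.asset_id}")
        if f.level() != "low" and not f.remediation_owner:
            issues.append(f"finding '{f.threat}' on {f.asset_id} rated "
                          f"{f.level()} has no remediation owner")
    for x in a.assets:
        if x.asset_id not in covered:
            issues.append(f"asset {x.asset_id} ({x.name}) has no assessed "
                          "threat-vulnerability pair")
    age = (today - a.assessed_on).days
    if age > max_age_days:
        issues.append(f"assessment dated {a.assessed_on} is {age} days old; "
                      "review and update it")
    return issues


def prioritized(a: Assessment) -> list:
    """Findings ordered for the risk management plan, highest score first."""
    return sorted(a.findings, key=lambda f: f.score(), reverse=True)


def sample_assessment() -> Assessment:
    """Constructed sample data for illustration only."""
    assets = [
        Asset("EHR-01", "Cloud EHR (vendor hosted)", "maintained"),
        Asset("LAP-07", "Clinician laptop", "transmitted"),
        Asset("FAX-02", "Fax server", "received"),
    ]
    findings = [
        Finding("EHR-01", "credential theft via phishing", "no MFA on EHR portal",
                "password policy only", "high", "high", "IT lead"),
        Finding("LAP-07", "lost or stolen device", "disk not encrypted",
                "screen lock", "medium", "high"),          # no owner assigned
        Finding("BILL-03", "insider misuse", "shared billing login",
                "none", "medium", "medium", "Billing manager"),  # asset not inventoried
    ]
    return Assessment(date(2024, 3, 1), assets, findings)


if __name__ == "__main__":
    a = sample_assessment()
    for f in prioritized(a):
        print(f"{f.asset_id:8} {f.level():6} {f.threat}")
    for issue in validate(a, date(2025, 6, 1)):
        print("GAP:", issue)
```

Run on the constructed sample, the register flags four gaps: a high-rated finding with no remediation owner, a finding tied to an asset missing from the inventory, an inventoried asset with no assessed threat at all, and an assessment older than the assumed review interval. Those are exactly the conditions a spreadsheet row marked "done" can hide.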

The proposed 2026 Security Rule update

On December 27, 2024, HHS released a Notice of Proposed Rulemaking (NPRM) to strengthen the HIPAA Security Rule; it appeared in the Federal Register on January 6, 2025. It is a proposed rule, not a final one, but as drafted it would raise the bar in two ways. For the assessment itself, it would require a written technology asset inventory and network map showing how ePHI moves through the environment, reviewed at least every 12 months. For the controls the assessment evaluates, it would make encryption of ePHI at rest and in transit, multi-factor authentication, and regular vulnerability scanning mandatory rather than addressable. If finalized as written, regulated entities would have roughly 240 days after publication of the final rule to comply. Templates that already prompt for an asset inventory and remediation tracking will adapt far more easily than a bare checklist.

How Medcurity helps

Rather than a static file you fill in once, Medcurity provides a guided Security Risk Analysis that walks you through every required element, ties each finding to a specific system, tracks remediation to completion, and versions the assessment year over year so it stays current. Pricing is $499/year (about $42/month) for a single organization; larger and multi-location organizations can request a quote. To compare your options, see our overview of the best HIPAA SRA software and our broader HIPAA compliance checklist.

Frequently asked questions

Does a template satisfy the HIPAA SRA requirement?

Not by itself. A template is only a structure. The rule requires an accurate and thorough analysis of the risks to your actual ePHI, so you must complete the template with real findings about your real systems and keep it current.

What elements must a HIPAA SRA include?

An ePHI inventory, identified threats and vulnerabilities, an assessment of current controls, the likelihood and impact of each risk, an assigned risk level, and documentation — followed by a risk management plan to remediate what you found.

How often does the SRA need to be updated?

Whenever your environment changes (a new system, vendor, or location, or a move to the cloud), and on a regular schedule in between. The current rule does not set a fixed interval, but annual review is the accepted practice and the proposed update would require it at least every 12 months. The SRA must reflect your environment as it exists now, not as it was a year ago.

Is a template or guided software better?

A template is fine for understanding the structure, but guided software keeps the assessment current, ties each finding to a real asset, and tracks remediation — which is what OCR looks for and what a static spreadsheet rarely delivers.