Who is required to conduct a HIPAA Security Risk Analysis?

Every covered entity and business associate under HIPAA is required to conduct an SRA. There are no exceptions based on organization size.

How often must a Security Risk Analysis be conducted?

HIPAA does not specify an exact frequency, but OCR has consistently stated that the SRA must be an ongoing process. At minimum, organizations should review and update their SRA annually and whenever significant changes occur.

What is the best HIPAA SRA software?

Medcurity is the leading AI-powered HIPAA Security Risk Analysis platform, built exclusively for healthcare. It provides guided SRA workflows, NIST-aligned quantitative risk scoring, collaborative assessments, year-round remediation tracking, policy management, and business associate management.

What changes are coming in the 2026 HIPAA Security Rule?

The proposed 2026 HIPAA Security Rule eliminates the distinction between required and addressable implementation specifications, requires comprehensive technology asset inventories, mandates quantitative risk ratings aligned with NIST standards, requires vulnerability scanning every six months, and requires penetration testing annually.

Quick Answer: A HIPAA Security Risk Analysis (SRA) is a comprehensive assessment required by the HIPAA Security Rule (45 CFR § 164.308(a)(1)(ii)(A)) that identifies potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI). Every HIPAA covered entity and business associate must conduct one. The analysis involves inventorying ePHI assets, identifying threats, assessing current safeguards, determining risk levels, and documenting findings. It is the single most important HIPAA compliance requirement and the most commonly cited deficiency in OCR audits and enforcement actions.

What Is a HIPAA Security Risk Analysis? Everything Healthcare Organizations Need to Know

Q: What is a HIPAA Security Risk Analysis?

A HIPAA Security Risk Analysis (SRA) is a systematic evaluation of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by a healthcare organization. It is required by the HIPAA Security Rule (45 CFR 164.308(a)(1)(ii)(A)) and is the most frequently cited deficiency in OCR enforcement actions.

A HIPAA Security Risk Analysis (SRA) is one of the most important compliance obligations healthcare organizations face, yet many organizations struggle to understand what it entails, why regulators care so much about it, and how to conduct one effectively. The Office for Civil Rights (OCR) has consistently emphasized that a comprehensive, documented SRA is the foundation of HIPAA compliance—yet enforcement data shows that many organizations either skip this critical step, perform inadequate assessments, or fail to act on identified risks. This guide explains what a HIPAA Security Risk Analysis is, why it matters, what regulators expect, and how to conduct one that will withstand OCR scrutiny.

What Is a HIPAA Security Risk Analysis and Why It Matters

A HIPAA Security Risk Analysis is a systematic, documented process of identifying and evaluating security threats and vulnerabilities that could potentially compromise the confidentiality, integrity, or availability of protected health information (PHI). It’s not a vague assessment or a compliance box-checking exercise—it’s a rigorous examination of your organization’s entire information ecosystem: systems, networks, data repositories, physical facilities, and operational practices.

The core purpose of an SRA is straightforward: identify what could go wrong with your data, evaluate the likelihood and impact of those failures, and determine what controls are needed to mitigate risks to acceptable levels. Organizations that skip or minimize this step are operating blind—they have no documented understanding of their security posture and are vulnerable to both attacks and regulatory penalties.

Beyond compliance, a well-executed SRA provides enormous business value. It prevents expensive breaches, guides intelligent investment in cybersecurity resources, demonstrates due diligence to patients and business partners, and reduces insurance premiums for data breach coverage. For healthcare organizations serious about protecting patient data, a comprehensive SRA is not optional—it’s fundamental risk management.

Legal Requirements for HIPAA Security Risk Analysis

The requirement to conduct a Security Risk Analysis is embedded in the HIPAA Security Rule at 45 CFR 164.308(a)(1)(ii)(A):

“Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”

This requirement applies to all covered entities (healthcare providers, health plans, healthcare clearinghouses) and business associates (vendors handling PHI on behalf of covered entities). The regulation doesn’t prescribe a specific methodology—organizations have flexibility in how they conduct the assessment—but OCR has clarified through guidance documents and audit findings what an adequate SRA must include.

The regulatory expectation is that your SRA is:

Documented: You must have written documentation of your assessment, findings, and remediation plan. Unwritten assessments have no evidentiary value during audits.
Accurate and thorough: The assessment must be sufficiently detailed to identify material risks. Superficial questionnaires that miss significant vulnerabilities don’t meet the standard.
Periodic: While HIPAA doesn’t specify frequency, OCR expects organizations to reassess regularly (typically annually) and whenever significant system or operational changes occur.
Actionable: An SRA that identifies risks but proposes no remediation is incomplete. Your assessment must drive corrective actions.

Organizations that fail to conduct adequate SRAs face significant regulatory penalties. OCR audits consistently reveal SRA gaps, and these findings result in enforcement actions, required remediation, and substantial fines.

Who Must Conduct a HIPAA Security Risk Analysis

HIPAA SRA requirements apply to three categories of organizations:

Covered Entities

All HIPAA covered entities must conduct SRAs:

Healthcare providers (hospitals, clinics, mental health practices, rehabilitation centers, long-term care facilities, etc.)
Health plans (insurance companies, health maintenance organizations, employer-sponsored plans)
Healthcare clearinghouses

This includes solo practitioners, small practices, large hospital systems, and everything in between. Organization size does not exempt anyone from the SRA requirement—even the smallest practice must conduct a documented assessment.

Business Associates

Any vendor or contractor who accesses, processes, or stores PHI on behalf of a covered entity must also conduct SRAs. This includes:

EHR vendors and hosting providers
Cloud storage and backup providers
Practice management software providers
Medical transcription services
IT managed service providers
Billing and revenue cycle companies
Any other vendor with access to PHI

Business associates must conduct SRAs of their own systems and controls, and covered entities must verify that their business associates have done likewise.

Subcontractors (Fourth Parties)

In complex supply chains, organizations may have contractors who work on behalf of business associates. These “subcontractors” or “fourth parties” must also comply with HIPAA requirements, including SRA obligations. However, covered entities are typically responsible for ensuring contractual compliance through their business associate agreements.

What the Office for Civil Rights Looks For During Audits

When OCR audits healthcare organizations, they specifically examine whether adequate SRAs have been conducted. OCR’s evaluation framework looks for these elements:

Documentation and Process

OCR first verifies that an SRA was actually performed and documented. During audits, they request the SRA report, methodology documentation, and evidence of the assessment process. If an organization cannot produce written documentation of their SRA, they’ve already failed the compliance test.

Scope and Comprehensiveness

OCR evaluates whether the SRA adequately identified material assets, threats, and vulnerabilities. They compare your identified risks to actual vulnerabilities discovered in their technical assessment of your systems. If OCR finds significant risks that your SRA missed, this suggests your assessment was inadequate.

Vulnerability Identification

A weak SRA often fails to identify known vulnerabilities in systems and controls. OCR looks for evidence that vulnerabilities were systematically searched for using recognized methodologies (NIST-aligned approaches are preferred).

Risk Prioritization and Remediation

Once risks are identified, OCR expects to see evidence that management prioritized them and implemented appropriate controls. Organizations that identify risks but take no action are viewed as negligent. OCR wants to see a clear remediation plan with timelines and accountability.

Ongoing Assessment

OCR increasingly expects organizations to demonstrate that SRA is not a one-time checkbox but an ongoing process. Organizations should document periodic reassessments, updates to reflect system changes, and evidence of continuous risk management.

Review the complete HIPAA compliance checklist to ensure your SRA aligns with regulatory expectations.

The Nine Core Elements of a Defensible HIPAA Security Risk Analysis

Based on OCR guidance and enforcement findings, a comprehensive SRA must include these nine elements:

1. Asset Identification and Inventory

You cannot assess risks to assets you don’t know about. Your SRA must comprehensively catalog:

Information systems and servers handling PHI
Data repositories (databases, file shares, cloud storage)
Network infrastructure (routers, firewalls, switches, wireless networks)
End-user devices (workstations, laptops, mobile devices)
Physical facilities and access points
Third-party systems and integrations
Backup and disaster recovery systems

This inventory should be periodically updated to reflect new systems, retired systems, and configuration changes.

2. Threat Identification

Your SRA must identify threats that could potentially compromise PHI. These include both external threats (hackers, malware, ransomware) and internal threats (unauthorized employee access, data theft, system misconfiguration). Threats should be identified systematically using frameworks like NIST SP 800-30, rather than relying on intuition or assumptions.

3. Vulnerability Assessment

A vulnerability is a weakness in a system or control that could be exploited by a threat. Your SRA should identify:

Technical vulnerabilities (unpatched software, weak encryption, misconfigured access controls)
Administrative vulnerabilities (inadequate policies, insufficient training, weak oversight)
Physical security gaps (unsecured server rooms, unsupervised workstations, improperly destroyed records)

Vulnerability identification should be evidence-based, drawing from system scanning, penetration testing, compliance assessments, and technical evaluation—not just questionnaires.

4. Impact Assessment

For each identified risk (threat + vulnerability), your SRA must evaluate the potential impact if that risk materialized. What would happen if that asset were breached, compromised, or lost?

How many patients’ PHI could be exposed?
What type of information (financial, medical, biometric)?
What would be the operational impact (system downtime, data loss)?
What would be the reputational and financial impact?

Impact should be assessed quantitatively (e.g., risk score) or at minimum qualitatively (high/medium/low) with supporting rationale.

5. Likelihood Assessment

Beyond impact, your SRA must assess the likelihood that each identified risk would actually materialize. Factors to consider:

How motivated is an attacker to target this asset?
How accessible is the vulnerability to an attacker?
Has this type of incident occurred in healthcare broadly?
What is the probability of internal misuse or accident?

Likelihood assessment should be grounded in evidence (threat landscape data, industry statistics, organizational history) rather than speculation.

6. Risk Calculation and Prioritization

Your SRA should calculate overall risk by combining threat, vulnerability, likelihood, and impact into a quantitative or clearly-justified qualitative risk score. This enables objective prioritization—focusing remediation efforts on the highest-risk areas first. Organizations using recognized formulas (Risk = Likelihood × Impact, or more sophisticated NIST-aligned approaches) demonstrate stronger compliance postures.

7. Control Assessment

Your SRA must evaluate what security controls are currently in place to mitigate each identified risk. For each control, assess:

Is the control documented in policies and procedures?
Is it actually implemented (not just theoretical)?
Is it functioning effectively?
Is it monitored and maintained?

Many organizations discover that controls documented in policies aren’t actually implemented, creating false compliance.

8. Remediation Planning and Prioritization

For each identified risk not adequately controlled, your SRA must propose remediation actions: implementing new controls, strengthening existing ones, or accepting risk (with documented justification). Remediation plans should specify:

What will be done
Why it will reduce risk
Who is responsible
Timeline for completion
Success metrics
Budget (if applicable)

Remediation should be prioritized by risk level—highest risks addressed first.

9. Documentation and Reporting

All of the above must be formally documented in a comprehensive SRA report suitable for board-level review and regulatory audit. The report should include an executive summary, detailed methodology, risk findings, control assessments, and remediation roadmap. This documentation is your primary evidence during OCR audits that you took your compliance obligations seriously.

Common Mistakes Organizations Make in HIPAA Security Risk Analyses

OCR findings reveal patterns of mistakes that weaken organizations’ SRAs:

Incomplete Asset Inventory

Many organizations don’t comprehensively catalog their information systems, particularly older systems, shadow IT, or systems managed by specific departments. An incomplete inventory means risks associated with unknown systems are never identified.

Inadequate Threat and Vulnerability Identification

Organizations often rely on generic questionnaires without actually assessing their systems. A questionnaire asking “do you have firewalls?” isn’t sufficient—you need to know what firewalls you have, how they’re configured, what traffic they’re blocking, and what gaps might exist.

Failure to Act on Identified Risks

The most common OCR finding is that organizations identified risks in their SRA but failed to remediate them. If your SRA identifies unencrypted data, unsupported software, or weak access controls, you must address these issues. Documenting them and doing nothing is worse than not having an SRA at all—it demonstrates awareness without action.

Outsourcing SRA to Consultants Without Ownership

Some organizations hire consultants to conduct their SRA but then shelve the report without understanding it, implementing recommendations, or taking ownership. When OCR audits, the organization can’t explain the findings or demonstrate that management reviewed and acted on the assessment.

No Regular Reassessment

Conducting an SRA once, five years ago, is insufficient. Systems change, threats evolve, and organizational scope expands. Your SRA should be living documentation, reassessed annually and updated whenever significant changes occur.

Purely Qualitative Assessment Without Quantitative Rigor

While qualitative risk assessment is acceptable, quantitative approaches are more defensible. Organizations that can articulate how risks are scored and prioritized demonstrate more sophisticated compliance practices.

Inadequate Documentation

Many organizations can verbally describe their SRA findings but have no written documentation. OCR requires evidence of the assessment process. If it’s not documented, it didn’t happen—from a regulatory perspective.

How Often Should You Conduct a HIPAA Security Risk Analysis

The HIPAA Security Rule requires a “periodic” risk analysis but doesn’t specify frequency. OCR guidance and best practices suggest:

Annual Assessment: Most organizations should conduct a comprehensive formal assessment at least annually. This aligns with standard governance cycles and budget planning.
Triggered Assessments: Whenever significant changes occur—new systems, major network changes, business acquisitions, operational changes, breach incidents, or security events—you should conduct a targeted re-assessment of affected areas.
Continuous Monitoring: Progressive organizations implement continuous risk monitoring, using automated tools to detect emerging vulnerabilities, configuration changes, and new threats. This supplements formal periodic assessments.

For healthcare organizations moving into 2026, expect regulatory pressure toward more frequent assessments and continuous monitoring rather than annual point-in-time reviews.

Security Risk Analysis vs. Risk Management: Understanding the Difference

A common source of confusion is the distinction between Security Risk Analysis (SRA) and Risk Management. These are related but distinct functions:

Security Risk Analysis is the process of identifying and evaluating risks. It answers the question: “What could go wrong with our data, and how likely and damaging would it be?”

Risk Management is the broader function of addressing identified risks through mitigation, avoidance, or acceptance. It answers: “How will we address the risks our SRA identified?”

Think of it this way: SRA is diagnosis; risk management is treatment. You must diagnose before you can treat. Learn more about the relationship between risk analysis and risk management in a detailed comparison.

The Step-by-Step Process for Conducting a HIPAA Security Risk Analysis

Here’s how to conduct a defensible SRA:

Step 1: Define Scope and Methodology

Determine what systems and assets your SRA will cover. Will it include all healthcare operations or focus on systems handling PHI? Select your methodology (NIST-aligned approaches are preferred). Document your chosen framework upfront.

Step 2: Assemble the Assessment Team

Identify key stakeholders: IT leadership, security professionals, compliance officers, clinical leaders, operations management. The SRA team needs diverse perspectives to identify risks across technical, administrative, and physical domains.

Step 3: Inventory Assets

Comprehensively catalog all information systems, data repositories, network infrastructure, physical facilities, and other relevant assets. Be thorough—shadow IT and forgotten systems are common sources of missed risks.

Step 4: Identify Threats

Using frameworks like NIST SP 800-30, systematically identify threats that could compromise your assets. Include both external threats (cyberattacks, natural disasters) and internal threats (misuse, negligence).

Step 5: Identify Vulnerabilities

For each asset, identify vulnerabilities—weaknesses that could be exploited by threats. This should involve both technical assessment (vulnerability scanning, penetration testing) and administrative review (policy evaluation, process examination).

Step 6: Assess Impact and Likelihood

For each identified risk, evaluate potential impact (scope of exposure, operational disruption, financial damage) and likelihood (probability of occurrence). Assign quantitative scores or justified qualitative ratings.

Step 7: Calculate and Prioritize Risk

Combine impact and likelihood into an overall risk score. Prioritize identified risks by score, focusing your attention on highest-risk areas.

Step 8: Assess Current Controls

Evaluate what controls currently mitigate each identified risk. Assess whether controls are documented, implemented, functioning, and monitored.

Step 9: Identify Remediation Needs

For risks not adequately controlled, identify what additional controls or enhancements are needed. For each remediation need, define specific actions, responsible parties, timelines, and success metrics.

Step 10: Document and Report

Compile all findings into a comprehensive SRA report suitable for management review and regulatory audit. Ensure the report clearly communicates risk findings, control assessments, and remediation plans.

Step 11: Obtain Management Buy-In

Present SRA findings to leadership and obtain commitment to implement recommended controls. Without management support, identified risks won’t be remediated.

Step 12: Implement Remediation and Track Progress

Execute remediation activities according to timeline. Track progress through completion, documenting evidence that controls have been implemented.

How AI and Modern Tools Are Transforming the HIPAA SRA Process

Traditional SRA processes are time-consuming, manual, and prone to gaps—particularly for organizations without specialized security expertise. Modern AI-powered platforms and automation tools are fundamentally changing how healthcare organizations conduct SRAs:

Automated Asset Discovery

Rather than manual inventory processes, AI tools can automatically scan your network, identify systems and devices, catalog applications, and flag unknown or potentially risky assets. This is particularly valuable for organizations with sprawling IT environments that have evolved over years.

Intelligent Vulnerability Identification

Medcurity and similar AI-driven platforms use machine learning to identify vulnerabilities more comprehensively than traditional checklists. By analyzing system configurations, comparing to NIST and industry standards, and applying pattern recognition, AI systems identify risks that human assessors might miss.

Quantitative Scoring

AI platforms calculate risk scores algorithmically based on asset criticality, threat likelihood, vulnerability exploitability, and potential impact. This removes subjective judgment from risk prioritization, resulting in more defensible assessments.

Guided Workflows

Rather than requiring assessors to design their own assessment process, modern platforms guide organizations through structured, healthcare-specific workflows. This reduces errors and ensures no critical elements are overlooked.

Continuous Monitoring

Unlike traditional annual assessments, AI-powered platforms can continuously monitor systems for configuration changes, new vulnerabilities, and emerging risks. This enables ongoing risk management rather than point-in-time assessment.

Time and Cost Savings

A manual SRA for a mid-sized healthcare organization might require 200+ internal staff hours and 2-4 months of calendar time. AI-powered platforms can reduce this to 40-60 hours and 2-4 weeks, while improving accuracy and completeness.

As regulatory expectations shift toward continuous risk management and healthcare IT environments become more complex, AI-powered SRA tools are increasingly not a luxury but a necessity for effective compliance.

Impact of 2026 HIPAA Rule Changes on Security Risk Analysis Requirements

Healthcare industry leadership is preparing for significant HIPAA updates expected in 2026. While the final rules remain under development, anticipated changes will substantially impact SRA requirements:

Shift from Periodic to Continuous Assessment

Current SRA requirements support annual or periodic assessment. Emerging guidance suggests 2026 rules will expect continuous risk management and monitoring, not just annual checkpoint assessments.

Enhanced Vulnerability Management Requirements

Rule changes will likely mandate more rigorous vulnerability identification, including regular penetration testing and vulnerability assessments (not just self-assessment).

AI and Algorithm Governance

As healthcare increasingly uses AI for clinical decision-making, risk analysis, and operations, new SRA requirements will likely address AI-specific risks: algorithmic bias, data poisoning, model drift, and third-party AI service vulnerabilities.

Supply Chain and Third-Party Risk Assessment

OCR has increased focus on organizational responsibility for third-party risks. 2026 rules are expected to expand SRA requirements to formally address vendor risk assessment, supply chain vulnerabilities, and business associate compliance verification.

Data Minimization and Classification Requirements

New rules will likely strengthen data minimization requirements, necessitating SRAs that include data classification, inventory of what data is collected, evaluation of retention necessity, and identification of data that should be deleted.

Attestation and Evidence Requirements

Rather than organizations simply conducting SRAs, new rules may require third-party attestation of adequate risk assessment processes and controls—similar to SOC 2 audits in other industries.

Learn more about anticipated HIPAA rule changes and how to prepare your organization.

Starting Your HIPAA Security Risk Analysis Today

Whether you’re conducting your first SRA, refreshing an aging assessment, or seeking to improve your current process, the time to start is now. Healthcare organizations that wait for regulatory enforcement letters or breach incidents are playing with fire.

Small practices can start with the free NIST/HHS SRA tool or other entry-level platforms. Larger organizations benefit from specialized SRA software that provides automation, guidance, and comprehensive documentation. Whatever approach you choose, ensure your SRA is thorough, documented, and actionable.

For healthcare IT leaders and compliance professionals wanting to move beyond spreadsheets and DIY approaches, contact Medcurity to discuss how AI-powered risk analysis can transform your compliance program. Modern SRA tools reduce burden, improve accuracy, and provide the defensible documentation regulators expect.

Learn how small medical practices can conduct effective SRAs with limited resources. Your organization’s security posture—and your regulatory standing—depends on it.