Security Risk Assessment Guide
Step-by-step instructions for conducting your required annual security risk assessment.
What is a Security Risk Assessment?
A Security Risk Assessment (SRA) is a systematic process to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI). Under HIPAA, all covered entities and business associates are required to conduct regular risk assessments.
Why is the SRA Required?
The HIPAA Security Rule specifically requires covered entities to:
"Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity." — 45 CFR § 164.308(a)(1)(ii)(A)
Failure to conduct an SRA is one of the most common HIPAA violations cited by the Office for Civil Rights (OCR) in enforcement actions.
When Should You Conduct an SRA?
- Initially when implementing HIPAA compliance
- Quarterly for practices with 50+ employees (2026 requirement)
- Annually for smaller practices (minimum requirement)
- When significant changes occur, such as:
  - New technology implementations
  - Changes to facility or operations
  - Security incidents or breaches
  - Organizational changes
Step-by-Step SRA Process
Step 1: Define the Scope
Before starting your assessment, clearly define what you're assessing:
Identify all ePHI:
- Where is ePHI created, received, stored, or transmitted?
- What systems contain ePHI?
- Who has access to ePHI?
Document your environment:
- Hardware inventory (computers, servers, mobile devices)
- Software applications that handle ePHI
- Network infrastructure
- Physical locations where ePHI is accessed
Step 2: Identify Potential Threats
Threats are potential events that could harm ePHI. Common threats include:
Natural Threats:
- Floods
- Earthquakes
- Severe weather
- Fire
Human Threats (Unintentional):
- Employee errors
- Lost devices
- Improper disposal
- Accidental disclosure
Human Threats (Intentional):
- Hacking/cyber attacks
- Malware/ransomware
- Insider threats
- Social engineering
- Theft
Environmental Threats:
- Power failures
- Hardware failures
- Network outages
- Software bugs
Step 3: Identify Vulnerabilities
Vulnerabilities are weaknesses that could be exploited. Assess vulnerabilities in:
Administrative Areas:
- Lack of written policies
- Insufficient training
- No designated Security Officer
- Missing Business Associate Agreements
Physical Areas:
- Unlocked facilities
- Unattended workstations
- Improper disposal of media
- Lack of visitor controls
Technical Areas:
- Weak passwords
- Unpatched systems
- Lack of encryption
- No firewall protection
- Missing antivirus software
- No audit logging
Step 4: Assess Current Security Measures
Document what safeguards you currently have in place:
- Access controls
- Authentication mechanisms
- Encryption implementations
- Backup procedures
- Incident response plans
- Training programs
- Physical security measures
Step 5: Determine Likelihood of Threat Occurrence
For each threat-vulnerability combination, assess the likelihood:
| Rating | Description |
|---|---|
| High | The threat source is highly motivated and capable, and controls are ineffective |
| Medium | The threat source is motivated and capable, but controls may impede success |
| Low | The threat source lacks motivation or capability, or controls prevent success |
Step 6: Determine Potential Impact
Assess the impact if a threat successfully exploits a vulnerability:
| Rating | Description |
|---|---|
| High | Could result in significant harm, major financial loss, or severe damage to reputation |
| Medium | Could result in moderate harm, financial loss, or damage to reputation |
| Low | Could result in minimal harm, limited financial loss, or minor reputation impact |
Step 7: Calculate Risk Level
Combine likelihood and impact to determine overall risk:
| Likelihood/Impact | High Impact | Medium Impact | Low Impact |
|---|---|---|---|
| High Likelihood | Critical | High | Medium |
| Medium Likelihood | High | Medium | Low |
| Low Likelihood | Medium | Low | Low |
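As an added example (not part of the original guide), here are the Step 5-7 ratings and the Step 7 matrix encoded in Python and applied to a constructed sample risk register; the threat and vulnerability names are drawn from the guide's Step 2-3 lists, but the likelihood and impact ratings are assumptions chosen for illustration only.

```python
from dataclasses import dataclass

# Risk matrix exactly as defined in Step 7 of this guide: (likelihood, impact) -> risk level.
RISK_MATRIX = {
    ("High", "High"): "Critical", ("High", "Medium"): "High",   ("High", "Low"): "Medium",
    ("Medium", "High"): "High",   ("Medium", "Medium"): "Medium", ("Medium", "Low"): "Low",
    ("Low", "High"): "Medium",    ("Low", "Medium"): "Low",      ("Low", "Low"): "Low",
}
RATINGS = ("High", "Medium", "Low")            # the only ratings Steps 5 and 6 define
RISK_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}   # for prioritising remediation


@dataclass
class RiskItem:
    threat: str
    vulnerability: str
    likelihood: str   # Step 5 rating
    impact: str       # Step 6 rating


def risk_level(likelihood: str, impact: str) -> str:
    """Look up the overall risk for one threat-vulnerability pair (Step 7)."""
    if likelihood not in RATINGS or impact not in RATINGS:
        raise ValueError(f"ratings must be one of {RATINGS}: got {likelihood!r}, {impact!r}")
    return RISK_MATRIX[(likelihood, impact)]


def rank_register(items):
    """Return (threat, vulnerability, risk) tuples, highest risk first, for the Step 8 action plan."""
    scored = [(i.threat, i.vulnerability, risk_level(i.likelihood, i.impact)) for i in items]
    return sorted(scored, key=lambda row: RISK_ORDER[row[2]])


# Constructed sample register (ratings are illustrative assumptions, not real findings).
SAMPLE_REGISTER = [
    RiskItem("Malware/ransomware", "Unpatched systems", "High", "High"),
    RiskItem("Lost devices", "Lack of encryption", "Medium", "High"),
    RiskItem("Insider threats", "No audit logging", "Low", "High"),
    RiskItem("Accidental disclosure", "Insufficient training", "Medium", "Medium"),
    RiskItem("Theft", "Unlocked facilities", "Low", "Low"),
]

if __name__ == "__main__":
    for threat, vulnerability, level in rank_register(SAMPLE_REGISTER):
        print(f"{level:<9} {threat} via {vulnerability}")
```

Rejecting ratings outside High/Medium/Low keeps the register consistent with the three-level scales the guide defines, so every row can be traced back to the matrix during OCR review.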
Step 8: Develop Remediation Plan
For each identified risk, determine appropriate action:
- Accept: Risk is acceptable given current controls
- Mitigate: Implement additional controls to reduce risk
- Transfer: Use insurance or third parties to share risk
- Avoid: Eliminate the activity creating the risk
Create an action plan with:
- Specific remediation steps
- Responsible parties
- Target completion dates
- Resource requirements
Step 9: Document Everything
Your SRA documentation should include:
- Scope definition - What was assessed
- Methodology - How the assessment was conducted
- Findings - Identified threats, vulnerabilities, and risks
- Risk ratings - Likelihood, impact, and overall risk
- Current controls - Existing safeguards
- Recommendations - Proposed remediation actions
- Action plan - Timeline and responsibilities
- Sign-off - Management approval
Common SRA Mistakes to Avoid
- Not documenting the process - OCR needs to see evidence
- Only focusing on technical risks - Include administrative and physical
- Not involving key stakeholders - Get input from across the organization
- Treating it as a one-time event - Risk assessment is ongoing
- Not following up on findings - Implement your remediation plan
- Using generic templates without customization - Tailor to your environment
Tools and Resources
HHS Security Risk Assessment Tool: The Office for Civil Rights provides a free downloadable SRA tool at healthit.gov.
HIPAA Agent: Automates the SRA process with AI-guided questions, automatic documentation, and remediation tracking.
After the Assessment
Once complete, your SRA should drive:
- Policy updates
- Training improvements
- Technology investments
- Procedure modifications
- Ongoing monitoring
Remember: The SRA is not just a compliance checkbox—it's a critical tool for actually protecting your patients' information and your practice.