Security Risk Assessment Guide
Step-by-step instructions for conducting your required annual security risk assessment.
What is a Security Risk Assessment?
A Security Risk Assessment (SRA) is a systematic process to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI). Under HIPAA, all covered entities and business associates are required to conduct regular risk assessments.
Why is the SRA Required?
The HIPAA Security Rule specifically requires covered entities to:
"Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity." — 45 CFR § 164.308(a)(1)(ii)(A)
Failure to conduct an SRA is one of the most common HIPAA violations cited by the Office for Civil Rights (OCR) in enforcement actions.
When Should You Conduct an SRA?
- Initially when implementing HIPAA compliance
- Quarterly for practices with 50+ employees (2026 requirement)
- Annually for smaller practices (minimum requirement)
- When significant changes occur, such as:
  - New technology implementations
  - Changes to facility or operations
  - Security incidents or breaches
  - Organizational changes
Step-by-Step SRA Process
Step 1: Define the Scope
Before starting your assessment, clearly define what you're assessing:
Identify all ePHI:
- Where is ePHI created, received, stored, or transmitted?
- What systems contain ePHI?
- Who has access to ePHI?
Document your environment:
- Hardware inventory (computers, servers, mobile devices)
- Software applications that handle ePHI
- Network infrastructure
- Physical locations where ePHI is accessed
Step 2: Identify Potential Threats
Threats are potential events that could harm ePHI. Common threats include:
Natural Threats:
- Floods
- Earthquakes
- Severe weather
- Fire
Human Threats (Unintentional):
- Employee errors
- Lost devices
- Improper disposal
- Accidental disclosure
Human Threats (Intentional):
- Hacking/cyber attacks
- Malware/ransomware
- Insider threats
- Social engineering
- Theft
Environmental Threats:
- Power failures
- Hardware failures
- Network outages
- Software bugs
Step 3: Identify Vulnerabilities
Vulnerabilities are weaknesses that could be exploited. Assess vulnerabilities in:
Administrative Areas:
- Lack of written policies
- Insufficient training
- No designated Security Officer
- Missing Business Associate Agreements
Physical Areas:
- Unlocked facilities
- Unattended workstations
- Improper disposal of media
- Lack of visitor controls
Technical Areas:
- Weak passwords
- Unpatched systems
- Lack of encryption
- No firewall protection
- Missing antivirus software
- No audit logging
Step 4: Assess Current Security Measures
Document what safeguards you currently have in place:
- Access controls
- Authentication mechanisms
- Encryption implementations
- Backup procedures
- Incident response plans
- Training programs
- Physical security measures
Step 5: Determine Likelihood of Threat Occurrence
For each threat-vulnerability combination, assess the likelihood:
| Rating | Description |
|---|---|
| High | The threat source is highly motivated and capable, and controls are ineffective |
| Medium | The threat source is motivated and capable, but controls may impede success |
| Low | The threat source lacks motivation or capability, or controls prevent success |
Step 6: Determine Potential Impact
Assess the impact if a threat successfully exploits a vulnerability:
| Rating | Description |
|---|---|
| High | Could result in significant harm, major financial loss, or severe damage to reputation |
| Medium | Could result in moderate harm, financial loss, or damage to reputation |
| Low | Could result in minimal harm, limited financial loss, or minor reputation impact |
Step 7: Calculate Risk Level
Combine likelihood and impact to determine overall risk:
| Likelihood/Impact | High Impact | Medium Impact | Low Impact |
|---|---|---|---|
| High Likelihood | Critical | High | Medium |
| Medium Likelihood | High | Medium | Low |
| Low Likelihood | Medium | Low | Low |
Step 8: Develop Remediation Plan
For each identified risk, determine appropriate action:
- Accept: Risk is acceptable given current controls
- Mitigate: Implement additional controls to reduce risk
- Transfer: Use insurance or third parties to share risk
- Avoid: Eliminate the activity creating the risk
Create an action plan with:
- Specific remediation steps
- Responsible parties
- Target completion dates
- Resource requirements
Step 9: Document Everything
Your SRA documentation should include:
- Scope definition - What was assessed
- Methodology - How the assessment was conducted
- Findings - Identified threats, vulnerabilities, and risks
- Risk ratings - Likelihood, impact, and overall risk
- Current controls - Existing safeguards
- Recommendations - Proposed remediation actions
- Action plan - Timeline and responsibilities
- Sign-off - Management approval
Common SRA Mistakes to Avoid
- Not documenting the process - OCR needs to see evidence
- Only focusing on technical risks - Include administrative and physical
- Not involving key stakeholders - Get input from across the organization
- Treating it as a one-time event - Risk assessment is ongoing
- Not following up on findings - Implement your remediation plan
- Using generic templates without customization - Tailor to your environment
Tools and Resources
HHS Security Risk Assessment Tool: The Office for Civil Rights provides a free downloadable SRA tool at healthit.gov. It walks you through each Security Rule requirement manually, but requires significant time and HIPAA expertise to complete correctly.
HIPAA Agent: Designed specifically for practices that need to complete their SRA without hiring a consultant. HIPAA Agent automates the entire process — AI-guided questions adapted to your practice type, automatic documentation that satisfies OCR requirements, real-time compliance scoring via the HIPAA Agent Compliance Score™, and built-in remediation tracking so nothing falls through the cracks. Most practices complete their full SRA in under an hour instead of the typical 20-40 hours with manual tools. Check your current compliance posture for free or learn more about automated policy generation.
After the Assessment
Once complete, your SRA should drive:
- Policy updates based on identified gaps
- Training improvements targeting workforce vulnerabilities
- Technology investments prioritized by risk severity
- Procedure modifications with assigned owners and deadlines
- Ongoing monitoring to catch new risks as they emerge
The practices that get the most value from their SRA are those that treat it as a living document — reviewing quarterly, updating when systems change, and tracking remediation progress continuously rather than scrambling once a year.
Remember: The SRA is not just a compliance checkbox — it's a critical tool for actually protecting your patients' information and your practice.
How HIPAA Agent Helps with Your Security Risk Assessment
The Security Risk Assessment is the single most important — and most frequently cited — HIPAA compliance requirement. Yet most practices struggle with it because traditional SRA methods require 20-40 hours of manual work and deep HIPAA expertise. HIPAA Agent eliminates this burden entirely. Our SRA process starts with a 27-question guided email interview tailored to your practice type, while our 83-tool external scan and 12-phase internal network assessment automatically gather the technical evidence that typically consumes the majority of SRA time. Together, these automated assessments auto-fill approximately 60% of SRA responses, letting you complete your full annual SRA in under an hour.
Every completed SRA is delivered as an OCR-ready signed PDF covering all five HIPAA safeguard categories: Administrative, Physical, Technical, Organizational, and Policies & Procedures. The document is SHA-256 hashed and blockchain-anchored on Base L2, creating an immutable, timestamped record that proves exactly when your assessment was completed — critical evidence during an OCR investigation. Beyond the assessment itself, HIPAA Agent provides a detailed gap analysis with a prioritized remediation plan, so you know exactly what to fix and in what order.
Key Features
- 27-question guided interview — AI-adapted questions specific to your practice type, delivered via email for maximum convenience
- Automated data collection — 83-tool external scan + 12-phase internal network assessment auto-fill ~60% of responses
- All 5 safeguard categories — Administrative, Physical, Technical, Organizational, and Policies & Procedures fully covered
- OCR-ready signed PDF — formatted to satisfy Office for Civil Rights documentation requirements
- Blockchain-anchored proof — SHA-256 hash anchored on Base L2 provides immutable timestamp of completion
- Gap analysis — detailed findings with risk ratings mapped to specific HIPAA Security Rule sections
- Remediation plan — prioritized action items with assigned owners and recommended timelines
- Annual renewal reminders — never miss your annual SRA deadline again
- Included with Concierge — SRA is part of the Concierge plan at $299/mo billed annually
Stop spending weeks on your Security Risk Assessment. Check your current compliance posture for free at hipaaagent.ai/check or book a consultation to learn how HIPAA Agent can complete your SRA in a fraction of the time.
Ready to Automate Your Compliance?
HIPAA Agent handles all of this for you automatically.