The HIPAA Security Risk Assessment: What It Is and How to Do One
Published May 3, 2026
The Security Risk Assessment (SRA) is the foundational document of any HIPAA compliance program — and it's the single most common missing item in OCR enforcement actions. Required under 45 CFR § 164.308(a)(1)(ii)(A), the SRA is a written analysis of the risks to the confidentiality, integrity, and availability of your electronic PHI. Without one, you cannot defensibly claim to comply with the Security Rule. Here's what it has to cover.
What the regulation actually requires
45 CFR § 164.308(a)(1)(ii)(A) requires covered entities to conduct an "accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information." The companion provision at 164.308(a)(1)(ii)(B) requires you to then implement security measures sufficient to reduce those risks to a reasonable and appropriate level.
There is no specific format the SRA must follow, but it must be documented in writing and reviewed periodically (HHS guidance recommends annually, or after any material change in operations).
The nine domains a complete SRA covers
HHS publishes a free SRA Tool (version 3.6 at the time of writing) that walks through the standard domains. A complete SRA addresses:
1. Administrative safeguards — workforce training, sanction policies, contingency planning
2. Physical safeguards — facility access controls, workstation security, device disposal
3. Technical safeguards — access controls, audit logging, encryption, authentication
4. Organizational requirements — BAAs, group health plan requirements
5. Documentation requirements — written policies and procedures
6. Asset inventory — what systems hold ePHI
7. Threat identification — internal and external threats to those assets
8. Vulnerability identification — weaknesses in your safeguards
9. Risk determination — likelihood and impact of each threat-vulnerability pair
Why small practices skip it (and why that's expensive)
The HHS SRA Tool is built for IT departments. A solo dentist or small group practice opening it for the first time faces a 156-question questionnaire about firewall configurations, audit log retention policies, and BCP/DR (business continuity and disaster recovery) plans. Most close the tool and never finish.
This is why the SRA is the #1 most-cited missing document in OCR enforcement actions. The willful-neglect minimum fine starts at $50,000 — multiples of what a compliant SRA would have cost to produce.
What a defensible SRA looks like for a small practice
For a 1-5 person practice, a defensible SRA is typically 8-15 pages. It documents:
• An inventory of every system that holds ePHI (EHR, imaging, billing software, individual workstations, mobile devices, cloud services)
• The administrative, physical, and technical safeguards currently in place for each
• The specific gaps identified and the planned remediation steps
• The risk rating (critical/high/medium/low) for each gap
• Signed acknowledgment by the Privacy Officer and Security Officer (who in a solo practice is the practitioner)
• A review date and a commitment to annual review
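The risk-determination domain (likelihood and impact of each threat-vulnerability pair) and the per-gap rating in the list above are the one part of the SRA that is a calculation rather than a policy statement. The following Python is an added example, not HHS's SRA Tool and not TrackHIPAA's wizard: it takes an inventory of threat-vulnerability pairs per ePHI asset, scores each as likelihood x impact, assigns the critical/high/medium/low rating, and renders the register section of the written document. The 3x3 scale, the rating thresholds, and the sample inventory are assumptions constructed for illustration.

```python
# Added example (not HHS's SRA Tool, not TrackHIPAA's wizard): the
# risk-determination step of an SRA as likelihood x impact scoring.
# The 3x3 scale, thresholds and sample data below are assumptions.
from dataclasses import dataclass, asdict

# Qualitative scale mapped to integers (assumed three-level scale).
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class RiskItem:
    """One threat-vulnerability pair for one ePHI asset from the inventory."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str   # "low" | "medium" | "high"
    impact: str       # "low" | "medium" | "high"
    remediation: str  # planned remediation step for this gap

    def __post_init__(self):
        # Reject a typo in the scale instead of silently mis-rating the gap.
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if value not in LEVELS:
                raise ValueError(f"{name} must be one of {sorted(LEVELS)}, got {value!r}")

    @property
    def score(self) -> int:
        return LEVELS[self.likelihood] * LEVELS[self.impact]


def rate(score: int) -> str:
    """Map a likelihood x impact product (1..9) to the four ratings.
    Thresholds are an assumption for this example, not an HHS definition."""
    if score >= 9:
        return "critical"
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def build_register(items):
    """Return the risk register as plain dicts, highest-scoring gap first."""
    rows = []
    for item in items:
        row = asdict(item)
        row["score"] = item.score
        row["rating"] = rate(item.score)
        rows.append(row)
    rows.sort(key=lambda r: (-r["score"], r["asset"]))
    return rows


def summarize(register):
    """Count gaps per rating, for the SRA's summary page."""
    counts = {"critical": 0, "high": 0, "medium": 0, "low": 0}
    for row in register:
        counts[row["rating"]] += 1
    return counts


def render(register) -> str:
    """Plain-text register section suitable for pasting into the written SRA."""
    lines = ["Risk register (likelihood x impact)", ""]
    for i, r in enumerate(register, 1):
        lines.append(f"{i}. [{r['rating'].upper()}] {r['asset']}: {r['threat']}")
        lines.append(f"   Vulnerability: {r['vulnerability']}")
        lines.append(f"   Likelihood {r['likelihood']}, impact {r['impact']} (score {r['score']})")
        lines.append(f"   Remediation: {r['remediation']}")
    return "\n".join(lines)


# Constructed sample inventory for a small practice (illustrative values only).
SAMPLE_ITEMS = [
    RiskItem("EHR server", "ransomware", "backups sit on the same network with no offline copy",
             "high", "high", "add offline/immutable backups and test a restore"),
    RiskItem("Clinician smartphone", "loss or theft", "no device encryption or remote wipe",
             "medium", "high", "enforce full-disk encryption and MDM remote wipe"),
    RiskItem("Cloud backup service", "unauthorized account access", "shared password, no MFA",
             "medium", "high", "individual accounts with MFA, rotate the shared credential"),
    RiskItem("Billing workstation", "malware via email attachment", "no endpoint protection, daily use as local admin",
             "medium", "medium", "deploy endpoint protection, use a standard user account"),
    RiskItem("Front desk workstation", "screen visible to waiting room", "no privacy filter, no auto-lock",
             "high", "low", "privacy filter and 5-minute screen lock"),
    RiskItem("Imaging server", "hardware failure", "vendor-maintained, restore tested quarterly",
             "low", "medium", "keep quarterly restore test on the review calendar"),
]

if __name__ == "__main__":
    register = build_register(SAMPLE_ITEMS)
    print(render(register))
    print(summarize(register))
```

Keeping the register as data (rather than prose only) makes the annual review a diff of last year's items against this year's, which is exactly the "reviewed periodically" evidence OCR asks for.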
TrackHIPAA's SRA wizard generates this for small practices in about 30 minutes — the questions are scoped to a small-practice context, and the output is the written document OCR expects.
Key takeaways
- The SRA is required under 45 CFR § 164.308(a)(1)(ii)(A)
- 75% of OCR enforcement actions cite a missing or inadequate SRA
- It must be documented in writing and reviewed at least annually
- Nine standard domains: administrative, physical, technical safeguards plus organizational, documentation, inventory, threats, vulnerabilities, risks
- A small-practice SRA is typically 8-15 pages and takes 30-60 minutes with the right tool