HIPAA Security Risk Assessments: What They Are and Why They Matter

  • gillisangela
  • 11 hours ago
  • 7 min read
[Image: Clinic leadership team discussing systems, vendors, and policies during a security risk assessment planning meeting]

Last updated: November 2025


A HIPAA Security Risk Assessment is a structured review of how your organization creates, receives, maintains, and transmits electronic protected health information (ePHI), and where that information is at risk. Under the HIPAA Security Rule, covered entities and business associates are required to conduct an accurate and thorough risk analysis and manage those risks to a reasonable and appropriate level.


The Office for Civil Rights (OCR) at the US Department of Health and Human Services has launched specific enforcement initiatives focused on risk analysis and has announced multiple Resolution Agreements where failure to perform a meaningful Security Risk Assessment was a central finding.


So yes, Security Risk Assessments are required. But if you stop at “it is required,” you miss the real value.


Done well, a Security Risk Assessment is one of the best planning tools you have. It helps you understand how your organization actually works, how much risk you are carrying, and where to focus limited time and budget.


What is a HIPAA Security Risk Assessment?


A HIPAA Security Risk Assessment (also called a Security Risk Analysis or SRA) is a structured way to answer a few important questions:


  • Where does ePHI live in our organization?

  • How does it move between people, systems, locations, and vendors?

  • What could realistically go wrong, and how serious would that be?

  • What safeguards do we already have in place?

  • Where are the biggest gaps between our current risk and our risk tolerance?


The HIPAA Security Rule calls this the risk analysis implementation specification at 45 CFR 164.308(a)(1)(ii)(A). It does not prescribe a single template or tool. Instead, it expects an accurate and thorough analysis that fits the size, complexity, and capabilities of the covered entity or business associate.


A solo therapy practice, a community health clinic, and a multi-hospital system will all answer these questions differently. The Security Risk Assessment gives each of them a clear, documented picture to work from.


Why do regulators focus on Security Risk Assessments?


Security Risk Assessments have been part of HIPAA for a long time. What has changed is how often they appear at the center of enforcement.


Recent OCR press releases and Resolution Agreements describe:


  • A Risk Analysis Initiative that focuses investigations on whether entities conducted an accurate and thorough risk analysis under the HIPAA Security Rule. [1]

  • Settlements where OCR found that the organization either never performed an enterprise-wide risk analysis, or treated it as a one-time exercise that was never updated as systems and services changed.

  • Corrective action plans that require organizations to perform, document, and maintain comprehensive risk analyses and then manage those risks going forward.


Legal and industry analysis of OCR activity tells the same story from another angle. When you look across settlements, you see different types of breaches and different kinds of entities, but the same core issue: failure to conduct and maintain a thorough, enterprise-wide Security Risk Assessment consistent with the Security Rule.


From OCR’s perspective, this makes sense. You cannot reasonably protect ePHI if you do not know where it lives, how it moves, and how it can be exposed.


What does a good Security Risk Assessment teach you?


Compliance is the minimum. The real payoff from a Security Risk Assessment is insight.

A good assessment will teach you things about your organization that you cannot get from policies or system diagrams alone.


Where your sensitive data really lives


Most organizations can name their electronic health record and a few major systems. A thorough assessment looks beyond that, including:


  • Patient portals and secure messaging tools

  • Telehealth platforms and remote care solutions

  • Billing systems and clearinghouses

  • Cloud storage, shared drives, and collaboration tools

  • Email systems, laptops, tablets, and staff mobile devices

  • Third-party apps and vendors that create or receive ePHI on your behalf


This often surfaces “shadow” systems and informal workflows that never made it into formal documentation or previous HIPAA work.


Which systems and workflows carry the most risk


Not every system poses the same level of risk.


A Security Risk Assessment helps you see:


  • Where a single system outage could disrupt care

  • Where weak access controls, shared accounts, or unmanaged devices create opportunities for misuse

  • Where manual workarounds, like printing or texting screenshots, bypass your intended safeguards


These are the areas where a realistic threat could cause real harm to patients, operations, or your reputation.


How well your safeguards work in real life


Policies, procedures, and technical controls only matter if they match reality.


A good assessment looks at:


  • Whether staff follow written policies in their day-to-day work

  • Whether technical safeguards are configured the way leadership believes they are

  • Whether vendors are doing what their contracts say they will do with your data


This is often where organizations discover a gap between “what we think is happening” and “what is actually happening.”


What “reasonable” looks like for your risk tolerance


There is no single standard that fits every healthcare organization.


Risk tolerance depends on factors like:


  • Financial resources

  • Clinical priorities

  • Technology roadmap

  • Culture and appetite for change


A Security Risk Assessment lays out your options in a structured way:


  • Here are the highest risks we found

  • Here are realistic ways to reduce those risks

  • Here is the likely impact on cost, operations, and patient experience


You then have a clear basis for deciding which risks to address now, which to schedule for later, and which to accept.


How do you turn Security Risk Assessment findings into a practical roadmap?


A long list of findings is not helpful by itself. The value comes from turning those findings into a roadmap that your organization can actually follow.


That usually looks like this:


  1. Prioritize the top few risks by likelihood and impact.

  2. Map each of those risks to one or two concrete action items.

  3. Assign owners and timelines that match your capacity.

  4. Document where you are accepting risk and why.
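The four steps above amount to keeping a risk register: score each finding, rank the scores, attach owners and action items to the ones you are treating, and record a reason for every risk you accept. The following Python is an added example written for this article, not code from the author or from any regulator or tool; the 1-to-5 likelihood and impact scales, the field names, and the sample findings are all constructed assumptions. It ranks findings by likelihood multiplied by impact and then checks that nothing leaves the register undocumented, which is the gap OCR most often cites.

```python
"""Constructed example: a small SRA risk register that turns findings into a
prioritized roadmap. Scoring scale, field names and sample findings are
assumptions made for illustration, not regulatory requirements."""
from dataclasses import dataclass, field
from typing import List, Optional

VALID_TREATMENTS = ("mitigate", "schedule", "accept")


@dataclass
class Finding:
    id: str
    asset: str
    description: str
    likelihood: int                 # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int                     # assumed scale: 1 (negligible) .. 5 (severe)
    treatment: str                  # "mitigate" now, "schedule" later, or "accept"
    owner: Optional[str] = None     # required unless the risk is accepted
    due: Optional[str] = None       # ISO date, required unless the risk is accepted
    rationale: Optional[str] = None  # required when the risk is accepted
    actions: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        """Step 1: likelihood x impact on the assumed 1..5 scales (max 25)."""
        return self.likelihood * self.impact


def prioritize(findings: List[Finding], top_n: int = 3) -> List[Finding]:
    """Step 1: rank findings by score; ties go to the higher-impact item so
    high-consequence risks surface first."""
    ranked = sorted(findings, key=lambda f: (f.score, f.impact), reverse=True)
    return ranked[:top_n]


def validate(findings: List[Finding]) -> List[str]:
    """Steps 2-4: every finding must be either actioned (actions, owner, due
    date) or explicitly accepted with a written rationale. Returns problems."""
    problems = []
    for f in findings:
        if f.treatment not in VALID_TREATMENTS:
            problems.append(f"{f.id}: unknown treatment {f.treatment!r}")
            continue
        if f.treatment in ("mitigate", "schedule"):
            if not f.actions:
                problems.append(f"{f.id}: no concrete action items")
            if not f.owner:
                problems.append(f"{f.id}: no owner assigned")
            if not f.due:
                problems.append(f"{f.id}: no target date")
        elif not f.rationale:
            problems.append(f"{f.id}: accepted risk without documented rationale")
    return problems


def roadmap(findings: List[Finding]) -> List[str]:
    """Render the register as one line per finding, highest score first."""
    lines = []
    for f in sorted(findings, key=lambda x: (x.score, x.impact), reverse=True):
        if f.treatment == "accept":
            detail = f"ACCEPTED: {f.rationale or '(no rationale recorded)'}"
        else:
            detail = f"{f.treatment.upper()} by {f.due} ({f.owner}): " + "; ".join(f.actions)
        lines.append(f"[{f.id}] score={f.score:2d} {f.asset}: {detail}")
    return lines


# Constructed sample findings for a small clinic; names and dates are made up.
SAMPLE = [
    Finding("R-1", "Legacy billing server", "Unsupported OS, no vendor patches", 4, 5,
            "mitigate", "IT Director", "2026-03-31",
            actions=["Retire legacy server", "Migrate billing to supported platform"]),
    Finding("R-2", "Nursing station workstation", "Shared login, no audit trail", 5, 3,
            "mitigate", "Practice Manager", "2026-01-31",
            actions=["Issue individual accounts", "Enable audit logging"]),
    Finding("R-3", "Staff mobile phones", "Screenshots of charts sent by SMS", 3, 4,
            "schedule", "Compliance Officer", "2026-06-30",
            actions=["Deploy approved secure messaging app", "Update acceptable-use training"]),
    Finding("R-4", "Transcription vendor", "BAA questionnaire three years old", 2, 3,
            "schedule", "Compliance Officer", "2026-09-30",
            actions=["Reissue vendor security questionnaire"]),
    Finding("R-5", "Guest Wi-Fi", "Guests share building network", 1, 2,
            "accept", rationale="Guest VLAN is isolated from clinical systems; reassess annually"),
    Finding("R-6", "Fax machine", "Paper output left in shared tray", 1, 3,
            "accept"),  # deliberately missing rationale to show the check
]

if __name__ == "__main__":
    print("\n".join(roadmap(SAMPLE)))
    for p in validate(SAMPLE):
        print("PROBLEM:", p)
```

Running the script prints the ranked register and one problem line for R-6, the accepted risk with no written reason. The validation step is the point of the example: a risk you choose to accept is a legitimate outcome of the assessment, but only if the decision and its rationale are on paper.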


For example, your roadmap might include:


  • Retiring a legacy system that is too expensive to secure

  • Tightening user access and audit logging in your core systems

  • Strengthening email security and workforce training to reduce phishing risk

  • Updating vendor contracts and questionnaires for any business associate that handles ePHI


You do not have to fix everything at once. The goal is steady, visible progress in the areas that matter most.


How do Security Risk Assessments support healthcare leaders?


From a leadership perspective, a Security Risk Assessment offers more than a compliance checkbox.


It gives leaders:


  • A shared picture of where data lives and how it is protected

  • A way to connect security decisions to business and clinical priorities

  • A documented basis for choices about technology, vendors, and budget

  • A solid foundation and a practical starting point for long-term improvement


Most importantly, it gives everyone involved a clearer sense of where they stand. That alone can provide real peace of mind for executives, clinical leaders, and boards.



HIPAA Security Risk Assessment FAQ


  1. How often should we do a HIPAA Security Risk Assessment?


Currently, HIPAA does not specify an exact frequency. OCR expects risk analysis to be an ongoing process that is updated when there are significant changes, such as new systems, locations, or services. Many organizations treat it as an annual process and revisit it sooner when major changes occur. The 2025 proposed Security Rule changes would (if finalized) require annual compliance.


  2. Is a checklist or automated tool enough for a Security Risk Assessment?


Checklists and automated tools can be helpful, especially for smaller practices, but they are not enough by themselves. A compliant Security Risk Assessment needs to be accurate and thorough, aligned with the HIPAA Security Rule, and tailored to your specific environment, not just a generic list of questions.


  3. Do we have to fix every single risk we find?


No organization can eliminate every risk. The goal is to understand your risks and implement reasonable and appropriate safeguards. You should document which risks you are addressing now, which ones you plan to address later, and which ones you are accepting, along with the reasons for those decisions.


  4. What happens if we do not have a current Security Risk Assessment?


If you do not have a current, documented Security Risk Assessment, you are exposed on two levels. First, OCR has repeatedly cited failure to conduct an adequate risk analysis as a core violation in enforcement actions and settlements. Second, without a clear view of your risk, it is much harder to prioritize safeguards, defend your decisions, or respond effectively when an incident happens.



About Sorticulture Systems

Sorticulture Systems is a data security consulting firm based in Washington that helps independent healthcare organizations build practical HIPAA compliance programs. That includes Security Risk Assessments, risk management planning, and hands-on support to turn regulatory requirements into everyday practices that protect patients and support care.


This article is for general educational purposes and is not legal advice. For guidance on your specific situation, you should consult legal counsel or a qualified privacy and security professional.



References:

[1] HHS Office for Civil Rights, “HHS’ Office for Civil Rights Settles HIPAA Security Rule Investigation with Health Fitness Corporation” (describing the fifth enforcement action under OCR’s Risk Analysis Initiative and emphasizing the risk analysis requirement).

[2] HHS Office for Civil Rights, “Guidance on Risk Analysis Requirements under the HIPAA Security Rule,” and 45 CFR 164.308(a)(1)(ii)(A) (risk analysis implementation specification).

HHS OCR Resolution Agreements highlighting risk analysis failures:

[3] Feldesman Leifer LLP, “OCR’s New Security Risk Analysis Initiative Results in Seven Enforcement Actions in First Six Months” (summarizing the Risk Analysis Initiative and seven enforcement actions, and noting that failure to perform an adequate security risk analysis has long been a top OCR finding).

[4] Ogletree Deakins / JD Supra, “2025 Enforcement Trends: Risk Analysis Failures at the Center of HHS’s Multimillion-Dollar HIPAA Penalties” (reviewing ten 2025 resolution agreements and highlighting enterprise-wide risk analysis failures as a common theme).
