Every healthcare practice knows they're supposed to have a HIPAA Security Risk Assessment. Most believe they do. The problem is that what most practices call a "risk assessment" doesn't come close to what HIPAA actually requires.

A risk assessment isn't a vendor survey. It isn't a checklist you downloaded from a Google search. It isn't the SRA Tool from HHS.gov that someone filled out once in 2019 and filed away. It's a living process — and it's the legal and operational foundation of your entire HIPAA Security Rule compliance program.

Getting this wrong isn't a technicality. It's the most common reason practices end up in OCR resolution agreements, and it's almost always cited alongside whatever the primary incident was.


What HIPAA Actually Requires

The requirement lives at 45 CFR § 164.308(a)(1) — the Administrative Safeguards section of the HIPAA Security Rule. It requires covered entities and business associates to:

  • Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI the organization creates, receives, maintains, or transmits
  • Implement security measures sufficient to reduce identified risks and vulnerabilities to a reasonable and appropriate level
  • Document the assessment and the risk management decisions that follow from it
  • Review and update the assessment periodically and in response to environmental or operational changes

Three words in that language matter more than people realize: "all ePHI." Not just your EHR. Not just the systems managed by your IT vendor. Every system, every device, every workflow that creates, receives, maintains, or transmits electronic protected health information.

That means your email. Your cloud storage. Your patient texting platform. Your billing software. Your offsite backup drives. The laptop your billing coordinator takes home. The fax server. All of it.


What Most Practices Actually Have

When we ask a practice to show us their risk assessment, the responses tend to fall into a few categories — none of which survive scrutiny:

  • A PDF they completed once, several years ago, that has never been updated since a new EHR, new staff, or a new cloud system was added
  • A "HIPAA compliant" certification or checklist from their EHR vendor — which covers only that vendor's system, not the practice's overall environment
  • A Word document from a compliance consultant that was generated as a deliverable, signed, and never looked at again
  • An honest admission that they're not actually sure whether they have one

All of these represent the same underlying problem: the risk assessment was treated as a one-time compliance event rather than an ongoing process. HIPAA doesn't allow for that, and OCR's enforcement history makes clear they know the difference.


What a Real Risk Assessment Actually Includes

A proper HIPAA Security Risk Assessment has four substantive components. Each one builds on the last, and all four need to be documented.

// 01 — Inventory of ePHI

The foundation. You cannot assess risk to data you haven't located yet. Start by asking where your practice creates, receives, maintains, or transmits ePHI. For most practices the answer includes:

  • EHR system and all integrated modules (scheduling, lab results, patient portal)
  • Email — especially if patients communicate clinical information via email
  • Billing platform (clearinghouse connections, remittance data)
  • Patient communication tools (text platforms, appointment reminders)
  • Cloud storage (Google Drive, Dropbox, OneDrive) used by any staff member
  • Portable and mobile devices (laptops, tablets, phones)
  • Printers, scanners, fax servers — these hold data in memory and on hard drives
  • Backup media — local drives, tapes, offsite backups

// 02 — Threat and Vulnerability Identification

For each system holding ePHI: what could go wrong, and what weaknesses exist that could allow it?

  • Threats: ransomware, phishing, insider misuse, lost or stolen devices, unauthorized remote access, vendor breach, natural disaster
  • Vulnerabilities: weak or shared passwords, no multi-factor authentication, unpatched operating systems or software, unencrypted portable devices, overly broad access permissions, no audit logging, staff who haven't received security training
  • Every threat paired with a relevant vulnerability is a risk item that needs to be documented and addressed

// 03 — Likelihood and Impact Analysis

Not all risks are equal. This step produces a documented risk rating for each item.

  • For each threat/vulnerability pair: how likely is this to occur given your current environment?
  • If it did occur: what would the impact be on the confidentiality, integrity, or availability of ePHI?
  • Likelihood × Impact = Risk Level. Document this for each item. OCR wants to see that you thought through the analysis, not just that you listed threats.

// 04 — Risk Management Plan

This is what OCR actually wants to see when they show up.

  • For each identified risk: what safeguard are you implementing to reduce it?
  • Document the decision — even if you decide to accept a risk rather than mitigate it, that decision needs to be documented and justified
  • Assign a responsible person and a timeline for each open item
  • Track completion. Evidence that you identified risks and followed through is the difference between a compliance program and a compliance document
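The four steps above fit naturally into a risk register: each row pairs a system from the inventory with a threat and a vulnerability, carries a likelihood and impact rating, records the decision made about it, and tracks who owns the follow-through and by when. The following Python is an added illustration of that register, not code from the article or from any compliance tool it mentions. The 1–3 ordinal scales, the high/medium/low rating thresholds, and every system, threat, person and date in the sample register are constructed assumptions; HIPAA prescribes no particular scale. The useful part is `follow_through_gaps`, which reports exactly the documentation failures an investigator would flag: an open item with no owner or timeline, an overdue item, a mitigation decision with no safeguard recorded, and a risk accepted without a written justification.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed ordinal scales for the Likelihood x Impact analysis (step 03).
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}

# Assumed "today" for the review run below (constructed date).
ASSESSMENT_DATE = date(2024, 4, 1)


@dataclass
class RiskItem:
    system: str                 # step 01: an entry from the ePHI inventory
    threat: str                 # step 02: what could go wrong
    vulnerability: str          # step 02: the weakness that would allow it
    likelihood: str             # step 03: "low" | "medium" | "high"
    impact: str                 # step 03: "low" | "medium" | "high"
    decision: str               # step 04: "mitigate" or "accept"
    safeguard: str = ""         # control being implemented (if mitigating)
    justification: str = ""     # written reason (required if accepting)
    owner: Optional[str] = None
    due: Optional[date] = None
    completed: Optional[date] = None

    def risk_level(self) -> int:
        """Likelihood x Impact on the assumed 1-3 scales; range 1..9."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def rating(self) -> str:
        """Bucket the numeric level; thresholds are an assumption."""
        level = self.risk_level()
        if level >= 6:
            return "high"
        if level >= 3:
            return "medium"
        return "low"


def ranked(register):
    """Highest-risk items first, so remediation effort is prioritised."""
    return sorted(register, key=lambda r: r.risk_level(), reverse=True)


def follow_through_gaps(register, today):
    """Return (item, reason) pairs showing where documentation or
    follow-through is missing. This is the evidence-of-action check."""
    gaps = []
    for item in register:
        if item.decision == "accept":
            if not item.justification.strip():
                gaps.append((item, "risk accepted without documented justification"))
            continue  # accepted risks have no open action to track
        if not item.safeguard.strip():
            gaps.append((item, "mitigation decided but no safeguard recorded"))
        if item.completed is not None:
            continue  # closed item: evidence of completion exists
        if item.owner is None:
            gaps.append((item, "open item has no responsible person"))
        if item.due is None:
            gaps.append((item, "open item has no timeline"))
        elif item.due < today:
            gaps.append((item, f"open item overdue since {item.due.isoformat()}"))
    return gaps


def build_sample_register():
    """Constructed sample rows; every value here is illustrative."""
    return [
        RiskItem("Billing coordinator laptop", "lost or stolen device",
                 "no full-disk encryption", "medium", "high", "mitigate",
                 safeguard="enable full-disk encryption on all laptops",
                 owner="Practice manager", due=date(2024, 3, 1)),
        RiskItem("Email", "phishing", "no multi-factor authentication",
                 "high", "high", "mitigate",
                 safeguard="enforce MFA on every mailbox",
                 owner="IT vendor", due=date(2024, 2, 15),
                 completed=date(2024, 2, 10)),
        RiskItem("Fax server", "unauthorized access to stored faxes",
                 "overly broad share permissions", "low", "medium",
                 "mitigate"),            # no safeguard, owner or date recorded
        RiskItem("Offsite backup tapes", "natural disaster",
                 "single storage location", "low", "high",
                 "accept"),              # accepted, but no justification written
    ]


if __name__ == "__main__":
    register = build_sample_register()
    for item in ranked(register):
        print(f"{item.risk_level()} ({item.rating():6}) {item.system}: "
              f"{item.threat} / {item.vulnerability}")
    for item, reason in follow_through_gaps(register, ASSESSMENT_DATE):
        print(f"GAP  {item.system}: {reason}")
```

Running it lists the four sample risks from highest to lowest level and then the five gaps an auditor would find in that register: the laptop encryption item is overdue, the fax server item has no safeguard, owner or timeline, and the backup-tape risk was accepted without a written reason. The completed MFA item produces no gap, which is the point of tracking completion: the register itself becomes the evidence of follow-through.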

The "Annual Update" Requirement — and What Triggers One Early

HIPAA doesn't use the word "annually." The requirement is "periodically" and "in response to environmental or operational changes." In practice, most compliance professionals recommend a formal review at least once per year — but certain changes require a reassessment before that clock runs out.

Any of these should trigger a risk assessment update:

  • New software or systems added to the environment (new EHR module, new patient communication platform)
  • New devices — especially portable devices, workstations added for new staff, or bring-your-own-device policies
  • Staff changes — new employees with ePHI access, departing employees, role changes that affect access levels
  • New workflows (telehealth, remote work, outsourced billing)
  • A security incident or near-miss — even one that didn't result in a breach
  • A change in the physical environment (office move, new workstations)
  • A new business associate relationship that involves ePHI access

That's a long list. For most practices, it means the risk assessment should be touched more than once a year — even if a full rewrite isn't required every time.


What OCR Looks For in an Audit

OCR's Phase 2 audit protocol and enforcement actions provide a consistent picture of what investigators actually examine:

  • Did the organization conduct a risk assessment?
  • Does it cover all ePHI — not just the primary EHR system?
  • Is it documented in a form that demonstrates actual analysis, not just a checklist?
  • Did the organization implement security measures based on what the assessment found?
  • Is there evidence of periodic review and updates?
  • Does the risk management plan show follow-through — or does it show a list of open items that were never acted on?

In OCR's 2023 enforcement actions, 73% of resolution agreements cited a deficient or missing risk analysis as a key violation — even in cases where the primary incident was something else entirely. A breach surfaces the missing assessment. The assessment becomes its own violation.

This is the pattern that catches practices off guard. They experience a phishing incident, a lost laptop, or a ransomware attack. OCR opens an investigation into the breach. During the investigation, they ask for the risk assessment. The practice produces something that doesn't meet the standard. Now there are two violations instead of one — and the risk assessment deficiency often carries its own penalty.


The Right Way to Think About It

A HIPAA Security Risk Assessment is not a compliance checkbox to be completed and filed. It's a structured process for actually finding out where your practice is vulnerable — and documenting what you're doing about it.

Practices that fare best in OCR investigations share a common profile: they have documented evidence that they looked for risks, made decisions about them, and implemented safeguards over time. They don't have to have been perfect. OCR has consistently shown willingness to work with organizations that demonstrate a genuine, documented effort at compliance — and much less willingness to work with organizations that have a filing cabinet full of paper that was never meant to reflect actual practice.

If OCR ever does open an investigation, the corrective action plan almost invariably starts with: conduct a proper risk assessment. That's the reset point. Starting from that point before an investigation is a significantly better position to be in.


If your risk assessment is a PDF you haven't opened in two years, or if you're not entirely sure you have one at all — that's the first conversation worth having. A proper assessment doesn't have to be complicated or expensive. But it does have to be real: current, complete, and connected to actual decisions about your actual systems.

That's the standard HIPAA sets, and it's the standard OCR enforces.