The HIPAA Security Rule (45 CFR Part 164, Subpart C) requires covered entities and business associates to conduct an accurate and thorough risk analysis, commonly called a Security Risk Assessment (SRA), as the cornerstone of their compliance program. The SRA is not optional: it is the explicit requirement of 45 CFR §164.308(a)(1)(ii)(A), and the HHS Office for Civil Rights (OCR) has consistently cited the absence of a valid risk analysis as the most common finding in HIPAA enforcement actions.
Without a documented, comprehensive SRA, an organization cannot demonstrate compliance with the Security Rule, regardless of how many technical controls it has deployed. The SRA is the foundation on which all other HIPAA compliance activities rest: it identifies risks to electronic Protected Health Information (ePHI, written PHI for short in this guide), drives risk management decisions, and documents the organization's security posture for auditors and regulators. This guide walks through what the SRA requires, who must comply, common violation patterns, and a practical checklist for healthcare organizations at any stage of their compliance journey.
The HIPAA Security Rule organizes its requirements across five distinct areas, each addressing a different dimension of PHI protection. The SRA must evaluate an organization's controls across all five areas to be considered complete by OCR standards.
It is important to understand the distinction between "required" and "addressable" implementation specifications within the Security Rule. Required specifications must be implemented exactly as described. Addressable specifications must be implemented if reasonable and appropriate — if not, the covered entity must document why and implement an equivalent alternative measure. "Addressable" does not mean optional; it means context-dependent. Encryption, for example, is an addressable specification, but OCR's guidance makes clear that it is expected in almost all circumstances.
HIPAA's reach extends well beyond hospitals and physician offices. The Security Rule applies to all covered entities and their business associates — and business associates must ensure their own subcontractors who handle PHI are also bound by equivalent protections through downstream BAAs.
| Entity Type | Examples | Security Rule Obligation |
|---|---|---|
| Healthcare Providers | Hospitals, clinics, physicians, dentists, pharmacies, nursing homes | Full Security Rule compliance required if the provider transmits health information electronically in connection with a HIPAA standard transaction (claims, eligibility checks, etc.) |
| Health Plans | Health insurance issuers, HMOs, Medicare/Medicaid programs, employer-sponsored group health plans (except self-administered plans with fewer than 50 participants) | Full Security Rule compliance required |
| Healthcare Clearinghouses | Billing services, repricing companies, community health management information systems | Full Security Rule compliance required |
| Business Associates | Cloud service providers, EHR vendors, medical transcriptionists, legal firms, IT service providers, data analytics companies handling PHI | Security Rule compliance required; BAA with covered entity mandatory |
| Subcontractors of BAs | Any vendor of a business associate that handles, stores, or processes PHI on the BA's behalf | Must enter BAA with the business associate; treated as BA for Security Rule purposes |
Business Associate Alert: Many technology vendors are surprised to learn they qualify as HIPAA business associates. If your company provides services to healthcare organizations that involve accessing, storing, or processing PHI — including cloud infrastructure, data backup, analytics platforms, or support services — you are a business associate and must comply with the full Security Rule, not just the terms of a BAA. A BAA does not substitute for Security Rule compliance; it documents that compliance is required.
HHS OCR publishes enforcement statistics and resolution agreements that provide a clear picture of the most common compliance failures. Understanding these patterns allows organizations to prioritize their SRA efforts on the areas most likely to attract regulatory attention — and most likely to cause actual PHI harm.
Average resolution agreement value for large covered entity breaches involving hacking or unauthorized access to PHI. Insufficient technical safeguards are the primary driver.
Failure to conduct a compliant risk analysis is the single most cited violation in OCR enforcement actions — appearing in over 80% of multi-year investigation settlements.
The Breach Notification Rule (45 CFR Part 164, Subpart D, a separate rule from the Security Rule) requires notification to affected individuals without unreasonable delay and no later than 60 days after discovery. Breaches affecting 500 or more individuals must be reported to HHS within the same 60-day window; smaller breaches are logged and reported to HHS annually. A breach counts as discovered on the first day it is known, or by exercising reasonable diligence would have been known, so a late discovery date is no defense. Missing this timeline is a frequent enforcement trigger.
Failure to execute Business Associate Agreements before sharing PHI with third parties — or using outdated BAA templates that don't include Security Rule language — is common and expensive.
The access control standard at §164.312(a)(1) is one of the most technically nuanced areas of the Security Rule. Typical failures include shared login credentials among staff (defeating the unique user identification specification, §164.312(a)(2)(i)), no automatic logoff after inactivity (§164.312(a)(2)(iii)), no audit trail showing who accessed specific PHI records (the audit controls standard, §164.312(b)), access privileges beyond what clinical or operational roles require, and weak termination procedures that let former employees retain access. Workforce access management therefore intersects directly with the workforce security standard at §164.308(a)(3), whose implementation specifications cover authorization and supervision, workforce clearance, and termination procedures.
While encryption is an "addressable" specification, OCR enforcement data makes clear that organizations routinely face significant penalties for unencrypted PHI, particularly on laptops, mobile devices, and portable media. §164.312(a)(2)(iv) (encryption and decryption, generally applied to ePHI at rest) and §164.312(e)(2)(ii) (encryption under the transmission security standard, for ePHI in transit) are the relevant specifications. Loss or theft of a device holding unencrypted PHI is a reportable breach, whereas PHI encrypted in line with HHS guidance is treated as "secured" and falls under the breach notification safe harbor. That difference is why unencrypted device loss remains one of the most common root causes of entries on the HHS breach portal (the "Wall of Shame").
§164.308(a)(5) requires security awareness and training programs that cover topics including phishing recognition, password management, PHI handling procedures, and reporting procedures for suspected violations. Regulators look not just for evidence that training was conducted, but that it is periodic (at least annual for most organizations), role-appropriate, and that completion is documented with records retained.
The contingency plan standard (§164.308(a)(7)) is often overlooked until a ransomware attack forces the issue. Its required implementation specifications are a data backup plan, a disaster recovery plan, and an emergency mode operation plan; testing and revision procedures and an applications and data criticality analysis are addressable, which still means they must be implemented or their omission justified in writing. Many organizations have backup procedures but lack documented emergency mode operation procedures, a criticality analysis, or any evidence that the plan has been tested, and untested backups are exactly the gap ransomware exposes.
Need to complete your HIPAA Security Risk Assessment? Our free tool walks you through all five safeguard areas and generates a risk score with gap identification in under 10 minutes.
Take the Free HIPAA SRA Tool →

This 12-point checklist covers the foundational elements that OCR reviewers evaluate during HIPAA investigations. Organizations that can produce written evidence for each item are significantly better positioned to demonstrate a good faith compliance program, which is a key mitigating factor under the tiered civil money penalty structure.
OCR's guidance on conducting a Security Risk Analysis identifies a structured eight-step process. The HHS SRA Tool (available from HealthIT.gov) provides a structured interview format suitable for small to medium practices. Larger organizations typically need a more comprehensive methodology built on a dedicated risk management framework such as NIST SP 800-30 (risk assessment) or NIST SP 800-66 Rev. 2, which maps NIST risk management practices onto the HIPAA Security Rule.
1. Define all systems, applications, locations, and processes where PHI exists or transits.
2. Document how PHI enters, moves through, and exits the organization, including all third parties.
3. Identify all reasonably anticipated threats to PHI: technical, physical, human, and natural.
4. Identify security vulnerabilities that could allow those threats to materialize: technical gaps, process failures, and configuration weaknesses.
5. Assess the probability that each threat will exploit an identified vulnerability and the impact on PHI confidentiality, integrity, and availability.
6. Calculate composite risk scores (Likelihood × Impact) and prioritize risks for treatment.
7. Evaluate current security measures against the identified risks and determine whether the controls reduce each risk to an acceptable level.
8. Document the remaining risk after controls are accounted for, and record a risk management decision (treat, transfer, or tolerate) for each residual risk.
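To make steps 5 through 8 concrete, here is an added example of a small risk register, written for this article; it is not the HHS SRA Tool and not OCR's own method. It rates likelihood and impact on assumed 1-5 scales, computes Likelihood × Impact, applies each documented control as removing a stated fraction of the remaining exposure, bands the residual score, and flags any risk above an assumed tolerance that still lacks a recorded treat/transfer/tolerate decision. The scales, the control model, the band cut-offs, and the register entries are all assumptions or constructed sample data.

```python
"""Risk register for steps 5-8 of the risk analysis procedure above.

Added illustration written for this article, not an HHS/OCR tool and not
code from the HHS SRA Tool. Assumptions: 1-5 likelihood and impact scales,
composite risk = likelihood x impact (1-25), controls that each remove a
stated fraction of the remaining exposure, and a tolerance threshold above
which a documented treatment decision is mandatory. The register entries
are constructed sample data, not findings from a real assessment.
"""
from dataclasses import dataclass, field

RISK_TOLERANCE = 6.0          # assumed: residual risk above this needs a decision
VALID_DECISIONS = {"treat", "transfer", "tolerate"}


@dataclass
class Risk:
    asset: str                       # where PHI lives or flows (steps 1-2)
    threat: str                      # reasonably anticipated threat (step 3)
    vulnerability: str               # weakness the threat could exploit (step 4)
    likelihood: int                  # 1 (rare) .. 5 (almost certain), step 5
    impact: int                      # 1 (negligible) .. 5 (severe) on C/I/A, step 5
    controls: list = field(default_factory=list)  # [(control, effectiveness 0.0-1.0)]
    decision: str = ""               # treat / transfer / tolerate (step 8)

    def __post_init__(self):
        # Reject out-of-scale ratings early: a 0 or 6 silently distorts every score.
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be 1-5, got {value}")
        for control, effectiveness in self.controls:
            if not 0.0 <= effectiveness <= 1.0:
                raise ValueError(f"effectiveness of {control!r} must be 0-1")
        if self.decision and self.decision not in VALID_DECISIONS:
            raise ValueError(f"unknown decision {self.decision!r}")

    def inherent(self) -> int:
        """Step 6: composite risk before controls, Likelihood x Impact."""
        return self.likelihood * self.impact

    def residual(self) -> float:
        """Step 7: risk left after each control removes its share of what remains."""
        remaining = 1.0
        for _, effectiveness in self.controls:
            remaining *= 1.0 - effectiveness
        return round(self.inherent() * remaining, 1)


def band(score: float) -> str:
    """Qualitative band for a 1-25 score (assumed cut-offs)."""
    if score <= 5:
        return "Low"
    if score <= 12:
        return "Moderate"
    return "High"


def prioritize(register: list) -> list:
    """Highest residual risk first; ties keep register order."""
    return sorted(register, key=lambda r: r.residual(), reverse=True)


def undocumented(register: list, tolerance: float = RISK_TOLERANCE) -> list:
    """Step 8 gap check: residual risk above tolerance with no recorded decision."""
    return [r for r in register if r.residual() > tolerance and not r.decision]


# Constructed sample register (not real assessment data).
REGISTER = [
    Risk("Clinical laptop fleet", "theft or loss of device",
         "no full-disk encryption", likelihood=4, impact=5),
    Risk("EHR application", "credential sharing / account misuse",
         "shared logins, no per-user audit trail", likelihood=3, impact=4,
         controls=[("unique user IDs + MFA", 0.7)]),
    Risk("Backup server", "ransomware encrypts primary and backup data",
         "backups online and never restore-tested", likelihood=4, impact=5,
         controls=[("offline backup copy", 0.5), ("quarterly restore test", 0.2)],
         decision="treat"),
    Risk("Analytics vendor", "unauthorized disclosure by third party",
         "PHI shared before a BAA was executed", likelihood=2, impact=5,
         decision="treat"),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.residual():>5} {band(r.residual()):<8} {r.asset} "
              f"(inherent {r.inherent()}, decision: {r.decision or 'NONE'})")
    for r in undocumented(REGISTER):
        print(f"ACTION: document a treatment decision for {r.asset!r}")
```

Run as a script, the register prints the prioritized list and one action item: the unencrypted laptop fleet sits at the top with a High residual score and no recorded decision, which is exactly the kind of undocumented gap OCR looks for. In practice the register lives in a GRC tool or spreadsheet rather than a script; what matters for the SRA record is that every risk carries an inherent score, the controls credited against it, a residual score, and a dated decision.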
The Security Rule does not specify a mandatory frequency for the risk analysis, but OCR guidance and enforcement actions consistently indicate that annual reviews are the accepted baseline. Beyond annual review, the SRA must be updated when significant environmental or operational changes occur: adoption of new technology (particularly EHR systems, cloud platforms, or telehealth solutions), mergers and acquisitions, significant workforce changes, new business lines involving PHI, and following any security incident or breach that identified previously unrecognized vulnerabilities.
HIPAA Security Rule documentation, including risk analyses, risk management plans, policies, training records, and BAAs, must be retained for six years from the date of creation or the date it was last in effect, whichever is later (§164.316(b)(2)(i)). This means a 2022 SRA must remain accessible and reviewable by OCR investigators through at least 2028, and later if it stayed in effect past 2022. Electronic retention with version control and access logging is considered best practice.
The contingency plan testing requirement (§164.308(a)(7)(ii)(D)) does not specify tabletop exercises by name, but HHS guidance acknowledges testing and revision as core requirements. Healthcare organizations that conduct structured tabletop exercises simulating ransomware attacks against PHI systems, medical device compromises, and insider threat scenarios are building documented evidence of contingency plan testing that directly supports HIPAA compliance — and are simultaneously building the muscle memory their teams need to respond effectively in real incidents.
Skyhigh Cybersecurity's platform includes healthcare-specific tabletop scenarios addressing hospital BMS compromises, medical device network attacks, and health system ransomware response — all with built-in After Action Report generation that produces audit-ready documentation for HIPAA contingency plan testing records.
Our free HIPAA SRA tool guides you through all five safeguard areas — administrative, physical, technical, breach notification, and organizational requirements. Get a compliance score, gap identification, and risk remediation guidance in under 10 minutes.
Take the Free HIPAA SRA Tool →

No credit card required. Aligned to 45 CFR Part 164. Suitable for covered entities and business associates.