
HIPAA Security Risk Assessment preparation guide

A Security Risk Assessment is a required component of HIPAA compliance for covered entities. Preparing for one, rather than scrambling when it begins, leads to a more organized, less disruptive review experience. This content is for informational purposes and should be reviewed with appropriate legal or compliance advisors.

In this article
  1. What a Security Risk Assessment involves
  2. Understanding the scope of the assessment
  3. Organizing documentation before the review
  4. Common areas reviewed during an SRA
  5. After the SRA, gap documentation and planning

The HIPAA Security Rule requires covered entities to conduct a thorough assessment of the risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI). This process, often called a Security Risk Assessment or SRA, is not a one-time checkbox but an ongoing responsibility. Practices that prepare for an SRA before it begins, by organizing documentation, understanding what will be reviewed, and identifying likely gaps in advance, are better positioned to move through the process efficiently. The information in this guide is educational and should be reviewed with appropriate legal or compliance advisors where needed.

What a Security Risk Assessment involves

A Security Risk Assessment is a structured review of how a practice creates, receives, maintains, and transmits electronic protected health information. The assessment evaluates the technical, physical, and administrative safeguards the practice has in place, and identifies where gaps or vulnerabilities exist. It is not primarily about whether the practice has been breached; it is about whether the practice has organized and maintained appropriate protections for ePHI.

The SRA process is distinct from a compliance audit. Where an audit evaluates past conduct, an SRA is designed to identify current risk and inform remediation planning. The output of an SRA is typically a risk report that documents findings, rates their severity, and supports a prioritized corrective action plan.

Understanding the scope of the assessment

The scope of an SRA encompasses all systems, locations, and workflows where ePHI is created, stored, accessed, or transmitted. This includes EHR systems, practice management software, email, cloud storage, portable devices, fax machines, and any third-party services that touch ePHI. Understanding the full scope before the assessment begins prevents important systems or workflows from being overlooked.

  • Create an inventory of all systems and applications that store or transmit ePHI
  • Include physical locations where ePHI is accessed, not just electronic systems
  • Identify all workforce members who have access to ePHI
  • Document all third-party services and vendors that access ePHI as part of their service
  • Confirm that the scope includes mobile devices, remote access, and cloud services

Organizing documentation before the review

Documentation organization is one of the most practical steps a practice can take before an SRA. Assessors typically request current policies and procedures, access logs, training records, Business Associate Agreements, and evidence of prior security activities. Practices that can produce these materials quickly demonstrate organizational readiness and spend less time scrambling during the review itself.

  • Current HIPAA Privacy and Security policies and procedures
  • Business Associate Agreements with all applicable vendors and service providers
  • Workforce training records, initial and annual training completion logs
  • User access logs and access control documentation
  • Any prior SRA reports and associated corrective action plans
  • Incident logs documenting any prior security incidents or breaches
  • Physical security documentation, facility access controls and device inventory

Common areas reviewed during an SRA

While every SRA is structured differently depending on who conducts it and what tool or methodology is used, most assessments review a consistent set of HIPAA Security Rule safeguard categories: administrative safeguards (policies, training, workforce management), physical safeguards (facility controls, device management), and technical safeguards (access controls, encryption, audit controls, transmission security).

Practices that review these categories ahead of the assessment, and identify obvious gaps, are often able to address the easiest corrective actions before the SRA begins, which results in a cleaner finding set and a more manageable remediation workload.

After the SRA, gap documentation and planning

The SRA itself produces findings: a list of identified risks and vulnerabilities organized by severity. What a practice does with those findings is as important as the assessment itself. HIPAA requires that identified risks be addressed through a risk management plan: documented corrective actions with timelines, ownership, and status tracking. A well-organized SRA output document, combined with a structured remediation plan, supports ongoing compliance readiness and helps practices demonstrate progress in addressing identified gaps. This planning process should be reviewed with appropriate compliance advisors where needed.

  • Document all findings from the SRA in an organized risk register
  • Prioritize findings by severity and likely impact
  • Assign ownership and target completion dates for each corrective action
  • Track remediation progress on a defined schedule
  • Archive the SRA report and corrective action documentation for future reference

SRA preparation checklist

  • Inventory of all systems and locations where ePHI is stored or accessed is prepared
  • Current HIPAA Privacy and Security policies are on file
  • Business Associate Agreements are current for all applicable vendors
  • Workforce training records are organized and accessible
  • Access control documentation is current
  • Prior SRA reports and corrective action plans are accessible
  • Incident logs are organized and available for review
  • Any known gaps are identified and documented before the assessment begins

How OrvexHealth can help

OrvexHealth supports compliance readiness by helping practices organize documentation, understand SRA preparation requirements, and structure their gap tracking and remediation planning, in coordination with appropriate compliance advisors.

  • HIPAA documentation organization and policy management support
  • Business Associate Agreement tracking and maintenance
  • Workforce training record organization and log maintenance
  • Pre-SRA documentation readiness review
  • Gap tracking and remediation planning coordination after SRA completion