HIPAA Security: Evaluations vs. Security Risk Analysis

What is the difference between HIPAA Security Evaluation versus HIPAA Security Risk Analysis (SRA)? Perhaps a better question should be: how many covered entities and business associates comply with the HIPAA Security Evaluation Standard?

As it is, I know of many Covered Entities that to this date have never completed a valid SRA. The tracking record of Business Associates and their subcontractors regarding the completion of SRAs is worse than that of covered entities. The worst part of this is that to this date and have never seen a completed HIPAA Security Evaluation from any Covered Entity or Business Associate.

The actual requirements Of HIPAA Security Evaluations and HIPAA Security SRAs read as follows:


“Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operations changes affecting the security of electronic protected health information, that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart [the Security Rule].”

RISK ANALYSIS (R) – § 164.308(a)(1)(ii)(A)

“Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.”

The key, as I interpret these requirements, is that the Evaluation Standard focuses on the entity’s policies and procedures while the Risk Analysis looks into an analysis of the entity’s potential security’s risks and the probability of the occurrence of the same. 

It is also important to notice that periodic evaluations must be performed in response to environmental or operational changes that affect the security of EPHI. The on-going evaluation should also be performed on a scheduled basis, such as annually or at the very least every two years. Risk analysis should also be conducted in response to changes. However, the consensus among healthcare professionals and organizations is that Risk Analysis should be conducted on an annual basis or when changes to the entity are implemented.

The bottomline is that while SRAs and Evaluations refer to different activities both of them require annual actions and a product indicating your findings.