
The HIPAA Security Risk Analysis: The Foundation Most Organizations Cannot Afford to Ignore

Dr. Jose I. Delgado
HIPAA Security Foundation

HIPAA Security does not begin with a policy binder, a firewall, a training module, or a signed Business Associate Agreement.

It begins with understanding risk.

That is why the HIPAA Security Risk Analysis, often called an SRA, is one of the most important activities a Covered Entity or Business Associate can complete. It is not just an IT checklist. It is not a quick scan of computers. It is not a document created only to satisfy an auditor.

A proper SRA is the foundation of a defensible HIPAA Security program.

It helps an organization identify where electronic protected health information, or ePHI, is created, received, maintained, transmitted, stored, accessed, and potentially exposed. It also helps leadership understand which risks must be addressed, who owns the corrective action, and how the organization will reduce vulnerabilities before they become costly incidents.

The time to act is NOW!!

The SRA Is Required Under the HIPAA Security Rule

The HIPAA Security Rule requires regulated organizations to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the Covered Entity or Business Associate.

This means the SRA is not optional.

It is a required part of the Security Management Process under the HIPAA Security Rule. Risk analysis and risk management are separate but connected obligations. First, the organization identifies risks and vulnerabilities. Then, it must implement security measures sufficient to reduce those risks and vulnerabilities to a reasonable and appropriate level.

In simple terms: you cannot properly manage risks you have not identified.

The SRA Is Not Just an IT Project

One of the most common mistakes organizations make is assigning the SRA only to the IT department.

Technology is important, but HIPAA Security is broader than computers, laptops, servers, and software. The Security Rule requires administrative, physical, and technical safeguards to protect ePHI. HHS explains that regulated entities must ensure the confidentiality, integrity, and availability of ePHI and protect against reasonably anticipated threats or hazards.

A meaningful SRA should review areas such as:

  • Human resources processes.

  • Employee onboarding and termination.

  • User access and role-based permissions.

  • Remote work and mobile devices.

  • Vendors and Business Associates.

  • Subcontractors that may touch ePHI.

  • Contracts and Business Associate Agreements.

  • Cloud platforms and third-party systems.

  • Physical access to workspaces and equipment.

  • Policies, procedures, and workforce training.

  • Incident response and contingency planning.

  • System activity review and monitoring.

  • Remediation tracking and leadership accountability.

If your SRA only looks at computers, it is likely incomplete.

The SRA Must Be Documented

An SRA that is discussed but not documented is difficult to defend.

Documentation matters because it shows what was reviewed, what risks were identified, how those risks were evaluated, what actions were recommended, who was assigned responsibility, and how progress will be monitored.

A documented SRA should help answer key questions:

  • Where does ePHI live?

  • Who has access to it?

  • How does ePHI move through the organization?

  • Which systems and vendors support it?

  • What vulnerabilities exist?

  • What safeguards are already in place?

  • What gaps remain?

  • What risks require immediate attention?

  • Who is responsible for fixing them?

  • When will corrective action be completed?

Without this documentation, an organization may struggle to prove that it took a thoughtful, accurate, and thorough approach to HIPAA Security.

The SRA Supports the Entire Compliance Program

The SRA is not an isolated activity. It should influence the rest of the HIPAA Security program.

A strong SRA helps guide:

  • Policy updates.

  • Workforce training priorities.

  • Access control decisions.

  • Vendor oversight.

  • Technology investments.

  • Incident response planning.

  • Contingency planning.

  • Audit readiness.

  • Leadership reporting.

  • Risk management and remediation.

HHS notes that risk analysis affects the implementation of all safeguards under the Security Rule because it helps the organization identify potential risks and vulnerabilities and determine which security measures are reasonable and appropriate.

This is why the SRA must come first. If the foundation is weak, the rest of the program may be built on assumptions.

A Missing or Weak SRA Can Create Serious Exposure

When an organization does not complete a proper SRA, the risk is not limited to one missing document.

A weak SRA can create a ripple effect across the compliance program. Policies may not reflect actual risks. Training may not address real workforce vulnerabilities. Vendors may not be properly reviewed. Access controls may be inconsistent. Technology gaps may go unresolved. Leadership may not know which risks require urgent attention.

During an audit, investigation, breach, or ransomware event, this can become a serious problem.

OCR enforcement activity continues to emphasize the importance of the Risk Analysis provision. In recent HIPAA Security Rule settlements, HHS has repeated that regulated organizations must conduct an accurate and thorough assessment of risks and vulnerabilities to ePHI.

The lesson is clear: regulators expect organizations to know their risks, document them, and take reasonable action to manage them.

Covered Entities and Business Associates Both Need to Pay Attention

The SRA requirement is not limited to healthcare providers.

Business Associates are also directly responsible for compliance with certain HIPAA requirements. HHS explains that Business Associates are directly liable for compliance with certain provisions of the HIPAA Rules.

This matters because many organizations rely on billing vendors, IT providers, consultants, cloud platforms, document storage companies, EHR vendors, and other third parties that may create, receive, maintain, or transmit ePHI.

If those vendors touch ePHI, they are part of the risk environment.

A Covered Entity should not assume that a signed agreement means all risk has been addressed. A Business Associate should not assume that a client’s SRA replaces its own. Each organization must understand and document its own risks based on its own systems, workforce, vendors, workflows, and safeguards.

The 2026 HIPAA Security Environment Raises the Stakes

Healthcare cybersecurity expectations are increasing. HHS has proposed updates to strengthen the HIPAA Security Rule, including proposals related to written risk assessments, stronger technical safeguards, and annual verification expectations for Business Associates and subcontractors.

Even as organizations monitor the final rulemaking process, the direction is clear. HIPAA Security programs are expected to become more documented, more detailed, and more accountable.

Organizations that delay their SRA may find themselves rushing to catch up later.

Now is the time to review whether your SRA includes current systems, remote work, cloud platforms, vendors, subcontractors, access controls, asset inventories, network pathways, policies, and remediation tracking.

The SRA Should Be Current, Practical, and Actionable

An SRA should not sit untouched in a folder.

Your organization changes. Your risks change with it.

An SRA should be reviewed when there are changes such as:

  • A new EHR system.

  • New billing or practice management software.

  • New vendors or subcontractors.

  • New locations.

  • Remote work changes.

  • Staffing changes.

  • New cloud applications.

  • Security incidents.

  • Mergers or acquisitions.

  • New devices or technology assets.

  • Changes in how ePHI is accessed, stored, or transmitted.

While HIPAA law does not explicitly mandate a rigid 12-month calendar interval, both federal guidance and industry best practices require organizations to conduct a full Security Risk Assessment (SRA) annually. Although 45 CFR § 164.308(a)(1)(ii)(A) does not say "every 12 months," it does require organizations to perform "periodic evaluations" and to update the assessment whenever new risks, organizational changes, or technology updates occur. Because operational environments change so rapidly, the Department of Health and Human Services (HHS) and compliance experts widely interpret this to mean conducting a comprehensive SRA at least once per year.

In addition to 45 CFR § 164.308(a)(1)(ii)(A), there are other mandates, such as the federal Promoting Interoperability program and MIPS (Merit-based Incentive Payment System), that specifically require an annual SRA as a core baseline measure to receive incentives.

Also keep in mind that a current SRA should lead to action. It should produce a practical remediation plan that identifies priorities, owners, deadlines, and follow-up steps.
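To make the documentation requirements above concrete (where ePHI lives, who has access, what gap exists, what safeguard is in place, who owns the fix and by when) together with the remediation plan this paragraph calls for, here is an added Python example. It is not code from the article or from Taino Consultants. The 3x3 likelihood/impact scale, the sample findings, the owners, and the dates are all constructed for illustration; the article prescribes no particular scoring method.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed qualitative scales (assumption: a simple 3x3 likelihood/impact
# matrix; HIPAA does not mandate a specific scoring method).
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Finding:
    """One documented risk to ePHI: where it lives, who can reach it, the gap,
    the safeguard already in place, the rating, and who fixes it by when."""
    finding_id: str
    asset: str               # system, vendor, or location holding ePHI
    access: str              # who has access to it
    vulnerability: str       # the gap identified
    existing_safeguard: str  # what is already in place
    likelihood: str
    impact: str
    owner: str = ""          # who is responsible for corrective action
    due: Optional[date] = None  # when corrective action will be completed
    status: str = "open"     # open, in_progress, or closed

    def risk_score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def risk_level(self) -> str:
        score = self.risk_score()
        if score >= 6:
            return "high"
        if score >= 3:
            return "medium"
        return "low"


def validate(findings):
    """Return (finding_id, problem) pairs for entries an auditor would call
    incomplete: unknown ratings, no named owner, or no completion date."""
    problems = []
    for f in findings:
        if f.likelihood not in LIKELIHOOD or f.impact not in IMPACT:
            problems.append((f.finding_id, "unknown likelihood/impact rating"))
        if not f.owner.strip():
            problems.append((f.finding_id, "missing owner"))
        if f.due is None:
            problems.append((f.finding_id, "missing due date"))
    return problems


def remediation_plan(findings, today):
    """Prioritised plan of open findings: highest risk first, earliest due
    date breaking ties, with an overdue flag for follow-up. Refuses to build
    a plan from incompletely documented findings."""
    problems = validate(findings)
    if problems:
        raise ValueError(f"incomplete SRA documentation: {problems}")
    open_items = [f for f in findings if f.status != "closed"]
    open_items.sort(key=lambda f: (-f.risk_score(), f.due))
    return [
        {
            "priority": rank,
            "finding_id": f.finding_id,
            "risk_level": f.risk_level(),
            "asset": f.asset,
            "owner": f.owner,
            "due": f.due.isoformat(),
            "overdue": f.due < today,
        }
        for rank, f in enumerate(open_items, start=1)
    ]


# Constructed sample register: fictional assets, owners, and dates.
SAMPLE_FINDINGS = [
    Finding("SRA-001", "Cloud EHR (vendor-hosted)", "all clinical staff",
            "Accounts of terminated users not disabled on departure",
            "Quarterly access review", "high", "high", "HR and IT", date(2026, 3, 31)),
    Finding("SRA-002", "Billing vendor (Business Associate)", "vendor staff",
            "No BAA on file for the vendor's subcontractor",
            "Contract review at onboarding", "medium", "high", "Compliance", date(2026, 4, 30)),
    Finding("SRA-003", "Staff laptops used for remote work", "remote workforce",
            "Full-disk encryption not verified on every device",
            "MDM enrollment policy", "medium", "medium", "IT", date(2026, 2, 15)),
    Finding("SRA-004", "Front-desk workstation", "front-desk staff",
            "Screen visible from the waiting area", "Privacy filter installed",
            "low", "low", "Operations", date(2026, 1, 31), status="closed"),
]
REVIEW_DATE = date(2026, 3, 1)  # constructed date of the review meeting


def example_plan():
    return remediation_plan(SAMPLE_FINDINGS, REVIEW_DATE)


if __name__ == "__main__":
    for item in example_plan():
        flag = " OVERDUE" if item["overdue"] else ""
        print(f'{item["priority"]}. [{item["risk_level"]}] {item["finding_id"]} '
              f'{item["asset"]} -> {item["owner"]} by {item["due"]}{flag}')
```

Run as a script, it lists the three open findings in priority order and flags the laptop encryption item as overdue against the constructed review date. The refusal to produce a plan from a finding without an owner or due date is deliberate: an SRA entry nobody is accountable for is exactly the kind of documentation gap the article warns cannot be defended.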

The goal is not to create paperwork for the sake of paperwork. The goal is to protect ePHI, reduce risk, and build a compliance program that can stand up to scrutiny.

Final Thought: Do Not Build HIPAA Security on Assumptions

A HIPAA Security program without a current, documented SRA is like a building without a stable foundation.

It may look complete from the outside. It may have policies, training, vendors, and technology tools. But if the organization has not properly identified and documented its risks, the entire program may be vulnerable.

The SRA gives leadership the visibility needed to make informed decisions. It helps compliance teams focus on the right priorities. It helps IT understand where safeguards are needed. It helps HR and operations recognize their role in protecting ePHI. It helps vendors and Business Associates understand that security responsibility does not stop at the contract.

Most importantly, it helps protect patients.

The time to act is NOW!!

How Taino Consultants Can Help

Taino Consultants helps Covered Entities, Business Associates, and healthcare organizations conduct practical, documented HIPAA Security Risk Analyses that go beyond generic checklists.

Our approach helps organizations identify risks across people, processes, technology, vendors, contracts, and workflows. We help translate the SRA into a clear remediation roadmap so leadership understands what needs to happen next.

If your organization has not completed a current, documented SRA, or if your existing SRA does not reflect how your organization operates today, now is the time to start.

Taino Consultants: Your Shield. Your Compliance.

About Dr. Jose I. Delgado

Dr. Jose I. Delgado is the founder and CEO of Taino Consultants, a veteran-owned, 8(a) graduate healthcare IT consulting firm based in St. Augustine, Florida. With over 30 years of experience in healthcare compliance and government contracting, Dr. Delgado has helped organizations navigate HIPAA, MACRA/MIPS, and federal IT security requirements.

Need help with healthcare compliance?

Taino Consultants provides HIPAA compliance consulting, MACRA/MIPS compliance support, and healthcare IT modernization services for government and private healthcare organizations.
