Healthcare Operations

The SRA Ripple Effect: Why Business Associates, Subcontractors, and 2026 HIPAA Security Changes Matter Now

Dr. Jose I. Delgado

A HIPAA Security Risk Analysis, often called an SRA, does not stop at the walls of a medical office, hospital, clinic, billing company, or healthcare organization. In today’s healthcare environment, electronic protected health information, or ePHI, moves through many hands, systems, vendors, platforms, consultants, subcontractors, cloud tools, billing services, IT support providers, and third-party workflows.

That means the risk does not stay in one place.

It ripples.

For Covered Entities and Business Associates, this is one of the most important concepts to understand. If a partner, vendor, or subcontractor touches ePHI, their security practices can affect your compliance posture, your patients, your operations, and your exposure during an audit or investigation.

The time to act is now.

The HIPAA SRA Is Not Just a Covered Entity Requirement

Many healthcare organizations mistakenly believe the HIPAA Security Risk Analysis is only a requirement for Covered Entities. That is not correct.

The HIPAA Security Rule (45 CFR § 164.308(a)(1)(ii)(A)) requires Covered Entities and Business Associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI they hold. Business Associates have been directly liable for this requirement since the 2013 Omnibus Rule. This is not optional. It is a required part of the HIPAA Security Rule.

Business Associates may include billing companies, IT vendors, cloud storage providers, consultants, practice management vendors, software companies, document management providers, legal or accounting vendors with access to ePHI, and other organizations that create, receive, maintain, or transmit ePHI on behalf of a Covered Entity.

If those organizations use subcontractors that also touch ePHI, the risk chain continues.

This is why an SRA must look beyond internal computers and laptops. It must consider the full environment where ePHI lives, moves, or may be exposed.

Your Vendor’s Risk Can Become Your Risk

A Business Associate Agreement is important, but it is not the same thing as risk management.

Signing an agreement does not automatically mean a vendor has strong access controls, trained staff, proper termination procedures, secure remote access, updated systems, documented policies, or a current SRA. It simply creates a contractual framework for how ePHI should be protected.

The real question is this:

Does your organization know whether vendors and subcontractors that touch ePHI have actually identified and managed their own risks?

If the answer is no, your organization may be relying on assumptions. In healthcare compliance, assumptions can become expensive.

A strong SRA should help identify which third parties touch ePHI, what systems they use, what access they have, what safeguards are expected, whether Business Associate Agreements are current, and whether any vendor-related risks require corrective action.

The Ripple Effect: One Gap Can Create Many Problems

Think of the SRA as a stone dropped into water. One missing review, one weak vendor process, or one undocumented workflow can create ripples across the entire compliance program.

A weak SRA can affect:

  • Contracts and Business Associate Agreements
    If vendors are not properly identified, agreements may be missing, outdated, or incomplete.

  • Human Resources and Access Control
    If onboarding and termination processes are not reviewed, former employees or contractors may retain access longer than they should.

  • Technology and Systems
    If ePHI is stored in cloud tools, email platforms, EHR systems, billing systems, mobile devices, or shared drives, those systems must be evaluated.

  • Subcontractor Oversight
    If a vendor relies on another vendor, your organization may not fully understand where ePHI is going.

  • Risk Management and Remediation
    If risks are not documented, assigned, prioritized, and tracked, the organization may not be able to prove that it took reasonable action.
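The Human Resources and Access Control item above describes a failure mode that is easy to test for: a terminated employee or contractor whose account is still enabled in a system that holds ePHI. The script below is an added example written for this page; it is not Taino Consultants' tooling or anything from the article. It reconciles a constructed HR termination list against constructed account exports from three systems (an EHR, a cloud billing platform, and a vendor portal, all hypothetical) and reports every account still enabled past the termination date plus an assumed one-day disable window. It also lists terminated users who appear in no export at all, which can mean the account was removed correctly or that a system holding ePHI is missing from the inventory.

```python
from datetime import date, timedelta

# Constructed sample data (hypothetical; not from any real organization).
# HR roster of terminated workers. Contractors are included deliberately:
# vendor and subcontractor staff touch ePHI too, and their accounts are
# the ones most often forgotten at offboarding.
TERMINATIONS = {
    "jsmith":  {"terminated": date(2025, 3, 14), "type": "employee"},
    "mlopez":  {"terminated": date(2025, 5, 2),  "type": "contractor"},
    "aking":   {"terminated": date(2025, 6, 30), "type": "employee"},
    "tnguyen": {"terminated": date(2025, 4, 1),  "type": "employee"},
}

# Account exports from several ePHI-bearing systems: username -> enabled.
# The vendor portal is included to show that reconciliation must cover
# external systems, not only the internal directory.
ACCOUNT_EXPORTS = {
    "ehr":           {"jsmith": True,  "mlopez": False, "aking": True, "rpatel": True},
    "billing-cloud": {"jsmith": False, "mlopez": True,  "rpatel": True},
    "vendor-portal": {"mlopez": True,  "aking": True},
}

GRACE = timedelta(days=1)  # Assumed policy: access disabled within one day of termination.


def retained_access(terminations, exports, as_of, grace=GRACE):
    """Return accounts still enabled after termination date + grace.

    Each finding records system, user, worker type and days overdue so the
    SRA remediation log can prioritize (most overdue first, contractors
    ahead of employees when equally overdue).
    """
    findings = []
    for system, accounts in exports.items():
        for user, enabled in accounts.items():
            rec = terminations.get(user)
            if rec is None or not enabled:
                continue
            deadline = rec["terminated"] + grace
            if as_of > deadline:
                findings.append({
                    "system": system,
                    "user": user,
                    "type": rec["type"],
                    "days_overdue": (as_of - deadline).days,
                })
    findings.sort(key=lambda f: (-f["days_overdue"], f["type"] != "contractor"))
    return findings


def orphaned_terminations(terminations, exports):
    """Terminated users present in no export at all.

    Absence is ambiguous: the account may have been removed correctly, or a
    system holding ePHI may be missing from the inventory. Either way it
    needs a documented review rather than a silent pass.
    """
    seen = set()
    for accounts in exports.values():
        seen.update(accounts)
    return sorted(u for u in terminations if u not in seen)


def reconcile(as_of_iso):
    """Run both checks for a given review date (ISO 8601 string)."""
    as_of = date.fromisoformat(as_of_iso)
    return {
        "retained": retained_access(TERMINATIONS, ACCOUNT_EXPORTS, as_of),
        "orphaned": orphaned_terminations(TERMINATIONS, ACCOUNT_EXPORTS),
    }


if __name__ == "__main__":
    result = reconcile("2025-07-15")
    for f in result["retained"]:
        print(f"{f['system']:14} {f['user']:8} {f['type']:10} {f['days_overdue']:>4} days overdue")
    print("no account found in any export:", result["orphaned"])
```

The useful output is not the list itself but the fact that the same terminated contractor shows up in both the billing platform and the vendor portal: that is the ripple the article describes, and it is only visible when the exports from every system that holds ePHI, including vendor-operated ones, are reconciled together.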

The SRA is not simply a report. It is the foundation for a defensible compliance program.

Why 2026 HIPAA Security Changes Matter Now

The healthcare industry is moving toward stronger cybersecurity expectations, better documentation, and clearer accountability. HHS issued a proposed rule (published in the Federal Register in January 2025) to strengthen the HIPAA Security Rule, including proposed requirements for written risk assessments, technology asset inventories, and network maps showing the movement of ePHI throughout electronic information systems.

Although organizations should monitor the final rulemaking process, the direction is clear: healthcare organizations and Business Associates should prepare for more detailed documentation, stronger visibility into systems, and greater attention to how ePHI moves across internal and external environments.

This is why waiting is dangerous.

If your organization waits until the last minute, you may find that your current SRA does not adequately address vendor oversight, subcontractors, cloud platforms, network mapping, access controls, remediation tracking, or operational changes.

A rushed SRA completed after a breach, audit, complaint, or regulatory deadline may not carry the same credibility as a thoughtful, documented process completed proactively.

The Annual SRA Should Be Treated as a Priority

An SRA should not be treated as a once-in-a-while paperwork exercise. It should be reviewed at least annually and updated whenever your organization changes.

Common triggers include:

  • A new EHR or billing system.

  • A new vendor or subcontractor.

  • Remote work expansion.

  • Cloud storage changes.

  • New locations.

  • New lines of service.

  • Staffing changes.

  • Security incidents.

  • Mergers, acquisitions, or restructuring.

  • New technology assets.

  • Changes in how ePHI is accessed, stored, or transmitted.

HHS’s proposed Security Rule updates also point toward stronger expectations for written assessments and ongoing updates when operational or environmental changes affect ePHI.

The message is simple: your SRA must reflect how your organization actually operates today, not how it operated years ago.

What Covered Entities Should Ask Their Business Associates

Covered Entities should not assume that Business Associates are prepared. They should ask practical, documented questions such as:

  • Have you completed a HIPAA Security Risk Analysis within the past 12 months?

  • Does your SRA include an inventory of devices that create, receive, maintain, or transmit ePHI?

  • Do you use subcontractors that touch ePHI?

  • Do you maintain a current technology asset inventory?

  • Do you document access controls and user termination procedures?

  • Do you have a remediation plan for identified risks?

  • Can you provide evidence of security policies, training, and risk management activities?

The purpose is not to overwhelm vendors. The purpose is to protect patients, strengthen accountability, and reduce avoidable risk.

What Business Associates Should Do Now

Business Associates should not wait for clients to ask. They should prepare now by reviewing their own security posture, documenting their SRA, identifying subcontractors, updating agreements, reviewing access controls, and creating a remediation plan.

A Business Associate that can demonstrate a thoughtful, current, and documented risk analysis may have a competitive advantage. It shows Covered Entities that the organization understands its responsibilities and takes ePHI protection seriously.

The Cost of Waiting Can Be Significant

Failure to conduct a proper SRA can create serious exposure, especially if the organization has ignored known risks or failed to correct identified gaps. HIPAA civil monetary penalties are adjusted for inflation, and penalty levels depend on factors such as culpability, correction, and willful neglect.

The point is not to scare organizations without purpose. The point is to make the priority clear.

A documented SRA is one of the most important actions a Covered Entity or Business Associate can take to understand risk, support compliance, protect patients, and prepare for future HIPAA Security expectations.

Final Thought: One Good SRA Can Protect the Entire Risk Chain

The SRA ripple effect can work against you, but it can also work for you.

When an organization completes a meaningful, documented SRA, it creates positive ripples across the compliance program. It improves vendor oversight. It strengthens policies. It informs training. It supports better access control. It identifies technology gaps. It helps leadership prioritize resources. It creates a roadmap for remediation.

Most importantly, it helps protect ePHI.

The time to act is now. Do not wait for the ripple to become a wave.

How Taino Consultants Can Help

Taino Consultants helps Covered Entities, Business Associates, and healthcare vendors evaluate their HIPAA Security Risk Analysis process, identify gaps, organize documentation, and build practical remediation plans. Our goal is to help organizations move beyond generic checklists and toward a stronger, more defensible compliance program.

If your organization has not completed a current, documented SRA, or if your SRA does not include Business Associates, subcontractors, technology assets, workflows, and remediation tracking, now is the time to start.

Taino Consultants: Your Shield. Your Compliance.

About Dr. Jose I. Delgado

Dr. Jose I. Delgado is the founder and CEO of Taino Consultants, a veteran-owned, 8(a) graduate healthcare IT consulting firm based in St. Augustine, Florida. With over 30 years of experience in healthcare compliance and government contracting, Dr. Delgado has helped organizations navigate HIPAA, MACRA/MIPS, and federal IT security requirements.

Need help with healthcare compliance?

Taino Consultants provides HIPAA compliance consulting, MACRA/MIPS compliance support, and healthcare IT modernization services for government and private healthcare organizations.

Schedule a consultation